Thursday, January 06, 2011

Bypassing Flash Local-with-filesystem Sandbox

  • Flash is designed around the sandbox concept.
  • Flash cannot read local files except for the cookie files.
What Billy Rios did recently in his research:
  • Bypass the restriction and make flash to access any local and remote files.
  • Found a protocol handler that wasn't blacklisted by Adobe.
  • User will not be prompted for permission when bypassing attempts.
Summary of how it works:
  • Using file:// and point to local system. Eg: file://\\\stolen-data-here\
  • Then pass the content back to attacker server via getURL(). Eg: getURL(‘mhtml:‘, ”);