Risk
1/7/2011
12:05 PM
50%
50%

Security Researcher Defeats Adobe Flash Sandbox

Flash expert Billy Rios bypassed Flash Player feature meant to prevent malicious attacks.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010
A security feature added to harden Adobe Flash Player against attacks has been defeated.

Security researcher Billy Rios on Tuesday said that he's discovered "an easy way to bypass Flash's local-with-file system sandbox."

Adobe added the sandbox to Flash Player version 8. After facing heavy criticism for the number of security vulnerabilities present in Flash -- as well as Reader and Acrobat -- which attackers exploited heavily in 2010, Adobe also added a security sandboxes to Flash Player for Google Chrome, as well as for Reader X for Windows. The latter two applications' sandboxes weren't bypassed by Rios.

The Flash Player sandbox was meant to prevent SWF files, used by Flash, from reading local files or communicating with the network in any manner, thereby blocking many types of malicious attacks. According to Adobe documentation, the sandbox "assures the user that local data cannot be leaked out to the network or otherwise inappropriately shared."

But Rios labels that description "a bit too generous." While it's true that SWF files can't call JavaScript or make direct HTTP or HTTPS requests, they can make file requests to a remote server. Accordingly, an attacker -- or security researcher such as Rios, developing a proof of concept exploit -- can resort to a few tricks for sidestepping the sandbox restrictions to inappropriately share information.

In particular, Rios tapped the mhtml protocol handler that's built into Windows 7 and which will launch with no warning to the user. With mhtml, "it's easy to bypass the Flash sandbox," he said, and transmit data to a remote server without a user ever knowing that the exploit occurred.

What's notable with this vulnerability is that Rios wrote no attack code, but rather just used capabilities built into the Windows operating system to sidestep the sandbox.

"This is a flaw in design, it's not a flaw in implementation or coding," said Anup Ghosh, founder and chief scientist of Invincea, which develops browser and PDF sandboxes that use local, "throwaway" virtualized environments, rather than building a sandbox inside an application, as Adobe did.

"When you're writing a sandbox for an application, you have to think about every possible way that an attacker could hit you, and then design a block or Band-Aid for each of those techniques," said Ghosh. But Rios "basically exposed the fallacy of that thinking," because an attacker only has to find one communication protocol -- from one of thousands of libraries -- that isn't explicitly blocked.

Adobe acknowledged the vulnerability, rating it as "moderate," which hints at the potential difficulty of translating the vulnerability into a malicious exploit.

"An attacker would first need to gain access to the user's system to place a malicious SWF file in a directory on the local machine before being able to trick the user into launching an application that can run the SWF file natively," according to a statement released by Adobe. "In the majority of use scenarios, the malicious SWF file could not simply be launched by double-clicking on it; the user would have to manually open the file from within the application itself."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5075
Published: 2014-12-27
Integer overflow in aswFW.sys 5.0.594.0 in Avast! Internet Security 5.0 Korean Trial allows local users to cause a denial of service (memory corruption and panic) via a crafted IOCTL_ASWFW_COMM_PIDINFO_RESULTS DeviceIoControl request to \\.\aswFW.

CVE-2011-4720
Published: 2014-12-27
Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.

CVE-2011-4722
Published: 2014-12-27
Directory traversal vulnerability in the TFTP Server 1.0.0.24 in Ipswitch WhatsUp Gold allows remote attackers to read arbitrary files via a .. (dot dot) in the Filename field of an RRQ operation.

CVE-2012-1203
Published: 2014-12-27
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.

CVE-2012-1302
Published: 2014-12-27
Multiple cross-site scripting (XSS) vulnerabilities in amMap 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data_file or (2) settings_file parameter to ammap.swf, or (3) the data_file parameter to amtimeline.swf.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.