Risk
1/7/2011
12:05 PM
50%
50%

Security Researcher Defeats Adobe Flash Sandbox

Flash expert Billy Rios bypassed Flash Player feature meant to prevent malicious attacks.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010
A security feature added to harden Adobe Flash Player against attacks has been defeated.

Security researcher Billy Rios on Tuesday said that he's discovered "an easy way to bypass Flash's local-with-file system sandbox."

Adobe added the sandbox to Flash Player version 8. After facing heavy criticism for the number of security vulnerabilities present in Flash -- as well as Reader and Acrobat -- which attackers exploited heavily in 2010, Adobe also added a security sandboxes to Flash Player for Google Chrome, as well as for Reader X for Windows. The latter two applications' sandboxes weren't bypassed by Rios.

The Flash Player sandbox was meant to prevent SWF files, used by Flash, from reading local files or communicating with the network in any manner, thereby blocking many types of malicious attacks. According to Adobe documentation, the sandbox "assures the user that local data cannot be leaked out to the network or otherwise inappropriately shared."

But Rios labels that description "a bit too generous." While it's true that SWF files can't call JavaScript or make direct HTTP or HTTPS requests, they can make file requests to a remote server. Accordingly, an attacker -- or security researcher such as Rios, developing a proof of concept exploit -- can resort to a few tricks for sidestepping the sandbox restrictions to inappropriately share information.

In particular, Rios tapped the mhtml protocol handler that's built into Windows 7 and which will launch with no warning to the user. With mhtml, "it's easy to bypass the Flash sandbox," he said, and transmit data to a remote server without a user ever knowing that the exploit occurred.

What's notable with this vulnerability is that Rios wrote no attack code, but rather just used capabilities built into the Windows operating system to sidestep the sandbox.

"This is a flaw in design, it's not a flaw in implementation or coding," said Anup Ghosh, founder and chief scientist of Invincea, which develops browser and PDF sandboxes that use local, "throwaway" virtualized environments, rather than building a sandbox inside an application, as Adobe did.

"When you're writing a sandbox for an application, you have to think about every possible way that an attacker could hit you, and then design a block or Band-Aid for each of those techniques," said Ghosh. But Rios "basically exposed the fallacy of that thinking," because an attacker only has to find one communication protocol -- from one of thousands of libraries -- that isn't explicitly blocked.

Adobe acknowledged the vulnerability, rating it as "moderate," which hints at the potential difficulty of translating the vulnerability into a malicious exploit.

"An attacker would first need to gain access to the user's system to place a malicious SWF file in a directory on the local machine before being able to trick the user into launching an application that can run the SWF file natively," according to a statement released by Adobe. "In the majority of use scenarios, the malicious SWF file could not simply be launched by double-clicking on it; the user would have to manually open the file from within the application itself."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7896
Published: 2015-03-03
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before ...

CVE-2014-9283
Published: 2015-03-03
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2014-9683
Published: 2015-03-03
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

CVE-2015-0890
Published: 2015-03-03
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

CVE-2015-2168
Published: 2015-03-03
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industrys professional organizations about how security pros can get more involved with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.