Risk
1/7/2011
12:05 PM
50%
50%

Security Researcher Defeats Adobe Flash Sandbox

Flash expert Billy Rios bypassed Flash Player feature meant to prevent malicious attacks.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010
A security feature added to harden Adobe Flash Player against attacks has been defeated.

Security researcher Billy Rios on Tuesday said that he's discovered "an easy way to bypass Flash's local-with-file system sandbox."

Adobe added the sandbox to Flash Player version 8. After facing heavy criticism for the number of security vulnerabilities present in Flash -- as well as Reader and Acrobat -- which attackers exploited heavily in 2010, Adobe also added a security sandboxes to Flash Player for Google Chrome, as well as for Reader X for Windows. The latter two applications' sandboxes weren't bypassed by Rios.

The Flash Player sandbox was meant to prevent SWF files, used by Flash, from reading local files or communicating with the network in any manner, thereby blocking many types of malicious attacks. According to Adobe documentation, the sandbox "assures the user that local data cannot be leaked out to the network or otherwise inappropriately shared."

But Rios labels that description "a bit too generous." While it's true that SWF files can't call JavaScript or make direct HTTP or HTTPS requests, they can make file requests to a remote server. Accordingly, an attacker -- or security researcher such as Rios, developing a proof of concept exploit -- can resort to a few tricks for sidestepping the sandbox restrictions to inappropriately share information.

In particular, Rios tapped the mhtml protocol handler that's built into Windows 7 and which will launch with no warning to the user. With mhtml, "it's easy to bypass the Flash sandbox," he said, and transmit data to a remote server without a user ever knowing that the exploit occurred.

What's notable with this vulnerability is that Rios wrote no attack code, but rather just used capabilities built into the Windows operating system to sidestep the sandbox.

"This is a flaw in design, it's not a flaw in implementation or coding," said Anup Ghosh, founder and chief scientist of Invincea, which develops browser and PDF sandboxes that use local, "throwaway" virtualized environments, rather than building a sandbox inside an application, as Adobe did.

"When you're writing a sandbox for an application, you have to think about every possible way that an attacker could hit you, and then design a block or Band-Aid for each of those techniques," said Ghosh. But Rios "basically exposed the fallacy of that thinking," because an attacker only has to find one communication protocol -- from one of thousands of libraries -- that isn't explicitly blocked.

Adobe acknowledged the vulnerability, rating it as "moderate," which hints at the potential difficulty of translating the vulnerability into a malicious exploit.

"An attacker would first need to gain access to the user's system to place a malicious SWF file in a directory on the local machine before being able to trick the user into launching an application that can run the SWF file natively," according to a statement released by Adobe. "In the majority of use scenarios, the malicious SWF file could not simply be launched by double-clicking on it; the user would have to manually open the file from within the application itself."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!