Adobe's Flash Sandbox Not So Secure After All
The idea on paper sounded great: add a sandbox to Adobe Flash to keep many attacks from reaching the underlying operating system. It appears, however, that the sandbox, introduced in December 2010, is not as effective as it could be. Security researcher Billy Rios discovered a way to bypass the Flash Player sandbox locally.
He found that SWFs loaded from a local file can in fact bypass the sandbox by passing "the contents to the attacker server via getURL() and a url like: file://..". That channel, however, can only leak IPs and hostnames, not any other data.
Rios then turned to other protocol handlers, using mhtml as his example:
There are a large number of protocol handlers that meet the criteria outlined in the previous sentence, but we’ll use the mhtml protocol handler as an example. The mhtml protocol handler is available on modern Windows systems, can be used without any prompts, and is not blacklisted by Flash. Using the mhtml protocol handler, it’s easy to bypass the Flash sandbox:
Some other benefits of using the mhtml protocol handler are:
The request goes over http/https and port 80/443 so it will get past most egress filtering
If the request results in a 404, it will silently fail. The data will still be transmitted to the attacker's server, but the victim will never see an indication of the transfer
The protocol handler is available by default on Win7 and will launch with no protocol handler warning
An attacker would have to build a Flash file containing the mhtml request and get the victim to open it locally, for instance by sending it by email or dropping it as part of a malware infection.
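A defender-side check that follows from the above, added here as an example and not part of the article or of Rios's research: unpack a SWF (plain FWS or zlib-compressed CWS) and scan its string data for URLs that use the protocol handlers named above, which a local SWF has no legitimate reason to reference. The sample SWF container is constructed inline and is not a playable Flash file.

```python
import re
import zlib

# Protocol handlers the article names as local-sandbox exfiltration vectors.
SUSPECT_SCHEMES = {"mhtml", "file"}

# Match the schemes of interest plus ordinary http/https, up to a NUL, whitespace or quote.
URL_RE = re.compile(rb"(?i)\b(mhtml|file|https?):[^\x00\s\"'<>]+")


def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header: FWS is plain, CWS is zlib-compressed."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError(f"unsupported SWF signature {sig!r}")


def find_urls(data: bytes) -> list[str]:
    """All URL-like strings in the SWF body (ActionScript keeps getURL() targets as strings)."""
    return [m.group(0).decode("latin-1") for m in URL_RE.finditer(swf_body(data))]


def suspicious_urls(data: bytes) -> list[str]:
    """URLs whose scheme is one of the sandbox-bypass handlers from the article."""
    return [u for u in find_urls(data) if u.split(":", 1)[0].lower() in SUSPECT_SCHEMES]


def make_test_swf(strings: list[bytes], compressed: bool = True) -> bytes:
    """Constructed sample: a CWS/FWS container whose body is just NUL-terminated strings,
    standing in for an ActionScript constant pool. Not a valid playable SWF."""
    body = b"\x00".join(strings) + b"\x00"
    length = (8 + len(body)).to_bytes(4, "little")
    if compressed:
        return b"CWS" + bytes([10]) + length + zlib.compress(body)
    return b"FWS" + bytes([10]) + length + body


if __name__ == "__main__":
    sample = make_test_swf([b"getURL", b"mhtml:http://example.invalid/x", b"http://cdn.invalid/a.js"])
    print(suspicious_urls(sample))
```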