Vigil@nce: Adobe Flash, file reading
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious Flash application, which
indicates file fragments to a CIFS/SMB share.
Severity: 2/4
Consequences: data reading
Provenance: document
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/03/2010
IMPACTED PRODUCTS
– Adobe Flash Player
DESCRIPTION OF THE VULNERABILITY
A Flash application can be conceived with two modes
– "Access local files only" : no network access, excepted a CIFS
server on the same local network
– "Access network only" : no local access
An application is thus not allowed to transfer data from user’s
computer to the internet.
In "local files only" mode, the application can use the URLLoader
class to read a local file, or a file located on a CIFS/SMB share.
An application can therefore use URLLoader to read a file located
on victim’s computer. This file for example contains "hello". The
application can then try to read "\1.2.3.4\public\hello", where
"1.2.3.4" is a CIFS server owned by the attacker. The "hello" file
does not exist on the CIFS share, so this generates an error which
is logged.
The attacker can then read logs of his CIFS server, in order to
obtain data fragments ("hello") coming from victim’s computer.
An attacker can therefore create a malicious Flash application,
which indicates file fragments to a CIFS/SMB share.
CHARACTERISTICS
Identifiers: BID-38517, VIGILANCE-VUL-9495
http://vigilance.fr/vulnerability/Adobe-Flash-file-reading-9495