SYNTHESIS OF THE VULNERABILITY

An attacker can create a malicious Flash application, which indicates file fragments to a CIFS/SMB share.

Severity: 2/4

Consequences: data reading

Provenance: document

Means of attack: 1 proof of concept

Ability of attacker: specialist (3/4)

Confidence: unique source (2/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 04/03/2010

IMPACTED PRODUCTS

 Adobe Flash Player

DESCRIPTION OF THE VULNERABILITY

A Flash application can be conceived with two modes
 "Access local files only" : no network access, excepted a CIFS server on the same local network

 "Access network only" : no local access An application is thus not allowed to transfer data from user’s computer to the internet.

In "local files only" mode, the application can use the URLLoader class to read a local file, or a file located on a CIFS/SMB share.

An application can therefore use URLLoader to read a file located on victim’s computer. This file for example contains "hello". The application can then try to read "\\1.2.3.4\public\hello", where "1.2.3.4" is a CIFS server owned by the attacker. The "hello" file does not exist on the CIFS share, so this generates an error which is logged.

The attacker can then read logs of his CIFS server, in order to obtain data fragments ("hello") coming from victim’s computer.

An attacker can therefore create a malicious Flash application, which indicates file fragments to a CIFS/SMB share.

CHARACTERISTICS

Identifiers: BID-38517, VIGILANCE-VUL-9495

http://vigilance.fr/vulnerability/A...