lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20150529215815.GC14791@laptop.thejh.net>
Date: Fri, 29 May 2015 23:58:15 +0200
From: Jann Horn <jann@...jh.net>
To: fulldisclosure@...lists.org
Subject: [FD] Flash: Local SWF files can leak arbitrary local files to the
	internet

Summary:
Flash by design allows local SWF files to read arbitrary local files, but
prevents communication with remote servers. By smuggling data through a timing
side-channel, this can be circumvented, allowing local SWF files to exfiltrate
the contents of arbitrary local files to the internet.

Some more details:
Flash runs normal local SWF files under local-with-file-system restrictions,
which are documented at
<http://help.adobe.com/en_US/AS2LCR/Flash_10.0/help.html?content=00000462.html>.
As <http://help.adobe.com/en_US/AS2LCR/Flash_10.0/help.html?content=00000452.html>
explains:

    For security purposes, Flash Player places all local SWF files, including
    all legacy local SWF files, in the local-with-file-system sandbox, by
    default (unless some other setting is made). For some legacy SWF files
    (Flash Player 7 and earlier), operations could be affected by enforcing
    restrictions on their access (no outside network access), but this
    provides the most secure default for the users' protection.

    From this sandbox, SWF files may read from files on local file systems or
    UNC network paths (by using the XML.load() method, for example), but they
    may not communicate with the network in any way. This assures the user
    that local data cannot be leaked out to the network or otherwise
    inappropriately shared.

The following was only tested in Google Chrome.

When multiple SWF files are running in the same browser (but in different
frames or tabs), only one of them can run ActionScript code at a time. This
means that a local SWF file can leak information to a network-loaded SWF file
by busylooping, which delays the processing of ExternalInterface calls to the
network-loaded SWF file. (Apparently local HTML files can't interact with
network-loaded SWF files, but the local HTML file can just frame an HTML file
with http origin which in turn loads the SWF file with http origin.)

Chrome prevents downloads of files with a .swf file extension to mitigate
against attacks on the local-with-file-system rules, but that doesn't prevent
an attacker from embedding a file with a different extension as SWF
(<https://code.google.com/p/chromium/issues/detail?id=487475>, WontFix).

I made a PoC that only requires the victim to download one malicious HTML
file and open it locally. Repro steps:

 - go to <https://var.thejh.net/flash_HigNabIalOt6/download.html> in Chrome
 - click the download link
 - open the downloaded file (by clicking on the item in the downloads bar)
 - replace "file:///etc/passwd" with the file URI to some local file
 - press "run"

You should see the contents of the file appear in the red box, one character
every 8 seconds or so. (Yes, it's really slow - I'm sure it'd be possible to
do this much faster, but for a PoC, I think it's enough.) Note that, as this
is a timing attack, less errors occur if the computer is mostly idle.

Sources of the PoC are at <https://var.thejh.net/flash_local_poc.zip>.

This issue was reported to Adobe PSIRT 2015-04-26. They confirmed that they
got the report, but still haven't told me whether they consider this to be a
fixable issue or a wontfix.

So, in other words: Yet another reason why you shouldn't open untrusted HTML
files from the local disk.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ