Recently patched Flash Player sandbox leaks Windows credentials

According to Dutch security researcher Björn Ruytenberg, the bug is a variant of an old vulnerability, CVE-2016-4271, which Adobe patched in September 2016. That bug could enable hackers to fool users into loading a Flash file that would connect to a remote SMB server and steal Windows credentials.

This new flaw bypasses the security measures Adobe introduced in version 23. In a blog post, Ruytenberg said that an attacker could get around Adobe's block on Flash making outbound connections to URLs with UNC or file-like paths by loading a Flash file that makes requests to a remote server via HTTP or HTTPS.

“By setting the HTTP Location header and an appropriate response code (eg 301, 302), this vulnerability can be used to redirect HTTP requests to a malicious SMB server,” he said.

In an example, the researcher described a scenario in which a malicious Flash application and an SMB server are hosted on a machine with the same IP address. The Flash application runs on the victim's local machine in the remote sandbox: the runtime prohibits local file system access but allows remote connections.

“Tracing back to the Win32 API, the functions affected by Redirect-to-SMB reside in urlmon.dll. Hence, Internet Explorer and any third-party applications using them are vulnerable,” he said.

He said that Adobe's cross-domain policy file, which dictates when a Flash client is allowed to load resources from a different domain other than the originating one, could be abused.

“The careful reader might notice that Adobe's definition, unlike HTTP CORS (referencing RFC6454), restricts itself to cross-domain data handling. More specifically, it does not take into account differing protocols. This security mechanism should therefore be unrelated to our blocked attack: we are trying to redirect to SMB, a different protocol, on the same host,” he said.

Ruytenberg added that crossdomain.xml is requested from the same host that serves the Flash application. By constructing a least-restrictive cross-domain policy on that host, the researcher was able to establish an SMB connection from the victim's machine to a remote server.

From there a Python script called SMBTrap operates as a malicious SMB server, and captures any incoming requests along with the victim's user credentials.

He added that Firefox and Internet Explorer are vulnerable to this kind of attack, while Edge and Chrome are not. This also applies to all current versions of Microsoft Office. In addition, the flaw affects both the remote and the local-with-networking sandboxes.

Ruytenberg said that having introduced new input validation measures, Flash Player 23 minimises potential attack vectors by rejecting any outbound requests for non-HTTP URLs.

“Quite unexpectedly, however, input validation is only done once: while the initial HTTP request is validated, consecutive redirects are not. Combined with the fact that Flash is still susceptible to a known Windows vulnerability therefore effectively kills a seemingly solid approach. This is unfortunate, and perhaps once again illustrates the underlying problem that platform-specific vulnerabilities need to be taken into account whenever possible,” he said.

The issue is fixed in Flash Player 26.0.0.151.
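The validate-once gap described above is a general pattern, not something specific to Flash: a client that checks only the first URL and then follows redirects blindly can be steered to a UNC path or a non-HTTP scheme by any 301/302 response with a crafted Location header. The following added example, which is not from Ruytenberg's research, Adobe's code or SMBTrap, shows the flawed validate-once client beside a hardened client that re-checks the target of every hop, and a small scan over proxy log lines that flags 3xx responses whose Location leaves HTTP/HTTPS. All hosts, URLs, response tables and log lines are constructed for illustration; the helper names are assumptions.

```python
"""Added example: validating every redirect hop, not only the initial request.
Not code from the original article or from Adobe/Flash Player; all hosts,
URLs, responses and log lines below are constructed for illustration."""
import re
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_target(location):
    """Classify a Location value as 'http', 'unc', 'file', 'smb', 'relative' or 'other'.
    UNC-style prefixes are checked before urlparse, which would otherwise treat
    a backslash path as a scheme-less relative reference."""
    if location.startswith("\\\\") or location.startswith("//"):
        return "unc"
    scheme = urlparse(location).scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return "http"
    if scheme == "":
        return "relative"
    if scheme in ("file", "smb"):
        return scheme
    return "other"


def resolve(base, location):
    """Resolve a Location header against the request URL. Absolute targets
    (including UNC paths) are kept as-is; only relative references are joined."""
    if classify_target(location) == "relative":
        return urljoin(base, location)
    return location


# Constructed stand-in for a live server: request URL -> (status, Location).
# The second hop redirects to a UNC path on the same host, as in the article.
CONSTRUCTED_RESPONSES = {
    "http://app.example.test/player.swf": (302, "/content/loader"),
    "http://app.example.test/content/loader": (301, r"\\app.example.test\share\payload"),
}


def follow_validate_once(start, responses, max_hops=5):
    """Flawed pattern: only the initial request is checked, so a later
    redirect can steer the client to a UNC/SMB target unchallenged."""
    if classify_target(start) != "http":
        raise ValueError("initial URL rejected: " + start)
    url = start
    for _ in range(max_hops):
        status, location = responses.get(url, (200, ""))
        if status not in REDIRECT_CODES:
            break
        url = resolve(url, location)  # never re-validated
    return url


def follow_validate_each_hop(start, responses, max_hops=5):
    """Hardened pattern: re-check the scheme after every redirect and stop
    the chain at the first hop that leaves HTTP/HTTPS."""
    url = start
    for hop in range(max_hops + 1):
        kind = classify_target(url)
        if kind != "http":
            return {"final": None, "blocked": url, "hop": hop, "kind": kind}
        status, location = responses.get(url, (200, ""))
        if status not in REDIRECT_CODES:
            return {"final": url, "blocked": None, "hop": hop, "kind": "http"}
        url = resolve(url, location)
    raise ValueError("too many redirects from " + start)


# Constructed proxy log format: timestamp client "request" status location="..."
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) location="(?P<loc>[^"]*)"$'
)

CONSTRUCTED_PROXY_LOG = [
    '2017-07-12T10:00:01Z 10.0.0.5 "GET http://app.example.test/player.swf" 302 location="/content/loader"',
    '2017-07-12T10:00:01Z 10.0.0.5 "GET http://app.example.test/content/loader" 301 location="\\\\app.example.test\\share\\payload"',
    '2017-07-12T10:00:02Z 10.0.0.7 "GET http://cdn.example.test/lib.swf" 200 location=""',
]


def find_redirects_leaving_http(log_lines):
    """Return (client, request, location, kind) for every 3xx response whose
    Location is a UNC path or a non-HTTP scheme: a detection hook for the
    redirect-to-SMB pattern at the proxy rather than in each client."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if not 300 <= int(m["status"]) < 400:
            continue
        kind = classify_target(m["loc"])
        if kind in ("http", "relative"):
            continue
        hits.append((m["client"], m["req"], m["loc"], kind))
    return hits


if __name__ == "__main__":
    start = "http://app.example.test/player.swf"
    print("validate once ->", follow_validate_once(start, CONSTRUCTED_RESPONSES))
    print("validate each hop ->", follow_validate_each_hop(start, CONSTRUCTED_RESPONSES))
    print("log hits ->", find_redirects_leaving_http(CONSTRUCTED_PROXY_LOG))
```

The design point is that `follow_validate_each_hop` never returns a URL it has not classified, so the check cannot be skipped by chaining redirects; the log scan applies the same classifier at the proxy, which catches the pattern for clients (Flash, Office, urlmon-based applications) that cannot be patched on the spot.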

David Emm, principal security researcher at Kaspersky Lab, told SC Media UK that the first thing an attacker would need to do is to get their malicious code onto the victim's computer.

“This could be done in any of the usual ways that are used to do this – sending a Flash object embedded in an e-mail attachment, via drive-by download or using any other way of delivering the object to the computer. This would set up the attack, after which the infected object could exploit the vulnerability,” he said.

Emm added that in the first instance, organisations should apply the patch released by Adobe. “They should also consider giving up the use of Flash Player altogether, unless they specifically need it,” said Emm.

“There are still lots of people using Flash, so there is a large pool of potential victims for a potential attacker. This is why it's vital that anyone using Flash Player should update to the latest version. One reason for the continued use of Flash is simply inertia, i.e. it's something that they have become familiar with and just take it for granted. But organisations and individuals alike should regularly review what is installed on their systems and either update what they still need or remove what they don't.”