One of the patches included in yesterday’s Adobe Flash Player update was a do-over after the researcher who privately reported the problem earlier this year discovered the original patch incompletely resolved the issue.
Dutch researcher Bjorn Ruytenberg disclosed details after Adobe updated the soon-to-be deprecated Flash Player yesterday to version 26. Flash Player 23, released close to a year ago, closed off a local sandbox escape, but Ruytenberg found the update failed to address the vulnerability either locally, when networking was enabled, or remotely.
Exploiting the vulnerability would allow an attacker to connect a compromised computer to an attacker’s remote Windows SMB server. An attack allows for the redirection of traffic to the remote SMB server and the interception of Windows credentials.
“The attack complexity is very low,” Ruytenberg told Threatpost.
The researcher pointed out that an attacker could use any number of typical infection vectors to infect victims’ machines, including hosting a site that serves a malicious Flash application, or by embedding a Flash file in an Office document. Attackers could also hit victims via email or Windows file sharing by enticing them to open a local HTML file that embeds the malicious Flash application.
“In this scenario, the Flash application would run in the ‘local-with-networking’ as opposed to the default ‘remote’ sandbox (but both sandboxes are vulnerable),” Ruytenberg said.
In Flash 23, Adobe updated its sandbox policies, improving input validation along the way, which should have prevented Flash from connecting to a remote server. Ruytenberg discovered that he could use a two-year-old Windows redirect-to-SMB vulnerability to again exploit the Flash bug. The attack works only on Internet Explorer and Firefox, Ruytenberg said; Chrome and Microsoft Edge are not affected because they prevent Flash from connecting to the SMB server.
Ruytenberg said that in Flash 23, Adobe no longer allowed the software to load resources from an SMB server, rejecting UNC and file-style paths, that is, any path not prefixed with HTTP or HTTPS. Ruytenberg discovered that he could change the requested path after it had passed input validation by abusing the redirect-to-SMB bug.
“By setting the HTTP Location header and an appropriate response code (e.g. 301, 302), this vulnerability can be used to redirect HTTP requests to a malicious SMB server,” he wrote in his report, adding that the vulnerability affects IE, Firefox and any third-party applications using them.
Specifically, Ruytenberg’s attack was able to abuse Flash’s cross-domain policy file which, he said, dictates when Flash is allowed to load resources from another domain. He discovered that the cross-domain policy is requested from the same host serving the attacker’s Flash application. Therefore, he built a new policy with lesser restrictions and was successful in forcing Flash to connect to the remote SMB server and capture incoming requests including the victim’s user credentials.
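The flaw described above is a validation-ordering problem: the scheme check ran once, on the URL Flash was asked to load, and the HTTP client then followed whatever Location header came back, including one pointing at an SMB share. The following added example (not code from the article, from Adobe, or from Ruytenberg's report) simulates both the weak pattern and the hardened one, where the check is re-applied to every redirect hop, for the same kind of policy-file request the article describes. The responses and hostnames are constructed placeholders, not captured traffic.

```python
"""Added example (not code from the article or from Adobe/Ruytenberg):
shows why validating a URL only before the first request is not enough
when the client follows redirects. Responses below are constructed and
hostnames are placeholders (.invalid TLD)."""
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses keyed by URL: (status, headers). The 302 with a
# file:// Location stands in for the redirect-to-SMB behaviour the article
# describes; a real attacker-controlled server could answer this way.
FAKE_RESPONSES = {
    "http://example.invalid/policy": (302, {"Location": "file://attacker.invalid/share/policy"}),
    "http://example.invalid/hop": (301, {"Location": "https://example.invalid/ok"}),
    "https://example.invalid/ok": (200, {}),
}


def is_allowed(url):
    """True only for absolute HTTP(S) URLs with a host; UNC and file-style paths fail."""
    if url.startswith("\\\\"):          # UNC path such as \\host\share
        return False
    parsed = urlparse(url)
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)


def fetch_validate_once(url, responses=FAKE_RESPONSES, max_hops=5):
    """Weak pattern: check the initial URL, then follow redirects unchecked.
    Returns the URL the client would finally request, or None."""
    if not is_allowed(url):
        return None
    for _ in range(max_hops):
        status, headers = responses.get(url, (404, {}))
        if status in REDIRECT_CODES and "Location" in headers:
            url = headers["Location"]   # redirect target is never re-validated
            continue
        return url
    return None


def fetch_validate_every_hop(url, responses=FAKE_RESPONSES, max_hops=5):
    """Hardened pattern: re-apply the scheme check to every redirect target.
    Returns the final URL, or None if any hop is disallowed or hops run out."""
    for _ in range(max_hops):
        if not is_allowed(url):
            return None                 # refuse file://, UNC, or anything non-HTTP(S)
        status, headers = responses.get(url, (404, {}))
        if status in REDIRECT_CODES and "Location" in headers:
            url = headers["Location"]
            continue
        return url
    return None


if __name__ == "__main__":
    start = "http://example.invalid/policy"
    print("validate once      ->", fetch_validate_once(start))       # ends at file://...
    print("validate every hop ->", fetch_validate_every_hop(start))  # None (blocked)
```

The example treats Location values as absolute for clarity; a production client resolves relative Location headers against the request URL before running the check, and should apply the same check to any other client-side redirect mechanism it honours.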
“The report I disclosed demonstrates this vulnerability was fixed improperly as the new sandbox policies can be circumvented,” Ruytenberg said. “This week’s patch should indeed fix the vulnerability.”
Adobe addressed the vulnerability, CVE-2017-3085, yesterday, giving it a severity rating of important and calling it a security bypass vulnerability. It was one of two vulnerabilities addressed in yesterday’s update.