Macromedia Flash plugin can read local files

From: Jelmer (jelmerat_private)
Date: Wed Aug 07 2002 - 20:43:02 PDT


          .---.        .----------
         /     \  __  /    ------
        / /     \(  )/    -----
       //////   ' \/ `   ---
      //// / // :    : ---
     // /   /  /`    '--
    //          //..\\
           ====UU====UU====
               '//||\\`   Macromedia Flash plugin can read local files
    
    
    Description :
    
    Macromedia Flash Player is the leading rich client for Internet content and
    applications across the broadest range of platforms and devices.
    According to Macromedia, more than 90% of web users are able to view
    Macromedia Flash content. Macromedia Flash Player is available for all major
    browsers on Windows, Mac OS, and Linux, as well as on device platforms such
    as Pocket PC and Nokia Communicator.
    There is a bug in Macromedia Flash Player that allows local files to be read
    and sent.
    
    This can be achieved in three ways:
    
    1. Force an HTTP redirect to a local file.
    2. Place a <base href="file:///C:/"> in the document, then use a relative URL.
    3. Embed the Flash object in a web archive (MHT file) and make it appear as
    though it has been saved from a location on the user's hard drive, then use a
    relative URL.
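    As an added defender-side example (not part of this advisory), the Python below flags content exhibiting the three vectors just listed: a redirect whose Location header points at a file: URL, an HTML page that sets a file: base while embedding a Flash movie, and an MHT archive whose HTML part claims a local origin while embedding Flash. It assumes the archive records each part's origin in the MIME Content-Location header, as Internet Explorer web archives do; the sample archive is constructed.

```python
"""Added example: flag content matching the three vectors in this advisory.
The MHT sample below is constructed for this demonstration."""
import re
from email import message_from_string

# A Flash movie reference, and a <base> element whose href uses the file: scheme.
FLASH_RE = re.compile(r'application/x-shockwave-flash|\.swf\b', re.I)
LOCAL_BASE_RE = re.compile(r'<base\b[^>]*\bhref\s*=\s*["\']?\s*file:', re.I)

def redirect_to_local_file(headers):
    """Vector 1: a redirect whose Location header points at a file: URL."""
    for name, value in headers.items():
        if name.lower() == "location" and value.strip().lower().startswith("file:"):
            return True
    return False

def flash_under_local_base(html):
    """Vector 2: a file: <base> makes the movie's relative URLs resolve to local files."""
    return bool(LOCAL_BASE_RE.search(html) and FLASH_RE.search(html))

def mht_flash_with_local_origin(mht):
    """Vector 3: an MHT part claims a file: Content-Location and embeds Flash.
    Assumes the archive records each part's origin in Content-Location, as
    Internet Explorer web archives do."""
    for part in message_from_string(mht).walk():
        origin = (part.get("Content-Location") or "").strip().lower()
        body = part.get_payload(decode=True) or b""
        if origin.startswith("file:") and FLASH_RE.search(body.decode("latin-1")):
            return True
    return False

# Constructed sample: an MHT archive posing as a page saved to the local disk.
SAMPLE_MHT = """\
From: <Saved by Microsoft Internet Explorer 5>
Subject: demo
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Part_0"

------=_Part_0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Location: file:///C:/saved/page.htm

<html><body><embed src="movie.swf" type="application/x-shockwave-flash">
</body></html>
------=_Part_0--
"""
```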
    
    Systems affected :
    
    The vulnerability has been confirmed to work on Macromedia Flash Player 6 in
    Internet Explorer 6, but I feel it's safe to assume that at least some other
    configurations are affected as well (naturally the MHT file trick is IE
    specific).
    
    Example :
    
    Demonstrations of the issues described are available at:
    
    1. redirect issue
    http://kuperus.xs4all.nl/flash.htm
    
    2. base tag
    http://www.xs4all.nl/~jkuperus/flash.htm
    
    3. mht file embedding
    http://www.xs4all.nl/~jkuperus/flash.mht
    
    Each reads and displays the contents of c:\jelmer.txt.
    
    The exploits use the Macromedia Flash XML object, first introduced in
    Macromedia Flash Player 5, to read the local files.
    
    There may be other ways to achieve the same effect.
    
    Vendor status :
    
    Macromedia was notified on July 12th 2002. The latest build fixes the
    problem.
    
    Workaround :
    
    Update to the latest player (6,0,47,0). It should be available at
    http://www.macromedia.com/go/getflashplayer/
    
    
    References :
    
    http://www.netmag.co.uk/ie5/save-page.htm
    http://www.wdvl.com/Authoring/HTML/Head/base.html
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3
    http://www.macromedia.com/support/flash/action_scripts/objects/xml_object.html
    http://www.macromedia.com/software/player_census/flashplayer/version_penetration.html
    
    
    Previous vulnerabilities :
    
    "MSIE + Winamp allows execution of arbitrary code"
      http://online.securityfocus.com/archive/1/283018
    
    "MSIE + ICQ allows execution of arbitrary code"
      http://online.securityfocus.com/archive/1/282631
    
    "Windows media player allows execution of arbitrary code"
      http://online.securityfocus.com/bid/5107
    
    "MS XMLHTTP component allows local file reading"
      http://online.securityfocus.com/archive/1/245687
    



    This archive was generated by hypermail 2b30 : Thu Aug 08 2002 - 12:54:21 PDT