Macromedia Flash plug-in hole

Yesterday an e-mail arrived on the Bugtraq mailing list saying that the Macromedia Flash plug-in (in Latvian, "spraudnis") has a hole and makes it possible both to read and to send files located on the local disk. Internet Explorer is named as the vulnerable browser with this plug-in.


You can update your Flash plug-in here: macromedia.com. It will take up a little over 300Kb.


Macromedia Flash plugin can read local files

Description :

Macromedia Flash Player is the leading rich client for Internet content and
applications across the broadest range of platforms and devices.
According to Macromedia more than 90% of web users are able to view
Macromedia Flash content. Macromedia Flash Player is available for all major
browsers on Windows, Mac OS, and Linux as well as on device
platforms such as Pocket PC and Nokia Communicator.
There is a bug in Macromedia Flash Player that allows reading and sending of
local files

This can be achieved in three ways.

1. force a http redirect to a local file
2. place a <base> tag in the document then use a relative url
3. embed the flash object in a web archive (mht file) and make it seem as
though its been saved from a location on the users hard drive, then use a
relative url.

Systems affected :

The vulnerability has been confirmed to work on Macromedia Flash Player 6 in
Internet Explorer 6 but I feel it’s safe to assume that at least some other
configurations are affected as well (naturally the mht file trick is IE
specific)

Example :

Demonstrations of the issues described are available at :

1. redirect issue
http://kuperus.xs4all.nl/flash.htm

2. base tag
http://www.xs4all.nl/~jkuperus/flash.htm

3. mht file embedding
http://www.xs4all.nl/~jkuperus/flash.mht

It reads and displays the contents of c:\jelmer.txt

The exploits use the Macromedia Flash xml object, first introduced in
Macromedia Flash Player 5 to read the local files.

There may be other ways to achieve the same effect.

Vendor status :

Macromedia was notified on July 12th 2002. The latest build fixes the
problem

Workaround :

Update to the latest player (6,0,47,0). It should be available at
http://www.macromedia.com/go/getflashplayer/

References :

http://www.netmag.co.uk/ie5/save-page.htm
http://www.wdvl.com/Authoring/HTML/Head/base.html
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3
http://www.macromedia.com/support/flash/action_scripts/objects/xml_object.html
http://www.macromedia.com/software/player_census/flashplayer/version_penetration.html

Previous vulnerabilities :

“MSIE + Winamp allows execution of arbitrary code”
http://online.securityfocus.com/archive/1/283018

“MSIE + ICQ allows execution of arbitrary code”
http://online.securityfocus.com/archive/1/282631

“Windows media player allows execution of arbitrary code”
http://online.securityfocus.com/bid/5107

“MS XMLHTTP component allows local file reading”
http://online.securityfocus.com/archive/1/245687
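
An added example, not part of the advisory or of the original post: a response check, of the kind a filtering web proxy could run, that flags the first two techniques the advisory lists (a redirect to a local file, and a base tag followed by relative URLs). The function names, the pattern for what counts as a local target, and the assumption that the base tag points at a local location are assumptions of this example; the sample responses are constructed.

```python
import re
from html.parser import HTMLParser

# Assumed definition of "local": file: URLs, drive-letter paths, UNC paths.
_LOCAL = re.compile(r"^(file:|[a-z]:[\\/]|\\\\)", re.IGNORECASE)


def is_local_target(url):
    """True when a URL or path refers to the local disk, not the network."""
    return bool(_LOCAL.match(url.strip()))


class _BaseFinder(HTMLParser):
    """Collects the href of every <base> element in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "base":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def inspect_response(status, headers, body=""):
    """Return a list of findings for one response from a remote site."""
    findings = []
    location = next(
        (v for k, v in headers.items() if k.lower() == "location"), None)
    # Technique 1: a 3xx answer whose Location leaves the network.
    if 300 <= status < 400 and location and is_local_target(location):
        findings.append("redirect-to-local-file")
    # Technique 2: a base element that re-roots relative URLs on the disk.
    finder = _BaseFinder()
    finder.feed(body)
    if any(is_local_target(h) for h in finder.hrefs):
        findings.append("base-href-local")
    return findings


# Constructed sample responses (status, headers, body).
SAMPLES = [
    (302, {"Location": "file:///c:/jelmer.txt"}, ""),
    (302, {"Location": "http://example.com/next"}, ""),
    (200, {}, '<html><head><BASE HREF="file:///c:/"></head></html>'),
    (200, {}, '<base href="http://example.com/"><p>ok</p>'),
]
```

The third technique (an mht archive) is not covered here; updating to the player build the advisory names remains the actual fix.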
