Flash Broker-Based - Sandbox Escape via Forward Slash Instead of Backslash

EDB-ID:

37840

Author:

KeenTeam

Type:

remote

Platform:

Windows

Published:

2015-08-19

Source: https://code.google.com/p/google-security-research/issues/detail?id=278&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

FlashBroker - Junction Check Bypass With Forward Slash IE PM Sandbox Escape

1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker

FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.

There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "\" as delimiter. If the destination includes "/", FlashBroker will use a wrong destination folder for check.

The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.

2. Credit
Jietao Yang of KeenTeam (@K33nTeam) is credited for the vulnerability.

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/37840.zip