A recently patched vulnerability in Adobe's Flash Player could be used to steal Windows user credentials, Dutch security researcher Björn Ruytenberg has discovered.
The bug is a variant of an old vulnerability, CVE-2016-4271, which Adobe patched in September 2016.
That flaw could enable hackers to fool users into loading a Flash file that would connect to a remote SMB server and steal Windows credentials.
Adobe added new security measures in Flash Player version 23, but they can be bypassed, Ruytenberg found.
In a blog post, Ruytenberg said Flash's restriction on outbound connections to Windows UNC (uniform naming convention) file-like paths could be bypassed by loading a Flash file that makes requests to a remote server over HTTP or HTTPS.
“By setting the HTTP location header and an appropriate response code (e.g. 301, 302), this vulnerability can be used to redirect HTTP requests to a malicious SMB server,” he said.
In an example, the researcher described a scenario in which a malicious Flash application and an SMB server are hosted on the same machine, at the same IP address.
The Flash application runs on the victim's local machine in the remote sandbox, in which the runtime prohibits local file system access but allows remote connections.
“Tracing back to the Win32 API, the functions affected by redirect-to-SMB reside in urlmon.dll. Hence, Internet Explorer and any third-party applications using them are vulnerable,” he said.
He said Adobe's cross-domain policy file, which dictates when a Flash client is allowed to load resources from a domain other than the originating one, could be abused.
“The careful reader might notice that Adobe's definition, unlike HTTP CORS (referencing RFC6454), restricts itself to cross-domain data handling. More specifically, it does not take into account differing protocols,” he said.
“This security mechanism should therefore be unrelated to our blocked attack: we are trying to redirect to SMB, a different protocol, on the same host.”
Ruytenberg said crossdomain.xml is requested from the same host that serves the Flash application. By constructing a least-restrictive cross-domain policy, he was able to establish an SMB connection from the victim's machine to a remote server.
From there, a Python script called SMBTrap acts as a malicious SMB server, capturing any incoming requests along with the victim's user credentials.
Firefox and Internet Explorer are vulnerable to this kind of attack, while Edge and Chrome are not, he said. The same applies to all current versions of Microsoft Office. In addition, the flaw affects both the remote and the local-with-networking sandboxes.
Ruytenberg said that with the new input validation measures introduced in Flash Player 23, the player minimises potential attack vectors by rejecting any outbound request for a non-HTTP URL.
“Quite unexpectedly, however, input validation is only done once: while the initial HTTP request is validated, consecutive redirects are not. Combined with the fact that Flash is still susceptible to a known Windows vulnerability therefore effectively kills a seemingly solid approach,” he said.
“This is unfortunate, and perhaps once again illustrates the underlying problem that platform-specific vulnerabilities need to be taken into account whenever possible.”
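The weakness Ruytenberg describes is a client that checks the scheme of the first request and then follows 30x redirects blindly. The following is an added example, not code from the article or from Ruytenberg's post, that models both behaviours side by side: a follower that re-validates the resolved Location target at every hop (rejecting file:, smb: and backslash UNC paths) and one that validates only once. The URL table and the fetch() stand-in are constructed for the example; nothing touches the network.

```python
"""Added example: validating the target scheme on every redirect hop,
contrasted with validating only the initial request.

Constructed data only; fetch() consults an in-memory table instead of
making HTTP requests.
"""
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

# Constructed responses: url -> (status, headers). Two chains end in
# non-HTTP targets (a file:// URL and a UNC path); one ends in a 200.
SAMPLE_RESPONSES = {
    "http://app.example/start": (302, {"Location": "http://app.example/step2"}),
    "http://app.example/step2": (301, {"Location": "file://app.example/share/x"}),
    "http://app.example/unc":   (302, {"Location": r"\\app.example\share\x"}),
    "http://app.example/safe":  (302, {"Location": "/data"}),
    "http://app.example/data":  (200, {}),
}


def fetch(url):
    """Stand-in for an HTTP request against the constructed table."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def is_http_url(url):
    """True only for absolute http(s) URLs; rejects file:, smb: and UNC paths."""
    if url.startswith("\\\\"):
        return False  # \\host\share: Windows resolves this over SMB
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def resolve_location(base, location):
    """Resolve a Location header against the request URL. UNC paths are
    returned untouched so the scheme check can reject them; urljoin would
    otherwise glue them onto the base URL's path and hide them."""
    if location.startswith("\\\\"):
        return location
    return urljoin(base, location)


def follow_validated(start_url):
    """Validate every hop. Returns ('ok', final_url), ('blocked', target)
    or ('too_many_redirects', last_url)."""
    url = start_url
    for _ in range(MAX_REDIRECTS + 1):
        if not is_http_url(url):
            return ("blocked", url)
        status, headers = fetch(url)
        if status not in REDIRECT_CODES:
            return ("ok", url)
        url = resolve_location(url, headers.get("Location", ""))
    return ("too_many_redirects", url)


def follow_validate_once(start_url):
    """Model of the flawed behaviour: check only the initial URL, then follow
    redirects blindly. Returns the URL such a client would finally request."""
    if not is_http_url(start_url):
        return ("blocked", start_url)
    url = start_url
    for _ in range(MAX_REDIRECTS + 1):
        status, headers = fetch(url)
        if status not in REDIRECT_CODES:
            return ("would_request", url)
        url = resolve_location(url, headers.get("Location", ""))
    return ("too_many_redirects", url)


if __name__ == "__main__":
    for u in ("http://app.example/start", "http://app.example/unc", "http://app.example/safe"):
        print(u, "| validate once:", follow_validate_once(u), "| every hop:", follow_validated(u))
```

Running the block shows the difference on the two hostile chains: the validate-once model ends up requesting `file://app.example/share/x` and the raw `\\app.example\share\x` path, while the per-hop follower stops at the first non-HTTP target. The check deliberately runs on the resolved URL rather than the raw header, with the UNC case handled before resolution, because a relative Location such as `/data` is legitimate and only acquires its scheme after being joined to the request URL.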
The issue is fixed in Flash Player 184.108.40.206.