Flash logo

Earlier this week, Adobe patched a vulnerability in Flash Player that allows an attacker to use malicious Flash files to leak Windows credentials.

The security issue is tracked under the CVE-2017-3085 identifier and affects Flash Player versions from 23.0.0.162 up to 26.0.0.137, running on Windows XP, Vista, 7, 8.x, and 10.

Flaw derived from older vulnerability

The vulnerability was discovered by Dutch security researcher Björn Ruytenberg and is a variation of an older flaw tracked as CVE-2016-4271, which Adobe patched in September 2016.

Back then, Ruytenberg discovered that he could trick victims into loading a Flash file that called back to a remote SMB server that, in turn, would trick the user's computer into giving over its credentials.

Adobe patched this flaw with the release of Flash Player 23.0.0.162 by preventing Flash from making any outbound connections to URLs with UNC (Universal Naming Convention, eg: \\10.0.0.1\some\file.txt) or file-style paths (file://///10.0.0.1/some/file.txt).

The new bug Ruytenberg discovered relies on a clever trick to bypass Adobe's new protection measures. The researcher explains in a technical blog post that an attacker could comply with the Adobe ban on UNC and file-path URLs by loading a Flash file that made a request to a remote server via HTTP or HTTPS.

On the side of the malicious server, the attacker could use a classic 302 HTTP redirection to relay this incoming request to an SMB server that would use the same technique as before to collect local NTLM hashes (user's credentials).

SMBtrap output

Attack does not work in Chrome or Edge

Ruytenberg says the attack works only when loading malicious Flash files in Office (2010, 2013 and 2016), Firefox or Internet Explorer only. Browsers like Chrome or Edge are not susceptible to this attack.

Furthermore, the attack also breaks Flash's "remote" and "local-with-networking" sandboxes, two Flash security setups that should have prevented the attacker from exfiltrating local data.

"Flash Player 23 minimizes potential attack vectors by rejecting any outbound requests for non-HTTP URLs," Ruytenberg explains. "However, input validation is only done once: while the initial HTTP request is validated, consecutive redirects are not."

Vulnerability can be exploited in various ways

In an email to Bleeping Computer, Ruytenberg lays out possible attack scenarios in more depth.

"The attack complexity is very low," the researcher says. "Possible attack scenario's include:"

- Web: visiting a (possibly compromised) website that serves the Flash application with the malicious payload. This includes third party domains, such as those from malvertisers.

- Email, Windows file sharing: opening a local HTML file that embeds the malicious Flash application. Note that in this scenario, the Flash application would run in the "local-with-networking" sandbox as opposed to the default "remote" sandbox (but both sandboxes are vulnerable).

- Microsoft Office: Word and Excel documents allow for embedding Flash code. Hence, the malicious code could be embedded in an Office document, and then distributed through the web or email.

Low vulnerability severity rating isn't representative

The vulnerability received a (CVSS) severity score of 4.3 out of 10, and at a closer look, it doesn't look like something you'd see in a malvertising campaign.

On the other hand, the flaw is perfect for targeted attacks aimed at particular companies or individuals, as seen in economic or state-sponsored cyber-espionage campaigns.

"Strictly taken, if exploited, the information that is leaked is 'limited' to Windows user credentials," Ruytenberg told Bleeping Computer. "However, being in possession of these credentials is potentially very damaging."

"For example, this allows an attacker to escalate privileges, and install (persistent) malware on the victim's machine," the expert also added. "Therefore, the CVSS score may not be entirely representative of the damage that can be caused if this vulnerability is exploited."

Image credits: Björn Ruytenberg, Adobe, IconGhost, Bleeping Computer