Speaker(s): Björn Ruytenberg, Eindhoven University of Technology
Sandboxing is a popular technique used by vendors to minimize the damage that applications might cause to a system. Governed by so-called sandbox policies, legitimate and malicious code alike is confined to a trust boundary, which prevents unauthorized actions.
Input validation is key to enforcing sandbox policies. With input validation, context often matters: given some policy, certain input may be allowed, while the same input may be invalid given another. File paths are a prime example. In Adobe Flash Player, the "remote" sandbox prohibits local file system access but enables remote connections, while the "local-with-filesystem" sandbox enables the opposite use case.
While seemingly a simple concept, validating file paths becomes considerably more complicated once the entire picture is considered. With Flash being the intermediate glue between operating systems and various host environments - web browsers, Microsoft Office, PDF readers - there is a diverse landscape of path schemes to consider. This leads to challenges in path validation and, as it turns out, to subtle but unforgiving mistakes.
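To make the context-dependent validation described above concrete, here is an added illustrative model; it is not Adobe's code and does not claim to reproduce how Flash actually classifies paths. The two policy names mirror the sandboxes named above, and the `classify`/`is_allowed` functions, the scheme list and the sample paths are all assumptions made for this example. Every path is decoded and normalised before it is classified by where the access actually lands, and anything that cannot be classified is denied.

```python
"""Illustrative, policy-aware path classifier (added example, not Adobe's code)."""
import re
from enum import Enum
from urllib.parse import unquote, urlsplit


class Origin(Enum):
    LOCAL = "local"      # resolves on the local file system
    REMOTE = "remote"    # resolves on a network host
    UNKNOWN = "unknown"  # cannot be classified: deny by default


# Hypothetical policies named after the two sandboxes discussed in the abstract.
POLICY = {
    "remote": {Origin.REMOTE},
    "local-with-filesystem": {Origin.LOCAL},
}

_DRIVE = re.compile(r"^[A-Za-z]:(?:/|$)")  # Windows drive-letter path, e.g. C:/...


def classify(path: str) -> Origin:
    """Decide where a path really resolves, after decoding and normalising it."""
    p = unquote(path).strip().replace("\\", "/")  # decode first, unify separators
    if p.startswith("//"):
        return Origin.REMOTE  # UNC-style //host/share reaches a network host
    if _DRIVE.match(p) or p.startswith("/"):
        return Origin.LOCAL   # absolute drive-letter or POSIX path
    parts = urlsplit(p)       # scheme is lower-cased by urlsplit
    if parts.scheme in ("http", "https", "ftp"):
        return Origin.REMOTE if parts.netloc else Origin.UNKNOWN
    if parts.scheme == "file":
        if parts.netloc not in ("", "localhost"):
            return Origin.REMOTE  # file://host/... names another machine
        if parts.path.startswith("//"):
            return Origin.REMOTE  # file:////host/share is a UNC path in disguise
        return Origin.LOCAL if parts.path.startswith("/") else Origin.UNKNOWN
    return Origin.UNKNOWN  # relative path or unrecognised scheme: fail closed


def is_allowed(policy: str, path: str) -> bool:
    """True only when the path's real origin is permitted by the named policy."""
    return classify(path) in POLICY.get(policy, set())
```

The point of the model is that the decision is made on the canonical form and on the access's real destination, so a network location written as a file path is still treated as remote.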
In this talk, we will review two sandbox escape vulnerabilities I have recently found in Adobe Flash.
The first vulnerability, tracked as CVE-2016-4271, is a local sandbox escape that bypasses path validation, making it possible to exfiltrate local data, obtain Windows user credentials, and escalate privileges. The second vulnerability, CVE-2017-3085, is a patch break (a bypass of the fix) in the remote sandbox, showing that Adobe's mitigations for the first vulnerability only incompletely solved the issue. Both vulnerabilities have resulted in significant changes to Adobe Flash's decade-old sandbox design, causing web developers to refactor their applications.
In analyzing these vulnerabilities, we'll review the underlying causes that made them possible: arbitrary definitions of what constitutes "remote" and "local", inadequate path validation schemes, and unmitigated OS-specific vulnerabilities. Finally, in light of recent efforts to deprecate Adobe Flash, we'll also discuss how Flash will remain important in the short and long term. What are the industry's efforts to minimize its attack surface? Will end users still be vulnerable until 2020?
Björn Ruytenberg is an MSc student in Computer Science and Engineering, specializing in Information Security, at Eindhoven University of Technology. Being a technology enthusiast, he holds a BSc in Electrical Engineering as well as Computer Science (cum laude). Aside from his work as a software developer, he actively participates in bug bounty programs. His vulnerability research mainly focuses on sandboxing technology in widely deployed enterprise products, including Adobe Flash, Microsoft Office and Foxit Reader.