Playing in the Sandbox - Bypassing Adobe Flash Input Validation

Explore the intricacies of bypassing Adobe Flash input validation in this 39-minute conference talk recorded at Radboud Universiteit, Nijmegen. Delve into sandboxing techniques used by vendors to restrict application trust boundaries and minimize potential system damage. Examine two sandbox escape vulnerabilities in Adobe Flash, CVE-2016-4271 and CVE-2017-3085, which enable local data exfiltration and obtaining Windows user credentials. Analyze the underlying causes, including arbitrary definitions of "remote" and "local," insufficient input validation schemes, and unmitigated platform-specific vulnerabilities. Gain insights into the importance of Flash as an attack vector and object of study, despite recent deprecation efforts. Learn about embedding Flash code, security sandboxes, SMB authentication, and NTLMv2 hashes. Discover testing methods for susceptibility and explore cross-domain policy files. Conclude with remarks on the significance of understanding these vulnerabilities and an invitation to engage in ethical hacking.

Intro
Today's topic: bug bounties
Introducing Adobe Flash
Embedding Flash code
Flash security sandboxes
Local by definition - Flash
Escaping the local sandbox (2/2)
Exfiltrating files out of sandbox
SMB authentication
SMB Relay attack (2008)
NTLMv2 hashes
Attack variant: SMBTrap
CVE-2016-4271: discussion (1/2)
The (revised) remote sandbox
SMB attacks, revisited (1/2)
Testing for susceptibility: basic idea
Testing for susceptibility: first try
Side track: cross-domain policy file
Testing for susceptibility: second try
CVE-2017-3085: discussion (1/3)
CVE-2017-3085: discussion (3/3)
Concluding remarks
Want to break stuff?