Adobe uses the so-called Settings Manager to configure aspects of the Flash Player application. As the Settings Manager is itself only a flash applet at a specific URL, it can be spoofed and used to set privacy-related parameters, such as allowing access to the camera and microphone for an attacker-chosen domain.
As noted above, the Settings Manager is itself a Flash applet, which explains the note on Adobe's website: "The Settings Manager that you see above is not an image; it is the actual Settings Manager." The applet is located at http://www.macromedia.com/support/flashplayer/sys/settingsmanager.swf, which in turn loads another applet from https://www.macromedia.com/support/flashplayer/sys/settingsmanager2.swf (note the HTTPS URL; Flash Player versions earlier than 8 retrieved this applet via plain HTTP).
This second applet is allowed to change the settings for domains which already have a Local Shared Object (also known as a "Flash cookie") set. In particular, it can set the options for camera and microphone access. In our proof-of-concept exploit, the communication takes place as follows (assuming the user has not yet accepted a certificate for www.macromedia.com). All files on the rogue www.macromedia.com referenced below have been modified to serve our PoC exploit.
- The user accesses the (rogue) Settings Manager at https://www.macromedia.com/[...]/settings_manager.html (possibly forced to, if the attacker can modify normal HTTP traffic). If the attacker is lucky, the user ignores the certificate warning and accepts the certificate; if the attacker is powerful, there is no certificate warning at all.
- This page contains an invisible iframe, load_evil.html, which redirects to evil.html on the HTTP server, since settingsmanager.swf has to be retrieved via HTTP. evil.html in turn contains an embed tag that loads the modified settingsmanager.swf.
- settingsmanager.swf writes a dummy LSO so that the domain is known in the next step. After that, it loads settingsmanager2.swf via HTTPS.
- settingsmanager2.swf can now be used to allow the video and camera to be turned on for www.macromedia.com. Our PoC sets this option for all domains (simply because we can, and it was easier to implement). It then redirects to hidden_record.flv, which uses the camera and microphone to record the user and sends the data via RTMP to a haxeVideo server.
Workaround:
Mitigation is possible by not allowing the Flash Player to use the microphone and camera. Add a line like this:
AVHardwareDisable = 1
to your mms.cfg. For more information about configuring/restricting Flash Player using mms.cfg, see:
http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide/flash_player_admin_guide.pdf
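To verify that the workaround is actually in place on a machine, the following added check (not part of the original advisory) parses an mms.cfg file and reports whether AVHardwareDisable = 1 is set; it assumes the one-directive-per-line "Name = Value" layout shown above, treats lines starting with "#" as comments, and uses the usual mms.cfg locations from the admin guide as candidates, which may not match a given install.

```python
"""Check whether an mms.cfg file disables camera/microphone access for Flash Player.

A missing file or a missing directive means Flash Player falls back to its
default, which allows AV hardware access, so both cases count as "not mitigated".
"""
from pathlib import Path
from typing import Dict, Optional

# Constructed sample of a minimal mms.cfg that applies the workaround.
SAMPLE_MMS_CFG = """\
# constructed sample mms.cfg
AVHardwareDisable = 1
"""


def parse_mms_cfg(text: str) -> Dict[str, str]:
    """Parse mms.cfg text into a {name: value} mapping with lower-cased names."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment (assumed syntax)
            continue
        if "=" not in line:  # malformed directive: skipped rather than guessed
            continue
        name, value = line.split("=", 1)
        settings[name.strip().lower()] = value.strip()
    return settings


def av_hardware_disabled(text: Optional[str]) -> bool:
    """True only when AVHardwareDisable is exactly 1; None (no file) is False."""
    if text is None:
        return False
    return parse_mms_cfg(text).get("avhardwaredisable") == "1"


def check_mms_cfg_file(path: str) -> bool:
    """Read mms.cfg from disk; an absent file leaves the default (AV enabled)."""
    cfg = Path(path)
    if not cfg.is_file():
        return False
    return av_hardware_disabled(cfg.read_text(errors="replace"))


if __name__ == "__main__":
    # Candidate locations per the Flash Player admin guide (assumed for this host).
    for candidate in (r"C:\Windows\System32\Macromed\Flash\mms.cfg",
                      "/Library/Application Support/Macromedia/mms.cfg",
                      "/etc/adobe/mms.cfg"):
        state = "mitigated" if check_mms_cfg_file(candidate) else "NOT mitigated"
        print(f"{candidate}: {state}")
```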
Disclosure Timeline:
Date released: 04.09.2010
Date reported: 08.03.2010