vendor:
Flash Player
by:
Jihui Lu of KeenTeam
N/A
CVSS
N/A
NTFS junction attack
Unknown
CWE
Product Name: Flash Player
Affected Version From: Adobe Flash Player 16.0.0.305 (KB3021953)
Affected Version To: Unknown
Patch Exists: Unknown
Related CWE: Unknown
CPE: Unknown
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 8.1, IE
2015
FlashBroker – BrokerMoveFileEx TOCTOU IE PM Sandbox Escape
FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a race condition in FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where the BrokerMoveFileEx method opens the original file and then making destination to be a junction. The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.
Mitigation:
Unknown