vendor:
Microsoft
by:
2015
FlashBroker will use a wrong destination folder for check. The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction."
CVSS
8.8
NTFS junction attack
N/A
CWE
Product Name: Microsoft
Affected Version From: YES
Affected Version To: Adobe Flash Player 16.0.0.305 (KB3021953)
Patch Exists: Update to the latest version of Adobe Flash Player.
Related CWE: Jietao Yang of KeenTeam
CPE: Adobe Flash Player 16.0.0.305 (KB3021953)
Metasploit:
https://www.exploit-db.com/raw/37840
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 8.1
HIGH
FlashBroker – Junction Check Bypass With Forward Slash IE PM Sandbox Escape
FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "" as delimiter. If the destination includes ""/""
Mitigation:
N/A
