Flash “local-with-filesystem” Bypass in navigateToURL

This issue has been patched by Adobe: https://helpx.adobe.com/security/products/flash-player/apsb16-25.html (CVE-2016-4178) Flash “local-with-filesystem” policy can be bypassed using the “navigateToURL” function. It is not possible to target the local files using a Flash file in a website using normal methods such as the “file://” protocol or the “\\localhost\c$” path due to the Flash “local-with-filesystem” security policy. However, a method was found that could bypass this protection. For instance the following payload could be used to open the Windows directory in the C drive: \\.\localhost/c:\windows\ Example (should be tested in IE): http://0me.me/demo/xss/flash/link_protocol_test.swf?input=\\.\localhost/c:\windows\ It was possible to open local files and directories in an Iframe as well. The following old PoC page can be used for this purpose: http://0me.me/demo/xss/flash/iframe_link_protocol_test.html The “link_protocol_test.swf?input=\\.\localhost/c:\windows\starter.xml” payload can be used as an example in the “Custom Address” field of this HTML page. Note: This will only work in Internet Explorer as other browsers do not allow Flash to access local filesystem. Note: Other vectors: "\\.\/C:\" or "\\.\/\\.\\..\C:\" also reported to Adobe afterwards. These payloads were discovered by Matthew Evans from NCC Group. History before reporting this issue: Similar issues were reported to Adobe a few years ago by a number of security researchers after this blog post was published by me: https://soroush.secproject.com/blog/2013/10/catch-up-on-flash-xss-exploitation-part-2-navigatetourl-and-jar-protocol/