CVE-2016-4286

This write-up describes the exploit for the Adobe Flash Player vulnerability published as CVE-2016-4286.

Author: Jordy Kersten (info@hamon-security.nl)
Exploit Type: Microsoft Windows Lock Screen Authentication Bypass
CVE Score: High (7.3) https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N (by best guess)
Access Type: Physical access to the mobile device (might work on workstations also)
Prerequisites: Mobile device is turned on and locked by the user. A flash screensaver must be active. Either an external monitor or docking station is required. No exploit code required(!).

The exploit has been tested with the following software:
Adobe Flash Player version 22.0.0.209. Most likely all prior versions are also vulnerable, but this was not tested.

First of all I would like to thank the Core Infra Team (Michiel and Stefan) for complaining about the fact that their laptop always crashes after putting it back in the dock. This triggered me to investigate if I was able to reproduce the issue and determine the impact.
When the mobile device is locked and a Flash screensaver is configured, changing the resolution of the output device results in a controlled crash of the Flash player. At this point the screensaver stops, which makes it possible to access the Flash configuration settings menu even though the device is locked. From here it is possible to open the file explorer within Windows, allowing attackers to gain access to the file system with the same rights as the user. To exploit the vulnerability, follow these steps:

1. After the mobile device is locked and the set idle time has passed, the Flash screensaver becomes active.
2. Either dock the laptop in a docking station or connect an external monitor with a different default resolution, which triggers the screen resolution change.
3. Right-click and select “global settings”.
4. Press Alt-Tab to change to the Flash Player Settings menu.
5. Click on the “Advanced” tab and select “trusted locations”.
6. Click “add file” and browse to a folder containing another folder.
7. Right-click on the folder and select “Open in new window” to get a fully functioning file explorer.

Vulnerability Fix: Update the Adobe Flash Player version to the latest version or disable the flash screensaver. For more information see https://helpx.adobe.com/security/products/flash-player/apsb16-32.html.
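
To check whether a machine meets the prerequisites above (an active Flash screensaver, and a Flash Player no newer than the tested 22.0.0.209), the following PowerShell audit can be run as the logged-on user. It is an added example, not part of the original write-up or Adobe's advisory. Assumptions: a Flash-based .scr embeds the string "ShockwaveFlash" (a heuristic), and the installer records the version in the `CurrentVersion` value under `HKLM:\SOFTWARE\Macromedia\FlashPlayer`.

```powershell
# Added example: audit the current user's screensaver setup for the write-up's prerequisites.
$testedVulnerable = [version]'22.0.0.209'   # the version tested in the write-up

function Get-ScreenSaverSetting {
    # The Group Policy location is checked first, then the user's own Control Panel values.
    $paths = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
             'HKCU:\Control Panel\Desktop'
    foreach ($p in $paths) {
        $k = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($k -and $k.'SCRNSAVE.EXE') {
            return [pscustomobject]@{
                Path   = [Environment]::ExpandEnvironmentVariables($k.'SCRNSAVE.EXE')
                Active = ($k.ScreenSaveActive -eq '1')
            }
        }
    }
}

function Test-FlashScreenSaver([string]$Path) {
    # Heuristic (assumption): look for the Flash ActiveX ProgID in the .scr,
    # stored either as ANSI or as UTF-16LE (a NUL byte between characters).
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $text    = [Text.Encoding]::GetEncoding(28591).GetString([IO.File]::ReadAllBytes($Path))
    $pattern = 'ShockwaveFlash'.ToCharArray() -join '\x00?'
    return ($text -cmatch $pattern)
}

function Get-FlashVersion {
    # Assumption: the version is stored as a comma-separated string such as "22,0,0,209".
    $keys = 'HKLM:\SOFTWARE\Macromedia\FlashPlayer',
            'HKLM:\SOFTWARE\WOW6432Node\Macromedia\FlashPlayer'
    foreach ($key in $keys) {
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CurrentVersion
        if ($v) { return [version]($v -replace ',', '.') }
    }
}

$ss         = Get-ScreenSaverSetting
$flash      = Get-FlashVersion
$isFlashScr = $ss -and (Test-FlashScreenSaver $ss.Path)

[pscustomobject]@{
    ScreenSaver            = $ss.Path
    ScreenSaverActive      = [bool]$ss.Active
    LooksFlashBased        = [bool]$isFlashScr
    FlashVersion           = $flash
    AtOrBelowTestedVersion = [bool]($flash -and $flash -le $testedVulnerable)
    NeedsAttention         = [bool]($isFlashScr -and $ss.Active)
}
```

A result with `NeedsAttention` set to True means the screensaver should be disabled or replaced, and Flash Player updated as the advisory describes.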