TechNote

Socket connection timing can reveal information about network configuration (Flash Player)

Issue

By taking advantage of subtle timing differences in Adobe Flash Player, a carefully-constructed malicious SWF file may be able to learn whether certain TCP ports on known host computers are open or closed. This technique cannot be used to actually connect to such ports without authorization. It can only be used to learn whether ports are open or closed.

The technique relies on attempting to make an ActionScript socket connection (using the Socket or XMLSocket class) and monitoring how long the connection takes to fail.

This issue is known to the security community as CVE-2007-4324.

Solution

Adobe is pursuing a solution to this issue in a future release of Flash Player.

In the meantime, beginning with Flash Player 9.0.115.0, users and enterprises can disable (and selectively reenable) ActionScript socket functionality. This workaround may not be necessary for most users because the ability to determine open and closed ports is not by itself a critical vulnerability. However, in some environments, this workaround may be desirable. Customers should be aware that disabling ActionScript socket functionality may cause some SWF-based content to stop functioning as intended. For more information about Flash Player socket functionality, please see the following ActionScript resources:

The following instructions reference the mms.cfg configuration file. For a general introduction to mms.cfg, see the Adobe Flash Player Administration Guide.

To disable ActionScript socket functionality:

Ensure that Flash Player 9.0.115.0, or later, is installed. Visit the Adobe Flash Player Download Center to obtain the latest version, or visitthe Adobe Flash Product pageto determine the version currently installed.
Find the location of the file mms.cfg on your system(s). This file may already exist, or you may need to create it. You will most likely need administrative access to create or edit this file.
mms.cfg is located at:
- Windows: \Macromed\Flash\mms.cfg
- (e.g. C:\WINDOWS\system32\Macromed\Flash\mms.cfg)
- Mac OS: /Library/Application Support/Macromedia/mms.cfg
- Linux: /etc/adobe/mms.cfg
Add the following line to mms.cfg:
DisableSockets=1

If you decide to disable ActionScript sockets, you may find that certain known legitimate SWF files stop working as intended. For example, SWF files deployed by your own organization no longer function as intended. If this happens, you can selectively reenable ActionScript socket functionality by configuring individual hosts to which Flash Player should allow ActionScript socket connections.

To selectively reenable ActionScript socket functionality (this assumes you have already followed the steps above for disabling sockets):

Add the following line to mms.cfg:
EnableSocketsTo=hostname

You can add this line as many times as you need. You can specify Intranet host names without periods, Intranet or Internet host names with periods, or IP addresses.

The hosts you specify are the target hosts to which socket connections are made, not the source hosts from which SWF files come. Connections to the hosts that you selectively reenable are permitted from all SWF files.

Flash Player will only permit socket connections when ActionScript specifies the exact host name or IP address that you have specified in an EnableSocketsTo directive. For example, if you maintain a host called host1.mycompany.com, it might also be reachable as just host1, or as anothername.mycompany.com, or as 192.168.1.15. If you specify only EnableSocketsTo=host1.mycompany.com in mms.cfg, then ActionScript will only be permitted to connect to this host when it explicitly specifies host1.mycompany.com, not when it specifies host1 or anothername.mycompany.com or 192.168.1.15. Likewise, if you specify only EnableSocketsTo=192.168.1.15, then ActionScript will only be permitted to connect to this host when it explicitly specifies 192.168.1.15, not when it specifies any other name. If you need a host to be reachable using multiple names, enter an EnableSocketsTo directive for each name.

Additional Information

Flash developers and system administrators should also be aware of security changes that affect socket connections in Flash Player 9.0.115.0. For more details, see the Adobe Developer Connection article "Security changes in Flash Player 9".