Tuesday, September 14, 2010

Adobe Acrobat Reader 0-day / bypass dep+aslr

As you have seen, several security vulnerabilities in the Adobe Acrobat Reader product were reported over the past month. During 30 days of research, my colleagues and I at the itsecteam lab were able to discover several vulnerabilities, two of which we released as public advisories.


Adobe Acrobat Reader All Version Memory Corruption

Adobe Acrobat Reader acroform_PlugInMain memory corruption

Advisory URL:

http://itsecteam.com/en/papers/paper11.htm
http://itsecteam.com/en/papers/paper12.htm

Of course, most of the results, exploits and tools that were written have not been made public :)

Our Iranian friends and colleagues have not been idle either, and have shown their keen interest in this "special" product!... which again produced some interesting public results.

@abysssec:

MOAUB #12 - Adobe Acrobat and Reader “pushstring” Memory Corruption


MOAUB #1 - Adobe Acrobat Reader and Flash Player “newclass” invalid pointer - Binary Analysis

MOAUB #1 - Adobe Acrobat Reader and Flash Player “newclass” invalid pointer

@Ramz Afzar:

Acrobat Acrobat Font Parsing Integer Overflow Vulnerability


Of course, the last bug listed had already been published by Mr. Charlie Miller in a 70-page document. You know Charlie Miller: the one who exploited a MacBook Air in 2 minutes at the pwn2own conference, and who holds a PhD in mathematics from the University of Notre Dame. And now I'm going to drop the bomb!!!! A superb masterpiece from the nameless friends "Unknown" and the dear folks at Metasploit:

Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow
adobe_cooltype_sing.rb

The interesting features of this exploit are that it bypasses DEP and, in the authors' own words, uses an:

"unpublished technique to bypass ASLR"

To implement this exploit, icucnv36.dll is used. The reason is that this DLL has functions (APIs) that must be called from a fixed address, so in practice ASLR cannot be applied to this DLL.
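Whatever the reason a vendor ships a module this way, a DLL that is not linked with /DYNAMICBASE is mapped at its preferred ImageBase on every load, which is why such modules are the first thing to audit when assessing a product's exposure to ASLR bypasses. The following Python script is an added example (not code from the original post, from itsecteam, or from the Metasploit module): it reads the DllCharacteristics field of a PE file's optional header and reports whether the module opts in to ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT). The build_minimal_pe helper constructs a synthetic, non-loadable header purely so the check can be exercised offline; any file paths you pass on the command line are your own.

```python
import struct
import sys

# Flags from the PE specification (IMAGE_OPTIONAL_HEADER.DllCharacteristics)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # relocatable at load time: ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP-compatible image (/NXCOMPAT)

def optional_header_offset(data):
    """Locate the optional header: MZ header -> e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20

def dll_characteristics(data):
    """Return the 16-bit DllCharacteristics field of an in-memory PE image."""
    opt = optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # The field sits at offset 0x46 in both the PE32 and PE32+ optional header layouts.
    return struct.unpack_from("<H", data, opt + 0x46)[0]

def image_base(data):
    """Preferred load address: where a non-ASLR module ends up every time it is loaded."""
    opt = optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        return struct.unpack_from("<I", data, opt + 0x1C)[0]   # PE32: 4-byte ImageBase
    return struct.unpack_from("<Q", data, opt + 0x18)[0]       # PE32+: 8-byte ImageBase

def mitigations(data):
    dc = dll_characteristics(data)
    return {
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "image_base": image_base(data),
    }

def audit_files(paths):
    """Map each path to its mitigation flags; unreadable or non-PE files are reported as errors."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as f:
                report[path] = mitigations(f.read())
        except (OSError, ValueError) as exc:
            report[path] = {"error": str(exc)}
    return report

def build_minimal_pe(flags, base=0x10000000):
    """Constructed test fixture: DOS header, PE signature, COFF header and a PE32
    optional header carrying the given DllCharacteristics. Not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT|DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 0x1C, base)     # ImageBase
    struct.pack_into("<H", opt, 0x46, flags)    # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Usage: python pe_mitigations.py <module.dll> ...  (paths are whatever you choose to audit)
    for path, info in audit_files(sys.argv[1:]).items():
        print(path, info)
```

Run it over a product's plug-in and support DLLs and any module reporting aslr=False is one that will sit at its image_base regardless of system-wide ASLR; the fix on the vendor side is to relink with /DYNAMICBASE, and on the defender side to treat such modules as the ones whose removal or update matters most.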

As our friend Felipe Andres Manzano put it:

"For PATCH adobe bug.. delete the plugin"

Monday, September 13, 2010

Acrobat Reader memory corruption advisory / analysis



A vulnerability discovered in Adobe Reader and Adobe Acrobat could allow remote code execution

OVERVIEW:

A vulnerability has been discovered in the Adobe Acrobat and Adobe Reader applications which could allow attackers to execute arbitrary code on the affected systems. Adobe Reader allows users to view Portable Document Format (PDF) files while Adobe Acrobat offers users additional features such as the ability to create PDF files. This vulnerability may be exploited if a user visits or is redirected to a specially crafted web page or when a user opens a specially crafted PDF file. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.

SYSTEMS AFFECTED:

  • Adobe Acrobat 9.3.4 for Windows
  • Adobe Acrobat 9.x
  • Adobe Acrobat 8.x
  • Adobe Reader 7.x

VULNERABILITY DESCRIPTION:

Adobe Reader and Adobe Acrobat are prone to a remote code execution vulnerability when handling malicious PDF files. The vulnerability is a remote memory-corruption that occurs in 'AcroForm.api' when processing unspecified 'special characters'. This vulnerability may be exploited if a user visits or is redirected to a specially crafted web page. Exploitation may also occur when a user opens a specially crafted PDF file.


Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=02ae1314 edx=020c4bc8 esi=02adb470 edi=0012f4b4
eip=20946b4a esp=0012f414 ebp=0012f470 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api -
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00 mov eax,dword ptr [eax] ds:0023:00000000=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> u
AcroForm!DllUnregisterServer+0x130993:
20946b4a 8b00 mov eax,dword ptr [eax]
20946b4c c3 ret
20946b4d 56 push esi
20946b4e 8b742408 mov esi,dword ptr [esp+8]
20946b52 57 push edi
20946b53 33ff xor edi,edi
20946b55 393e cmp dword ptr [esi],edi
20946b57 7e1a jle AcroForm!DllUnregisterServer+0x1309bc (20946b73)


We can see that the program raises the access violation at mov eax,dword ptr [eax], with eax=00000000, i.e. a read through a NULL pointer.


The memory corruption occurs when the special characters are injected. However, because the registers cannot be controlled and the crash location cannot be changed by varying the input chain, no way of exploiting this vulnerability has been found so far. The API above is contained in the following 3 modules, which you can see together with their addresses.
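The crash lines above are enough for a first triage: which address faulted, whether it was a read or a write, and whether the address is near NULL (a plain crash unless the pointer value can be influenced) or somewhere else (worth a closer look). The script below is an added example, not part of the advisory, that performs that triage on the register dump and faulting instruction quoted above; the three sample lines are copied from the page, the regular expressions assume WinDbg's 32-bit Intel-syntax output, and only single-base-register operands such as [eax] or [esp+8] are handled.

```python
import re

# Constructed sample input: the register dump and the faulting instruction that
# WinDbg printed for this crash, copied from the advisory above.
SAMPLE_CRASH = [
    "eax=00000000 ebx=00000001 ecx=02ae1314 edx=020c4bc8 esi=02adb470 edi=0012f4b4",
    "eip=20946b4a esp=0012f414 ebp=0012f470 iopl=0 nv up ei pl zr na pe nc",
    "20946b4a 8b00 mov eax,dword ptr [eax] ds:0023:00000000=????????",
]

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
# [base], [base+disp] or [base-disp] with a single 32-bit base register (enough for these lines)
MEM_RE = re.compile(r"\[\s*(e[a-d]x|e[sd]i|e[bs]p)(?:\s*([+-])\s*(?:0x)?([0-9a-f]+)h?)?\s*\]")
# WinDbg's own "ds:0023:00000000=..." annotation of the effective address it resolved
WINDBG_EA_RE = re.compile(r"\b[cdefgs]s:[0-9a-f]{4}:([0-9a-f]{8})")
# "<address> <opcode bytes> <mnemonic> <operands>"
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\S+)\s*(.*)$")

def parse_registers(lines):
    """Collect reg=value pairs from every register-dump line."""
    regs = {}
    for line in lines:
        regs.update({name: int(val, 16) for name, val in REG_RE.findall(line)})
    return regs

def effective_address(operands, regs):
    """Address of the first [reg(+/-disp)] operand, or None if the instruction has none."""
    m = MEM_RE.search(operands)
    if not m:
        return None
    base, sign, disp = m.groups()
    addr = regs[base]
    if disp:
        addr += int(disp, 16) if sign == "+" else -int(disp, 16)
    return addr & 0xFFFFFFFF

def triage(lines):
    """Classify the faulting access: which address, read or write, and a coarse verdict."""
    regs = parse_registers(lines)
    insn_line = next(l for l in lines if INSN_RE.match(l))
    mnemonic, operands = INSN_RE.match(insn_line).groups()
    addr = effective_address(operands, regs)
    if addr is None:
        return {"mnemonic": mnemonic, "address": None, "access": None,
                "verdict": "no-memory-operand", "windbg_agrees": True}
    # In Intel syntax the first operand is the destination; cmp/test only read both operands.
    dest = operands.split(",", 1)[0]
    access = "write" if "[" in dest and mnemonic not in ("cmp", "test") else "read"
    # Cross-check our computed address against the one WinDbg annotated, when present.
    ea = WINDBG_EA_RE.search(operands)
    windbg_agrees = ea is None or int(ea.group(1), 16) == addr
    # Reads through a near-NULL pointer are usually a plain crash (DoS) unless the pointer
    # value is attacker-influenced; writes or far-from-zero addresses deserve a closer look.
    verdict = "null-deref" if addr < 0x10000 else "non-null-address"
    return {"mnemonic": mnemonic, "address": addr, "access": access,
            "verdict": verdict, "windbg_agrees": windbg_agrees}

if __name__ == "__main__":
    print(triage(SAMPLE_CRASH))
```

For the dump above the result is a read from address 0 through eax, which matches the advisory's own conclusion: a crash, but with no controlled register to steer it, not an exploit. The same functions can be pointed at the `u` listing to see, for example, that cmp dword ptr [esi],edi would touch 02adb470 with the registers shown.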


------------------------------------------------------------------------------------
http://www.exploit-db.com/exploits/14761
http://packetstormsecurity.org/1008-exploits/adobear-corrupt.tgz
------------------------------------------------------------------------------------

POC File:

Adb_poc.zip