Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was introduced in July 2010. So far, it had been doing a good job at limiting the impact of exploitable bugs in Adobe Reader X, as escaping the sandbox after successful exploitation turned to be particularly challenging, and hasn't been witnessed in the wild, yet. This paper exposes how we did just this: By leveraging some broker APIs, a policy flaw, and a little more, we were able to break free from Adobe's sandbox. The particular vulnerability we used was patched by Adobe in September 2011 (CVE-2011-1353), as a result of our responsible disclosure action; yet, this demonstrates that Adobe's sandbox cannot be considered a panacea against security flaws exploitation in Adobe Reader X, and paves the way toward further interesting discoveries for security researchers. Indeed, beyond this particular vulnerability, this paper dives deep into the sandbox implementation of Adobe Reader X, and debates ways to audit its broker APIs, which, to our minds, offer a major attack surface. In particular, the paper details how we configured an open-source fuzzing tool to audit them through the IPC Framework.

1. BREEDING SANDWORMS:
HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX

2. Who we are
• Research and Analysis: Zhenhua(Eric) Liu
Vulnerability Researcher
zhliu@fortinet.com
• Contributor and Editor: Guillaume Lovet
Sr Manager of Fortinet's EMEA Threat
Research and Response Center
glovet@fortinet.com

3. Huge number of vulnerabilities been found
Adobe vulnerabilities history in CVE.
http://www.cvedetails.com/vendor/53/Adobe.html

4. Huge number of vulnerabilities been found
Big Fan of you,
Mr. Ormandy

5. How many of them can compromise
Adobe Reader X?
Since its launch in November
2010, we have not seen a
single successful exploit in the
wild against Adobe Reader X.

6. All because of Protected Mode
(SandBox)
Adobe Reader X Protected
Mode mitigations would
prevent an exploit of this kind
from executing.

7. How Hard Actually?
http://blogs.adobe.com/asset/files/2010/11/Win7-
Sandbox-Exploit-Steps.png

8. Agenda
• Introduce to the Adobe Reader X Protected
Mode
• The SandBox implementation
• Fuzz Broker APIs
• Bypass the Challenge
• Demo
• Conclusions and Future Work

9. Documentation
• The most complete and authoritative
documentation one can find about Adobe
Reader Protect Mode is the series of blogs
written by Kyle Randolph from ASSET.

10. Sandbox INTERNALS from ASSET’s blog
http://blogs.adobe.com/asset/files/2010/10/Sandbox-
Diagrams3.png

11. Blood and Sand: At the heart of
Adobe Reader's sandbox
http://blogs.adobe.com/asset/files/2010/11/Sandbox-
and-Broker-Process-IPC.png

12. Possible Avenues to Achieve Attack
• Attacks From Kernel Land
• Attacks From User Land
-- Broker API Attack Surface
-- Policy Engine
-- IPC Frame Work
-- Named Object Squatting Attacks
-- Plug-in that not been sandboxed.
-- And more… which will be discovered by you.

13. Attacks From Kernel Land
Can we subvert the token pointer？

14. Motivations and Questions
“An example is the dialog that confirms if the
user really wants to disable Protected Mode”
Hello from our old
friend.
We start from `hello` for
respective.

15. Audit Target
• 1: Are there logic flaws, or weaknesses, that
could be leveraged to circumvent restrictions?
• 2: Are there memory corruption
vulnerabilities?

16. The strategy for reversing 1
• Find “thread_provider_->RegisterWait”
• Find function “ThreadPingEventReady” and
the important parameter “service_context”.
• Find IPC message dispatch mechanism
through ThreadPingEventReady, and then find
the entire IPC handler functions.

17. Important data structures
RegisterWaitForSingleObject(&pool_object,
waitable_object,
callback,
context,
INFINITE,
WT_EXECUTEDEFAULT
)

18. Important data structures
service_context：
• +0h Ping handle
• +4h pong handle
• +8h channel_size
• +Ch channel_buffer
• +10h shared_base
• +14h channel
• +18h dispatcher
• +1Ch target_info

19. The result

20. The strategy for reversing 2
• find out the “HOOK” function first, then
enumerate entire broker IPC by “xrefs”
function of IDApro. (for Client API)
• Characteristic string like
“AcroWinMainSandbox”. (for Client API)
• Serach pattern strings in .data section of file
“AcroRd32.exe”. (for handler API)

21. You are so beautiful
Following
`AcroWinMainSandbox`,
we find Adobe Service
APIs list. (Client side)

22. Broker API tag 0x3E is to disable
Protected Mode.
if ( MessageBoxW(hWnd, "..", "..", 0x34) == 6 )
{
hKey = 0;
ret = RegCreateKeyW
(
HKEY_CURRENT_USER,
L"SoftwareAdobeAcrobat Reader
10.0Privileged",
&hKey);
...

23. Practice for fun
Tag field
0x3E means to “disable
Protected Mode”

24. Practice for fun
With a pop confirmation dialogs out

25. Another Practice For Fun
Tag field
0x43 means to open http
link using default explorer
under High Integrity.
http://10.10.1.127/1.exe

26. Another Practice For Fun
1.exe is a POC file which
doing operation in file
system

27. Another Practice For Fun
And another confirmation dialog
pop out

28. Fuzz Broker APIs
• The needs
• The existing idea that meets needs

29. The exits idea that meets needs
• In particular, the “in memory fuzz” concept
introduced by Michael Sutton in a famous
book“Fuzzing: Brute Force Vulnerability
Discovery”fits our requirements.

30. Why we focused Broker Service APIs
• We guess APIs inherited from Google’s
Chrome have been researched a lot by many
researchers.
• Continuously increased Broker Service APIs by
Adobe.

31. Why we focused Broker Service APIs
63 Broker Service Dispatchers were 72 Broker Service Dispatchers were
found in AcroRd32.exe 10.0.1.434 found in AcroRd32.exe 10.1.1.33

32. In Memory Fuzzer POC: How it works
Step 1 Step 2 Step 3 Step 4 Step 5
Take
snapshot for
Wait for the Restore
sandboxed Stuff fuzzing
Send the IPC broker process snapshot of
process data into the
Message to handle the sandboxed
before IPC Message
IPC message process
sending the
IPC message
第 32 页

33. In Memory Fuzzer POC: How it works
Step 1 Step 2 Step 3 Step 4 Step 5
Take
snapshot for
Wait for the Restore
sandboxed Stuff fuzzing
Send the IPC broker process snapshot of
process data into the
Message to handle the sandboxed
before IPC Message
IPC message process
sending the
IPC message
Repeat step 2 - 5 until
fuzz data exhausted

34. Prepare the “Smarter ” Fuzz Data
Example: strings in policy
rules.

35. Pop Pop and Pop XD
Which means the relative
Broker API have been
achieved.

36. The Vulnerability CVE-2011-1353
• It was patched by Adobe in September 2011
as a result of our responsible disclosure action
• World is small
Mark Yason and Paul Sabanal of IBM X-Force
have also found this vulnerability.

37. See the Problem?
• AddRule( SUBSYS_REGISTRY,
REG_DENY,
"HKEY_CURRENT_USERSoftwareAdobeAcrobat
Reader10.0Privileged"
);
• AddRule( SUBSYS_REGISTRY,
REG_ALLOW_ANY,
"HKEY_CURRENT_USERSoftwareAdobeAcrobat
Reader10.0"
);

38. See the Problem?
• AddRule( SUBSYS_REGISTRY,
REG_DENY,
"HKEY_CURRENT_USERSoftwareAdobeAcrobat
Reader10.0Privileged"
);
• AddRule( SUBSYS_REGISTRY,
REG_ALLOW_ANY,
"HKEY_CURRENT_USERSoftwareAdobeAcrobat
Reader10.0"
);

39. Magic String
• HKEY_CURRENT_USERSoftwareAdobeAcro
bat Reader10.0PrivilegedbProtectedMode

40. CVE-2011-1353
Policy Engine
CreateRegKey
Sandbox Request Broker
Process Process
OS

41. CVE-2011-1353
Good Policy Engine
Boy?
Sandbox Broker
Process Process
OS

42. CVE-2011-1353
Policy Engine
False Positive
Sandbox Broker
Process Process
Good Boy
OS

43. CVE-2011-1353
Policy Engine
Sandbox Broker
Process Process
What Can I Do for you?
OS

44. CVE-2011-1353
Policy Engine
Sandbox Broker
Process Process
Return Duplicated
Handle
OS

45. The patch and little bit more
New function “CanonPathName”
added to Strip off the extra
backslash.
while ( *Cp != '' );
do
{
Cp++;
}

46. Demo

47. Conclusions and Future Work

48. The Road To The Horizon

49. The Road To The Horizon
APSAs
Like CVE-2011-3232
in the Demo.

50. The Road To The Horizon
Heap Spray, ROP,
Heap FengShui, JIT,
Haifei Li’s Flash
ActionScript
Exploit…

51. The Road To The Horizon
CVE-2011-1353

52. Free!