Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was introduced in July 2010. So far, it had been doing a good job at limiting the impact of exploitable bugs in Adobe Reader X, as escaping the sandbox after successful exploitation turned to be particularly challenging, and hasn't been witnessed in the wild, yet.
This paper exposes how we did just this: By leveraging some broker APIs, a policy flaw, and a little more, we were able to break free from Adobe's sandbox.
The particular vulnerability we used was patched by Adobe in September 2011 (CVE-2011-1353), as a result of our responsible disclosure action; yet, this demonstrates that Adobe's sandbox cannot be considered a panacea against security flaws exploitation in Adobe Reader X, and paves the way toward further interesting discoveries for security researchers.
Indeed, beyond this particular vulnerability, this paper dives deep into the sandbox implementation of Adobe Reader X, and debates ways to audit its broker APIs, which, to our minds, offer a major attack surface. In particular, the paper details how we configured an open-source fuzzing tool to audit them through the IPC Framework.
2. Who we are
• Research and Analysis: Zhenhua(Eric) Liu
Vulnerability Researcher
zhliu@fortinet.com
• Contributor and Editor: Guillaume Lovet
Sr Manager of Fortinet's EMEA Threat
Research and Response Center
glovet@fortinet.com
3. Huge number of vulnerabilities been found
Adobe vulnerabilities history in CVE.
http://www.cvedetails.com/vendor/53/Adobe.html
4. Huge number of vulnerabilities been found
Big Fan of you,
Mr. Ormandy
5. How many of them can compromise
Adobe Reader X?
Since its launch in November
2010, we have not seen a
single successful exploit in the
wild against Adobe Reader X.
6. All because of Protected Mode
(SandBox)
Adobe Reader X Protected
Mode mitigations would
prevent an exploit of this kind
from executing.
8. Agenda
• Introduce to the Adobe Reader X Protected
Mode
• The SandBox implementation
• Fuzz Broker APIs
• Bypass the Challenge
• Demo
• Conclusions and Future Work
9. Documentation
• The most complete and authoritative
documentation one can find about Adobe
Reader Protect Mode is the series of blogs
written by Kyle Randolph from ASSET.
10. Sandbox INTERNALS from ASSET’s blog
http://blogs.adobe.com/asset/files/2010/10/Sandbox-
Diagrams3.png
11. Blood and Sand: At the heart of
Adobe Reader's sandbox
http://blogs.adobe.com/asset/files/2010/11/Sandbox-
and-Broker-Process-IPC.png
12. Possible Avenues to Achieve Attack
• Attacks From Kernel Land
• Attacks From User Land
-- Broker API Attack Surface
-- Policy Engine
-- IPC Frame Work
-- Named Object Squatting Attacks
-- Plug-in that not been sandboxed.
-- And more… which will be discovered by you.
14. Motivations and Questions
“An example is the dialog that confirms if the
user really wants to disable Protected Mode”
Hello from our old
friend.
We start from `hello` for
respective.
15. Audit Target
• 1: Are there logic flaws, or weaknesses, that
could be leveraged to circumvent restrictions?
• 2: Are there memory corruption
vulnerabilities?
16. The strategy for reversing 1
• Find “thread_provider_->RegisterWait”
• Find function “ThreadPingEventReady” and
the important parameter “service_context”.
• Find IPC message dispatch mechanism
through ThreadPingEventReady, and then find
the entire IPC handler functions.
20. The strategy for reversing 2
• find out the “HOOK” function first, then
enumerate entire broker IPC by “xrefs”
function of IDApro. (for Client API)
• Characteristic string like
“AcroWinMainSandbox”. (for Client API)
• Serach pattern strings in .data section of file
“AcroRd32.exe”. (for handler API)
21. You are so beautiful
Following
`AcroWinMainSandbox`,
we find Adobe Service
APIs list. (Client side)
22. Broker API tag 0x3E is to disable
Protected Mode.
if ( MessageBoxW(hWnd, "..", "..", 0x34) == 6 )
{
hKey = 0;
ret = RegCreateKeyW
(
HKEY_CURRENT_USER,
L"SoftwareAdobeAcrobat Reader
10.0Privileged",
&hKey);
...
23. Practice for fun
Tag field
0x3E means to “disable
Protected Mode”
29. The exits idea that meets needs
• In particular, the “in memory fuzz” concept
introduced by Michael Sutton in a famous
book“Fuzzing: Brute Force Vulnerability
Discovery”fits our requirements.
30. Why we focused Broker Service APIs
• We guess APIs inherited from Google’s
Chrome have been researched a lot by many
researchers.
• Continuously increased Broker Service APIs by
Adobe.
31. Why we focused Broker Service APIs
63 Broker Service Dispatchers were 72 Broker Service Dispatchers were
found in AcroRd32.exe 10.0.1.434 found in AcroRd32.exe 10.1.1.33
32. In Memory Fuzzer POC: How it works
Step 1 Step 2 Step 3 Step 4 Step 5
Take
snapshot for
Wait for the Restore
sandboxed Stuff fuzzing
Send the IPC broker process snapshot of
process data into the
Message to handle the sandboxed
before IPC Message
IPC message process
sending the
IPC message
第 32 页
33. In Memory Fuzzer POC: How it works
Step 1 Step 2 Step 3 Step 4 Step 5
Take
snapshot for
Wait for the Restore
sandboxed Stuff fuzzing
Send the IPC broker process snapshot of
process data into the
Message to handle the sandboxed
before IPC Message
IPC message process
sending the
IPC message
Repeat step 2 - 5 until
fuzz data exhausted
35. Pop Pop and Pop XD
Which means the relative
Broker API have been
achieved.
36. The Vulnerability CVE-2011-1353
• It was patched by Adobe in September 2011
as a result of our responsible disclosure action
• World is small
Mark Yason and Paul Sabanal of IBM X-Force
have also found this vulnerability.
37. See the Problem?
• AddRule( SUBSYS_REGISTRY,
REG_DENY,
"HKEY_CURRENT_USERSoftwareAdobeAcrobat
Reader10.0Privileged"
);
• AddRule( SUBSYS_REGISTRY,
REG_ALLOW_ANY,
"HKEY_CURRENT_USERSoftwareAdobeAcrobat
Reader10.0"
);
38. See the Problem?
• AddRule( SUBSYS_REGISTRY,
REG_DENY,
"HKEY_CURRENT_USERSoftwareAdobeAcrobat
Reader10.0Privileged"
);
• AddRule( SUBSYS_REGISTRY,
REG_ALLOW_ANY,
"HKEY_CURRENT_USERSoftwareAdobeAcrobat
Reader10.0"
);