BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out of Adobe Reader's...

DESCRIPTION

Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was announced in July 2010 and shipped with Adobe Reader X in November 2010. So far it has done a good job of limiting the impact of exploitable bugs in Adobe Reader X: escaping the sandbox after a successful exploitation turned out to be particularly challenging, and has not yet been witnessed in the wild.

This paper exposes how we did just that. By leveraging some broker APIs, a policy flaw, and a little more, we were able to break free from Adobe's sandbox. The particular vulnerability we used was patched by Adobe in September 2011 (CVE-2011-1353) as a result of our responsible disclosure; still, it demonstrates that Adobe's sandbox cannot be considered a panacea against the exploitation of security flaws in Adobe Reader X, and paves the way toward further interesting discoveries for security researchers.

Indeed, beyond this particular vulnerability, this paper dives deep into the sandbox implementation of Adobe Reader X and discusses ways to audit its broker APIs, which, to our minds, offer a major attack surface. In particular, the paper details how we configured an open-source fuzzing tool to audit them through the IPC framework.

TRANSCRIPT
![Page 1: BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out of Adobe Reader's Sandbox](https://reader037.vdocuments.net/reader037/viewer/2022102621/5595f1ee1a28ab760e8b475a/html5/thumbnails/1.jpg)
BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX
Who we are

• Research and Analysis: Zhenhua (Eric) Liu, Vulnerability [email protected]
• Contributor and Editor: Guillaume Lovet, Sr Manager of Fortinet's EMEA Threat Research and Response, [email protected]
A huge number of vulnerabilities have been found

Adobe's vulnerability history in CVE: http://www.cvedetails.com/vendor/53/Adobe.html
A huge number of vulnerabilities have been found

Big fan of you, Mr. Ormandy
How many of them can compromise Adobe Reader X?
Since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X.
All because of Protected Mode (Sandbox)
Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.
How hard is it, actually?

http://blogs.adobe.com/asset/files/2010/11/Win7-Sandbox-Exploit-Steps.png
Agenda

• Introduction to Adobe Reader X Protected Mode
• The sandbox implementation
• Fuzzing the Broker APIs
• Bypassing the challenge
• Demo
• Conclusions and future work
Documentation

• The most complete and authoritative documentation one can find about Adobe Reader Protected Mode is the series of blog posts written by Kyle Randolph from ASSET.
Sandbox internals, from ASSET's blog
http://blogs.adobe.com/asset/files/2010/10/Sandbox-Diagrams3.png
Blood and Sand: At the heart of Adobe Reader's sandbox
http://blogs.adobe.com/asset/files/2010/11/Sandbox-and-Broker-Process-IPC.png
Possible Avenues to Achieve an Attack

• Attacks from kernel land
• Attacks from user land:
  -- Broker API attack surface
  -- Policy engine
  -- IPC framework
  -- Named object squatting attacks
  -- Plug-ins that are not sandboxed
  -- And more… which will be discovered by you.
Attacks From Kernel Land
Can we subvert the token pointer?
Motivations and Questions

"An example is the dialog that confirms if the user really wants to disable Protected Mode"

Hello from our old friend. We start from `hello`, out of respect.
Audit Target

• 1: Are there logic flaws, or weaknesses, that could be leveraged to circumvent restrictions?
• 2: Are there memory corruption vulnerabilities?
The strategy for reversing 1

• Find "thread_provider_->RegisterWait".
• Find the function "ThreadPingEventReady" and its important parameter "service_context".
• Follow the IPC message dispatch mechanism from ThreadPingEventReady, and from there find the entire set of IPC handler functions.

These names come from the open-source Chromium sandbox code that Protected Mode builds on, so the public sources serve as a map of the broker's dispatch loop when reading the stripped binary.
Important data structures

RegisterWaitForSingleObject(&pool_object, waitable_object, callback, context, INFINITE, WT_EXECUTEDEFAULT)

Here callback is ThreadPingEventReady and context is the service_context it receives, so this call is the anchor for locating both.
Important data structures

service_context (offsets in the 32-bit AcroRd32.exe, each field 4 bytes wide):
• +00h ping handle
• +04h pong handle
• +08h channel_size
• +0Ch channel_buffer
• +10h shared_base
• +14h channel
• +18h dispatcher
• +1Ch target_info
The result
The strategy for reversing 2

• Find the "HOOK" function first, then enumerate the entire broker IPC with IDA Pro's "xrefs" function. (for the client API)
• Look for characteristic strings like "AcroWinMainSandbox". (for the client API)
• Search for pattern strings in the .data section of the file "AcroRd32.exe". (for the handler API)
You are so beautiful

Following `AcroWinMainSandbox`, we find the Adobe Service API list (client side).
Broker API tag 0x3E is to disable Protected Mode. The handler first asks the user to confirm, and only on "Yes" (IDYES == 6) does it create the Privileged key:

if ( MessageBoxW(hWnd, "..", "..", 0x34) == 6 ) {   // 0x34 = MB_YESNO | MB_ICONWARNING
    hKey = 0;
    ret = RegCreateKeyW(HKEY_CURRENT_USER, L"Software\\Adobe\\Acrobat Reader\\10.0\\Privileged", &hKey);
    ...
Practice for fun

Tag field 0x3E means "disable Protected Mode".
Practice for fun

A confirmation dialog pops up.
Another practice for fun

Tag field 0x43 means "open an http link using the default browser", under High Integrity.

http://10.10.1.127/1.exe
Another practice for fun

1.exe is a POC file which performs operations in the file system.
Another practice for fun

And another confirmation dialog pops up.
Fuzz Broker APIs

• The needs
• The existing idea that meets the needs
The existing idea that meets the needs

• In particular, the "in-memory fuzzing" concept introduced by Michael Sutton in the well-known book "Fuzzing: Brute Force Vulnerability Discovery" fits our requirements.
Why we focused on Broker Service APIs

• We assume the APIs inherited from Google's Chrome have already been researched a lot by many researchers.
• Adobe keeps adding Broker Service APIs of its own.
Why we focused on Broker Service APIs

63 Broker Service Dispatchers were found in AcroRd32.exe 10.0.1.434
72 Broker Service Dispatchers were found in AcroRd32.exe 10.1.1.33
In-Memory Fuzzer POC: How it works

Step 1: Take a snapshot of the sandboxed process before sending the IPC message
Step 2: Stuff fuzzing data into the IPC message
Step 3: Send the IPC message
Step 4: Wait for the broker process to handle the IPC message
Step 5: Restore the snapshot of the sandboxed process
Repeat steps 2 to 5 until the fuzz data is exhausted.
Prepare the "smarter" fuzz data

Example: strings in policy rules.
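The five-step loop and the "smarter fuzz data" idea above, as an added example that is not the authors' fuzzer and not code from the deck: a C model of the in-memory loop (snapshot, stuff, send, wait, restore) driven against a constructed stand-in for the broker's IPC channel. The message layout (tag, parameter count, offset/length table, data area), the mock dispatcher and its bounds checks, and the mutation strategies are assumptions made for illustration; the tag values 0x3E and 0x43, the policy-rule strings and the example URL are the ones quoted on the slides. In the real harness steps 3 and 4 are an IPC send and a wait on the pong event; here the dispatcher is called directly and outcomes are counted instead of watching for a crash.

```c
/* Added example: in-memory fuzz loop over a constructed IPC channel.
 * Not Reader's message format or the authors' tool. Build: cc -std=c99 -Wall fuzzloop.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHANNEL_SIZE 256
#define MAX_PARAMS   4

enum { TAG_DISABLE_PM = 0x3E, TAG_OPEN_LINK = 0x43 };   /* tags quoted on the slides */

/* Constructed channel layout (assumption): header, parameter table pointing
 * into the data area of the same buffer, then the data area itself. */
struct ipc_msg {
    uint32_t tag;
    uint32_t param_count;
    uint32_t param_off[MAX_PARAMS];
    uint32_t param_len[MAX_PARAMS];
    uint8_t  data[CHANNEL_SIZE - 8 - 8 * MAX_PARAMS];
};

enum verdict { V_HANDLED, V_BAD_TAG, V_BAD_PARAM };

/* Mock broker dispatcher: the checks a broker must do before touching
 * caller-controlled offsets and lengths (64-bit sum, so no 32-bit wrap). */
static enum verdict broker_dispatch(const struct ipc_msg *m)
{
    if (m->tag != TAG_DISABLE_PM && m->tag != TAG_OPEN_LINK)
        return V_BAD_TAG;
    if (m->param_count > MAX_PARAMS)
        return V_BAD_PARAM;
    for (uint32_t i = 0; i < m->param_count; i++) {
        uint64_t end = (uint64_t)m->param_off[i] + m->param_len[i];
        if (m->param_len[i] == 0 || end > sizeof m->data)
            return V_BAD_PARAM;
        if (m->data[end - 1] != '\0')            /* string params must be terminated */
            return V_BAD_PARAM;
    }
    return V_HANDLED;
}

/* "Smarter" fuzz data: strings lifted from the policy rules, plus edits a
 * string-comparing policy engine may treat differently from the OS. */
static const char *const kSmartStrings[] = {
    "Software\\Adobe\\Acrobat Reader\\10.0\\Privileged",
    "Software\\Adobe\\Acrobat Reader\\10.0\\\\Privileged",
    "Software\\Adobe\\Acrobat Reader\\10.0\\Privileged\\..\\Privileged",
    "Software\\Adobe\\Acrobat Reader\\10.0\\privileged",
    "Software\\Adobe\\Acrobat Reader\\10.0\\Privileged\\bProtectedMode",
};
#define N_SMART (sizeof kSmartStrings / sizeof kSmartStrings[0])

struct fuzz_stats { unsigned sent, handled, bad_tag, bad_param, restore_errors; };

/* Step 2: one mutation per iteration, selected by iteration number. */
static void mutate(struct ipc_msg *m, unsigned it)
{
    switch (it % 4) {
    case 0: {                                    /* swap in a smart string */
        const char *s = kSmartStrings[(it / 4) % N_SMART];
        size_t n = strlen(s) + 1;
        if (n > sizeof m->data) n = sizeof m->data;
        memcpy(m->data, s, n);
        m->param_off[0] = 0;
        m->param_len[0] = (uint32_t)n;
        break;
    }
    case 1:  m->param_len[0] = 1u << (it % 32);          break; /* oversized length */
    case 2:  m->param_off[0] = 0xFFFFFFF0u + (it % 16);  break; /* offset near wrap */
    default: m->tag = it;                                break; /* unknown tag */
    }
}

/* Steps 1-5: snapshot, stuff, send, wait (synchronous here), restore.
 * After each restore the seed is re-sent to verify the restore worked. */
static struct fuzz_stats fuzz_loop(struct ipc_msg *channel, unsigned iterations)
{
    struct fuzz_stats st = {0};
    struct ipc_msg snapshot;
    memcpy(&snapshot, channel, sizeof snapshot);              /* step 1 */
    for (unsigned it = 0; it < iterations; it++) {
        mutate(channel, it);                                  /* step 2 */
        switch (broker_dispatch(channel)) {                   /* steps 3 + 4 */
        case V_HANDLED:   st.handled++;   break;
        case V_BAD_TAG:   st.bad_tag++;   break;
        case V_BAD_PARAM: st.bad_param++; break;
        }
        st.sent++;
        memcpy(channel, &snapshot, sizeof snapshot);          /* step 5 */
        if (broker_dispatch(channel) != V_HANDLED)
            st.restore_errors++;
    }
    return st;
}

/* Seed: a well-formed tag 0x43 "open link" message with one string parameter. */
static void make_seed(struct ipc_msg *m)
{
    static const char url[] = "http://10.10.1.127/1.exe";     /* link from the slides */
    memset(m, 0, sizeof *m);
    m->tag = TAG_OPEN_LINK;
    m->param_count = 1;
    m->param_off[0] = 0;
    m->param_len[0] = sizeof url;
    memcpy(m->data, url, sizeof url);
}

static struct fuzz_stats run_seed_campaign(unsigned iterations)
{
    struct ipc_msg ch;
    make_seed(&ch);
    return fuzz_loop(&ch, iterations);
}

int main(void)
{
    struct fuzz_stats st = run_seed_campaign(200);
    printf("sent=%u handled=%u bad_tag=%u bad_param=%u restore_errors=%u\n",
           st.sent, st.handled, st.bad_tag, st.bad_param, st.restore_errors);
    return 0;
}
```

The point to carry over to a real target is the separation of concerns: the snapshot is taken once, every mutation is applied to the live channel, and the restore is verified by re-sending the seed, so a mutation that silently corrupts shared state does not poison later iterations. The smart strings are the ones a policy engine is supposed to deny; a "handled" verdict for one of them is the finding to look for.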
Pop, pop and pop XD

Which means the corresponding Broker APIs have been reached.
The Vulnerability CVE-2011-1353

• It was patched by Adobe in September 2011 as a result of our responsible disclosure.
• The world is small: Mark Yason and Paul Sabanal of IBM X-Force also found this vulnerability.
See the Problem?

• AddRule( SUBSYS_REGISTRY, REG_DENY, "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged");
• AddRule( SUBSYS_REGISTRY, REG_ALLOW_ANY, "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0");
Magic String

• HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\\Privileged\bProtectedMode

Note the doubled backslash before Privileged: the policy engine compares strings, so this path does not match the REG_DENY rule for 10.0\Privileged but does match the REG_ALLOW_ANY rule for 10.0, while the operating system still resolves it to the Privileged key.
CVE-2011-1353

The request flows from the Sandbox Process through the Broker Process and its Policy Engine to the OS:

1. Sandbox process -> Broker process: CreateRegKey request
2. Broker process -> Policy engine: Good boy?
3. Policy engine (false positive): Good boy
4. Broker process -> OS: What can I do for you?
5. OS -> Broker process -> Sandbox process: return duplicated handle
The patch and a little bit more

A new function, "CanonPathName", was added to strip off the extra backslash. The loop at its core, as decompiled:

do {
    Cp++;
} while ( *Cp != '\\' );
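The policy flaw and the patch, as an added example that is neither Adobe's nor Chromium's code: a miniature registry policy engine in C with the two rules quoted on the "See the Problem?" slide, an "OS" side that resolves the doubled backslash, and the broker's CreateRegKey handler before and after a CanonPathName-style canonicalisation. The rule semantics (in-order evaluation, first matching prefix wins, default deny), the buffer sizes and all function names other than CanonPathName are constructed assumptions for illustration.

```c
/* Added example: policy check on the raw request string versus on its
 * canonical form. Not Adobe's or Chromium's code. Build: cc -std=c99 -Wall policy.c */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum action { REG_DENY, REG_ALLOW_ANY };
struct rule { enum action act; const char *pattern; };

/* The two rules quoted on the slide, in the order they were added. */
static const struct rule kRules[] = {
    { REG_DENY,      "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0\\Privileged" },
    { REG_ALLOW_ANY, "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0" },
};

/* Assumed rule semantics: first rule whose pattern is a prefix of the key wins. */
static enum action evaluate_policy(const char *key)
{
    for (size_t i = 0; i < sizeof kRules / sizeof kRules[0]; i++) {
        size_t n = strlen(kRules[i].pattern);
        if (strncmp(key, kRules[i].pattern, n) == 0)
            return kRules[i].act;
    }
    return REG_DENY;                                   /* default deny */
}

/* Collapse runs of backslashes: the job the slide attributes to CanonPathName.
 * Returns false if the result would not fit in out. */
static bool canon_path_name(const char *in, char *out, size_t outsz)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '\\' && j > 0 && out[j - 1] == '\\')
            continue;                                  /* drop the repeated separator */
        if (j + 1 >= outsz)
            return false;
        out[j++] = in[i];
    }
    out[j] = '\0';
    return true;
}

/* The broker's CreateRegKey handler. The OS is modelled as opening the
 * canonical path; the unpatched broker checks the raw string instead, so the
 * policy engine and the OS disagree about which key is being requested.
 * Returns true if a handle for `opened` would be duplicated back to the sandbox. */
static bool broker_create_key(const char *request, bool patched,
                              char *opened, size_t opened_sz)
{
    char canon[512];
    if (!canon_path_name(request, canon, sizeof canon))
        return false;
    const char *checked = patched ? canon : request;  /* the fix: check the canonical form */
    if (evaluate_policy(checked) == REG_DENY)
        return false;
    if (strlen(canon) + 1 > opened_sz)
        return false;
    strcpy(opened, canon);                             /* what the OS actually opens */
    return true;
}

#define PRIV \
    "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0\\Privileged\\bProtectedMode"
#define PRIV_DOUBLED \
    "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0\\\\Privileged\\bProtectedMode"

int main(void)
{
    const char *reqs[] = { PRIV, PRIV_DOUBLED };
    char opened[512];
    for (int p = 0; p < 2; p++)
        for (int r = 0; r < 2; r++) {
            bool ok = broker_create_key(reqs[r], p == 1, opened, sizeof opened);
            printf("%s broker: %s -> %s\n", p ? "patched  " : "unpatched",
                   ok ? "ALLOWED" : "DENIED ", ok ? opened : reqs[r]);
        }
    return 0;
}
```

Run as is, the unpatched handler denies the plain Privileged path but allows the doubled-backslash variant and opens the very key the deny rule names; the patched handler denies both. The general lesson for any broker or policy engine is the same: canonicalise the request into the form the kernel will actually resolve, then apply policy to that form, never to the caller's spelling of it.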
Demo
Conclusions and Future Work
The Road To The Horizon

1. APSAs like CVE-2011-3232 in the demo.
2. Heap spray, ROP, heap feng shui, JIT, Haifei Li's Flash ActionScript exploit…
3. CVE-2011-1353
4. Free!