Abusing Adobe Readers JavaScript APIs
Abusing Adobe Readers JavaScript APIs
Brian Gorenc, Manager, Vulnerability ResearchAbdulAziz Hariri,
Security Researcher
1
AgendaIntroductionUnderstanding the Attack SurfaceVulnerability
DiscoveryConstructing the Exploit
2
Introduction
3
Introduction4HP Zero Day InitiativeAbdulAziz Hariri -
@abdhaririSecurity Researcher at the Zero Day InitiativeRoot cause
analysis, vulnerability discovery, and exploit development
Brian Gorenc - @maliciousinputHead of Zero Day
InitiativeOrganizer of Pwn2Own Hacking Competitions
Internal research starting in December 2014Bug HuntersPatched
VulnerabilitiesCVE-2015-5085, CVE-2015-5086, CVE-2015-5090,
CVE-2015-5091, CVE-2015-4438, CVE-2015-4447, CVE-2015-4452,
CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101,
CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113,
CVE-2015-5114, CVE-2015-5115, CVE-2015-5100, CVE-2015-5111,
CVE-2015-4435, CVE-2015-4441, CVE-2015-4445, CVE-2015-3053,
CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065,
CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071,
CVE-2015-3072, CVE-2015-3073, CVE-2015-3054, CVE-2015-3056,
CVE-2015-3061, CVE-2015-3063, CVE-2015-3064, CVE-2015-3069,
CVE-2015-3060, CVE-2015-3062Unpatched VulnerabilitiesZDI-CAN-3058,
ZDI-CAN-3059, ZDI-CAN-3060, ZDI-CAN-3061, ZDI-CAN-3062,
ZDI-CAN-3063, ZDI-CAN-3065, ZDI-CAN-3066, ZDI-CAN-3067,
ZDI-CAN-3079, ZDI-CAN-3081, ZDI-CAN-3083, ZDI-CAN-3085,
ZDI-CAN-3086, ZDI-CAN-3087, ZDI-CAN-3088, ZDI-CAN-3089,
ZDI-CAN-3090, ZDI-CAN-3091, ZDI-CAN-3068, ZDI-CAN-3069,
ZDI-CAN-3070, ZDI-CAN-3073, ZDI-CAN-3074, ZDI-CAN-3080,
ZDI-CAN-3082, ZDI-CAN-3084, ZDI-CAN-3103, ZDI-CAN-3111,
ZDI-CAN-3051, ZDI-CAN-3050, ZDI-CAN-3049, ZDI-CAN-3048,
ZDI-CAN-3047, ZDI-CAN-3046, ZDI-CAN-3043, ZDI-CAN-3036,
ZDI-CAN-3022, ZDI-CAN-3021, ZDI-CAN-2019, ZDI-CAN-3018,
ZDI-CAN-3017, ZDI-CAN-3016, ZDI-CAN-3015, ZDI-CAN-2998,
ZDI-CAN-2997, ZDI-CAN-2958, ZDI-CAN-2816, ZDI-CAN-2892,
ZDI-CAN-2893more to come.
5
5
Understanding the Attack Surface
6
Understanding Attack Surface7Prior research and resourcesThe
life of an Adobe Reader JavaScript bug (CVE-2014-0521) - Gbor
MolnrFirst to highlight the JS API bypass issueThe bug was patched
in APSB14-15 and was assigned CVE-2014-0521According to Adobe, this
could lead to information
disclosurehttps://molnarg.github.io/cve-2014-0521/#/Why Bother
Assessing Popular Software? MWR LabsHighlights various attack
vectors on Adobe
readerhttps://labs.mwrinfosecurity.com/system/assets/979/original/Why_bother_assessing_popular_software.pdf
7
Understanding Attack Surface8ZDI Research StatsPrimary Adobe
research started internally in December 2014We were not getting
many cases in Reader/AcrobatMain goal was to kill as much bugs as
possibleInternal discoveries varied in bug typeJavaScript API
Restriction BypassesMemory LeaksUse-After-FreesElevation of
Privilegesetc.
8
Understanding Attack Surface9Insights Into Readers JavaScript
APIsAdobe Acrobat/Reader exposes a rich JS APIJavaScript API
documentation is available on the Adobe websiteA lot can be done
through the JavaScript API (Forms, Annotations, Collaboration
etc..)Mitigations exist for the JavaScript APIsSome APIs defined in
the documentation are only available in Acrobat Pro/Acrobat
standardBasically JavaScript APIs are executed in two
contexts:Privileged ContextNon-Privileged Context
9
Understanding Attack Surface10Insights Into Readers JavaScript
APIs
Privileged vs Non-Privileged contexts are defined in the JS API
documentation:
A lot of APIs are privileged and cannot be executed from
non-privileged contexts:
10
Understanding Attack Surface11Insights Into Readers JavaScript
APIs
Privileged APIs warning example from a non-privileged
context:
Trusted Functions12Executing privileged methods in a
non-privileged context
12
Understanding Attack Surface13Folder-Level ScriptsScripts stored
in the JavaScript folder inside the Acrobat/Reader folderUsed to
implement functions for automation purposesContains Trusted
functions that execute privileged APIsBy default Acrobat/Reader
ships with JSByteCodeWin.binJSByteCodeWin.bin is loaded when
Acrobat/Reader starts upIts loaded inside Root, and exposed to the
Doc when a document is open
13
Understanding Attack Surface14Decompiling JSByteCodeWin.bin is
compiled into SpiderMoney 1.8 XDR bytecode JSByteCodeWin.bin
contains interesting Trusted functionsMolnarg was kind enough to
publish a decompiler for
SpiderMonkeyhttps://github.com/molnarg/dead0007Usage: ./dead0007
JSByteCodeWin.bin > output.jsOutput needs to be
prettified~27,000 lines of Javascript
Vulnerability Discovery
15
Vulnerability Discovery16JavaScript Implicit Method Calls
16
Vulnerability Discovery17JavaScript Method/Property
Overloading__defineGetter__ and __defineSetter__
17
Vulnerability Discovery18JavaScript Method/Property
Overloading__proto__
18
Vulnerability Discovery19Code Auditing for Overloading
OpportunitiesSearch for eval
19
Vulnerability Discovery20Code Auditing for Overloading
OpportunitiesSearch for app.beginPriv(
20
Vulnerability Discovery21Achieving System-Level eval()Overload
property access with a custom function
21
Vulnerability Discovery22Executing Privileged APIsReplace a
property with a privileged function
22
Vulnerability Discovery23Vulnerability ChainingSet up the
system-level eval such that it executes the bulk of the
payloadCreate the replacement attribute such that it now calls a
privileged APITrigger the call
23
Vulnerability Discovery24Proof of Concept CVE-2015-3073
24
Normal Behavior25
Privilege Escalation Exploit26
Vulnerability Discovery27Adobe Reader 11.0.10 Before Patch
27
Vulnerability Discovery28Adobe Reader DC After Patch
28
Vulnerability Discovery29RecapTo achieve a JavaScript bypass we
need toAchieve execution within the system contextEscalate
privileges by overriding an object methodMust be in a privileged
block within a trusted function
29
Constructing the Exploit
30
Constructing the exploit31OverviewResearch triggered from
https://helpx.adobe.com/security/products/reader/apsb14-15.html:
Challenge: Gain Remote Code Execution through the bypass issueWe
might be able to do that through the JS APIs that we know about
31
Constructing the exploit32Because documentation sucks..We needed
to find a way to dump a file on diskThe file can be of any type
(try to avoid restrictions)Lets have a look at the Collab
objectthrough the JS API from Adobe:
32
Constructing the exploit33If you want to keep a secret, you must
also hide it from yourself. G. Orwell From all the 128 undocumented
methods, the Collab.uri* family is specifically interesting:
33
Constructing the exploit34The more you leave out, the more you
highlight what you leave in. - H. GreenToo good to be true, so I
consulted uncle Google before digging more:
34
Constructing the exploit35Show me what you got...Quick overview
of the interesting methods:
35
Constructing the exploit36Overview of the Collab.uri* APIs:The
APIs are used for
CollaborationuriDeleteFolder/uriDeleteFile/uriPutData/uriCreateFolder
are privileged APIsuriEnumerateFiles is NOT privilegedThe
Collab.uri* methods take a URI path as an argument (at least)The
path expected should be a UNC pathThe UNC path should start with
smb:// or file://
The APIs fail to:Sanitize the UNC path (smb://localhost/C$/XXX
works)Check the filetype of the filename to be written on disk (in
the case of uriPutData)Check the content of oData object to be
dumped (in the case of uriPutData)
36
Constructing the exploit37What we have so far:We can dump files
on disk using the Collab.uriPutData() methodThe file contents that
we want to dump should be passed as an oData objectStream objects
do work!
37
Constructing the exploit38We can attach files in PDF documents
and extract the contentsWe should chain the uriPutData call with
one of the bypasses that we discussed earlier
Then what ? How can we get RCE? Actually there are two obvious
ways...
38
Constructing the exploit39Gaining RCEFirst waya la Chaouki:
Basically write a file to the startup and wait for a
logoff/logon
Second way is writing a DLL that would be loaded by Adobe
Acrobat
39
Vulnerable Versions40ProductWindowsMacOSXAdobe ReaderVulnerable
Limited (Sandbox)VulnerableAdobe Reader DCVulnerable Limited
(Sandbox)VulnerableAdobe Acrobat ProVulnerableVulnerableAdobe
Acrobat Pro DCVulnerableVulnerable
Constructing the exploit41Putting it all together (Adobe Acrobat
Pro)Attach our payload to the PDFCreate a JS that would execute
when the document is openJS is composed of:Extraction of the
attachmentBypass JS privilegesExecute Collab.uriPutData to output
our payload (startup/dll)
Extract AttachmentBypass JS PrivilegesCall uriPutData with the
extracted attachmentRCE
41
Windows Exploit Demo42
Reader for MacOSX DEMO43
Conclusion
44
Recap45Abusing Adobe Readers JavaScript APIsGoalLeverage
JavaScript APIs to gain remote code execution on Adobe
Reader/AcrobatNo memory corruptionPlan of AttackObtain an arbitrary
eval() by JavaScript property overloading and redefinition Chain
eval() with privilege escalation through
app.trustedFunctionLeverage undocumented APIs to execute malicious
codeProfit?
45
Thank you
