ESET discovered two 0-day vulnerabilities in Adobe Reader and Microsoft Windows

    At the end of March 2018, ESET researchers discovered an unusual malicious PDF file. On closer inspection, it turned out that the sample exploits two previously unknown vulnerabilities: a remote code execution (RCE) vulnerability in Adobe Reader and a local privilege escalation (LPE) vulnerability in Microsoft Windows.


    Chaining two 0-days is particularly dangerous because it lets attackers execute arbitrary code on the target system with the highest privileges and with minimal user interaction. APT groups often use such combinations of tools; one example is the Sednit campaign from last year.

    Having discovered the malicious PDF, ESET researchers contacted the Microsoft Security Response Center, the Windows Defender ATP research team and the Adobe Product Security Incident Response Team so that the vulnerabilities could be fixed.

    Patches and recommendations from Adobe and Microsoft are available at the following links:

    APSB18-09 (Adobe)
    CVE-2018-8120 (Microsoft)

    The following products are affected:

    • Acrobat DC (2018.011.20038 and earlier versions)
    • Acrobat Reader DC (2018.011.20038 and earlier versions)
    • Acrobat 2017 (011.30079 and earlier versions)
    • Acrobat Reader DC 2017 (2017.011.30079 and earlier versions)
    • Acrobat DC (Classic 2015) (2015.006.30417 and earlier versions)
    • Acrobat Reader DC (Classic 2015) (2015.006.30417 and earlier)
    • Windows 7 for 32-bit Systems Service Pack 1
    • Windows 7 for x64-based Systems Service Pack 1
    • Windows Server 2008 for 32-bit Systems Service Pack 2
    • Windows Server 2008 for Itanium-Based Systems Service Pack 2
    • Windows Server 2008 for x64-based Systems Service Pack 2
    • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
    • Windows Server 2008 R2 for x64-based Systems Service Pack 1

    The following is a technical description of the malicious sample and the vulnerabilities.

    Introduction


    PDF files are a common vehicle for delivering malware to a target computer. To execute malicious code, attackers have to find and exploit vulnerabilities in the software used to view PDFs, and Adobe Reader is one of the most widely used such programs.

    Adobe Reader implements sandboxing, known as Protected Mode; a detailed description is published on the Adobe blog (part 1, part 2, part 3, part 4). The sandbox makes an attack considerably harder: even if malicious code executes inside Reader, the attacker still has to escape the sandbox in order to compromise the computer running it. As a rule, vulnerabilities in the operating system itself are used for that escape.

    This is a rare case in which attackers managed to find vulnerabilities and write working exploits for both Adobe Reader and the operating system.

    CVE-2018-4990 - RCE Vulnerability in Adobe Reader


    The malicious PDF contains embedded JavaScript code that drives the exploitation process. The code runs as soon as the PDF file is opened.

    At the start of exploitation, the JavaScript code manipulates the Button1 object. This object contains a specially crafted JPEG2000 image that triggers a double-free vulnerability in Adobe Reader.


    Figure 1. JavaScript manipulating the Button object.

    The JavaScript then uses heap spraying to corrupt internal data structures. Through these manipulations the attackers achieve their main goal: read and write access to arbitrary memory.


    Figure 2. JavaScript code used to read and write memory.

    Using these two primitives, the attackers locate the memory address of the EScript.api plugin, which is Adobe's JavaScript engine. With ROP gadgets taken from this module, the malicious JavaScript builds a ROP chain that leads to the execution of native shellcode.


    Figure 3. Malicious JavaScript setting up the ROP chain.

    As the final step, the shellcode loads the PE file embedded in the PDF and transfers execution to it.
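    The ingredients described above (document-level JavaScript, an action that fires on open, a JPEG2000 image stream and an embedded PE) are also what a first-pass triage of a suspicious PDF looks for. The following C program is an added example, not part of ESET's analysis, that performs that triage on a byte buffer. It decodes PDF name escapes (/J#61vaScript becomes /JavaScript) before matching, because that is a common way to hide /JavaScript from naive string scanners. The sample PDF bytes are constructed for this example, and the struct and function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Indicator counts for one document (struct and field names are this example's own). */
struct pdf_indicators {
    int javascript;   /* /JavaScript or /JS keys: script that runs inside Reader */
    int open_action;  /* /OpenAction: something is triggered when the file opens */
    int jpx_streams;  /* /JPXDecode filters: JPEG2000 images, the trigger here   */
    int embedded_pe;  /* DOS stub text of an executable stored in the document  */
};

/* PDF delimiter characters end a name token (PDF 32000-1:2008, 7.2.2). */
static int is_delim(int c) {
    return c == 0 || isspace(c) || strchr("()<>[]{}/%", c) != NULL;
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode #xx escapes inside name tokens (/J#61vaScript -> /JavaScript). Bytes outside
   names are copied through unchanged. out needs len + 1 bytes; returns decoded length. */
size_t decode_pdf_names(const unsigned char *in, size_t len, unsigned char *out) {
    size_t i = 0, o = 0;
    int in_name = 0;
    while (i < len) {
        unsigned char c = in[i];
        if (in_name && c == '#' && i + 2 < len) {
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi >= 0 && lo >= 0) { out[o++] = (unsigned char)(hi * 16 + lo); i += 3; continue; }
        }
        if (c == '/') in_name = 1;
        else if (in_name && is_delim(c)) in_name = 0;
        out[o++] = c;
        i++;
    }
    out[o] = 0;
    return o;
}

/* Count whole-name occurrences: the name must be followed by a delimiter or the end. */
static int count_name(const unsigned char *buf, size_t len, const char *name) {
    size_t n = strlen(name);
    int hits = 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, name, n) == 0 && (i + n == len || is_delim(buf[i + n])))
            hits++;
    return hits;
}

/* Count raw byte-string occurrences (binary-safe, unlike strstr). */
static int count_bytes(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    int hits = 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) hits++;
    return hits;
}

/* Fill *out and return how many indicator categories fired (-1 on allocation failure). */
int scan_pdf(const unsigned char *buf, size_t len, struct pdf_indicators *out) {
    unsigned char *dec = malloc(len + 1);
    if (!dec) return -1;
    size_t dlen = decode_pdf_names(buf, len, dec);
    memset(out, 0, sizeof *out);
    out->javascript  = count_name(dec, dlen, "/JavaScript") + count_name(dec, dlen, "/JS");
    out->open_action = count_name(dec, dlen, "/OpenAction");
    out->jpx_streams = count_name(dec, dlen, "/JPXDecode");
    out->embedded_pe = count_bytes(buf, len, "This program cannot be run in DOS mode");
    free(dec);
    return (out->javascript > 0) + (out->open_action > 0) +
           (out->jpx_streams > 0) + (out->embedded_pe > 0);
}

/* Constructed sample: a tiny PDF with an escaped /JavaScript name, a JPXDecode image
   stream and a fake PE stub. Not a real exploit document. */
static const char SAMPLE_PDF[] =
    "%PDF-1.7\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    "4 0 obj << /S /J#61vaScript /JS (this.getField('Button1')) >> endobj\n"
    "5 0 obj << /Type /XObject /Subtype /Image /Filter /JPXDecode /Length 4 >> stream\n"
    "\x00\x00\x00\x0c" "\nendstream endobj\n"
    "6 0 obj << /Length 80 >> stream\n"
    "MZ\x90\x00\x03\x00\x00\x00 This program cannot be run in DOS mode.\nendstream endobj\n"
    "%%EOF\n";

int main(void) {
    struct pdf_indicators ind;
    int hits = scan_pdf((const unsigned char *)SAMPLE_PDF, sizeof SAMPLE_PDF - 1, &ind);
    printf("javascript=%d open_action=%d jpx=%d embedded_pe=%d categories=%d\n",
           ind.javascript, ind.open_action, ind.jpx_streams, ind.embedded_pe, hits);
    return 0;
}
```

    This is deliberately a raw scan: real samples usually keep the JavaScript and the image inside FlateDecode streams, so a production triage tool has to inflate every stream (and follow object streams) before running the same matching. The PE-stub check is likewise only a hint, since a dropper can store its payload XOR-encoded and decode it in the shellcode.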

    CVE-2018-8120 - privilege escalation in Microsoft Windows


    After exploiting the Adobe Reader vulnerability, the attacker still needs to escape the sandbox. That is the job of the second exploit.

    This previously unknown vulnerability lies in the NtUserSetImeInfoEx function of the win32k Windows kernel component. Specifically, the SetImeInfoEx routine called by NtUserSetImeInfoEx does not validate a data pointer, which allows a NULL pointer dereference.


    Figure 4. Disassembled SetImeInfoEx function.

    As Figure 4 shows, SetImeInfoEx expects a pointer to an initialized WINDOWSTATION object as its first argument. Its spklList member may be NULL if the attacker creates a new window station object from user mode and assigns it to the current process. Thus, by mapping the NULL page and placing a pointer at offset 0x2C, the attackers can turn the vulnerability into a write to an arbitrary address in kernel space. It is worth noting that, starting with Windows 8, a user-mode process is not allowed to map the NULL page.
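    To make that mechanism concrete, here is an added example (not ESET's code and not the real win32k source) that models SetImeInfoEx in a simulated 32-bit address space: a window station with a NULL spklList, a fake keyboard-layout node laid out on the mapped NULL page with its IMEINFOEX pointer at offset 0x2C, and the copy that turns the dereference into a write to an attacker-chosen kernel address. The structure layouts and the names set_ime_info_ex_vulnerable, set_ime_info_ex_hardened and run_attack are this example's own assumptions; only the 0x2C offset comes from the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flat model of a 32-bit address space. Address 0 is the NULL page, which a Windows 7
   process may map; the region from 0x10000 up stands in for kernel memory. */
#define MEM_SIZE 0x20000u
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* Field offsets used by this model. They are illustrative, not the real win32k layouts,
   except that the IMEINFOEX pointer is placed at KL+0x2C, the offset the text names. */
enum {
    WS_SPKLLIST = 0x00,  /* WINDOWSTATION.spklList: head of the circular keyboard-layout list */
    KL_NEXT     = 0x00,  /* KL.pklNext                                                       */
    KL_HKL      = 0x04,  /* KL.hkl                                                           */
    KL_PIIEX    = 0x2C,  /* KL.piiex: destination buffer of the IMEINFOEX copy               */
    IIEX_HKL    = 0x00,  /* IMEINFOEX.hkl: the layout the caller wants to update             */
    IIEX_SIZE   = 0x40   /* model size of IMEINFOEX                                          */
};
enum { WINSTA_ADDR = 0x10000u, REAL_KL_ADDR = 0x10100u,
       REAL_IIEX_ADDR = 0x10200u, TOKEN_ADDR = 0x11000u };

typedef int (*set_ime_fn)(uint32_t pwinsta, const uint8_t *piiex);

/* Model of the vulnerable routine: walk pwinsta->spklList for the caller's hKL and copy the
   caller-supplied IMEINFOEX over that layout's piiex buffer. spklList is never validated,
   so a NULL head makes the walk read the attacker-controlled NULL page. */
int set_ime_info_ex_vulnerable(uint32_t pwinsta, const uint8_t *piiex)
{
    uint32_t head = rd32(pwinsta + WS_SPKLLIST), pkl = head, hkl;
    memcpy(&hkl, piiex + IIEX_HKL, 4);
    do {
        if (rd32(pkl + KL_HKL) == hkl) {
            uint32_t dst = rd32(pkl + KL_PIIEX);
            if (dst == 0) return 0;
            memcpy(mem + dst, piiex, IIEX_SIZE);  /* writes wherever pkl->piiex points */
            return 1;
        }
        pkl = rd32(pkl + KL_NEXT);
    } while (pkl != head);
    return 0;
}

/* Hardened model: refuse to walk an empty (NULL) layout list. */
int set_ime_info_ex_hardened(uint32_t pwinsta, const uint8_t *piiex)
{
    if (rd32(pwinsta + WS_SPKLLIST) == 0) return 0;
    return set_ime_info_ex_vulnerable(pwinsta, piiex);
}

/* The user-mode side of the attack in this model: a fresh window station whose spklList
   is NULL, plus a fake KL on the mapped NULL page whose piiex (offset 0x2C) points at the
   kernel address to overwrite. */
static void attacker_prepare(uint32_t target, uint32_t hkl, uint8_t piiex[IIEX_SIZE])
{
    wr32(WINSTA_ADDR + WS_SPKLLIST, 0);   /* new window station: no layouts yet       */
    wr32(0 + KL_NEXT, 0);                 /* fake KL at address 0 links to itself      */
    wr32(0 + KL_HKL, hkl);                /* matches the hKL we pass to the syscall    */
    wr32(0 + KL_PIIEX, target);           /* the kernel will copy our buffer here      */
    memset(piiex, 0x41, IIEX_SIZE);       /* attacker-chosen contents of the write     */
    memcpy(piiex + IIEX_HKL, &hkl, 4);
}

/* Run the attack against fn; returns 1 if the sentinel at TOKEN_ADDR was overwritten. */
int run_attack(set_ime_fn fn)
{
    uint8_t piiex[IIEX_SIZE];
    memset(mem, 0, sizeof mem);
    wr32(TOKEN_ADDR, 0xC0DECAFEu);        /* stand-in for a sensitive kernel value */
    attacker_prepare(TOKEN_ADDR, 0x04090409u, piiex);
    fn(WINSTA_ADDR, piiex);
    return rd32(TOKEN_ADDR) != 0xC0DECAFEu;
}

/* Legitimate use: a window station with one real layout. Returns 1 if fn succeeded and
   the copy landed in that layout's own IMEINFOEX buffer. */
int run_legit(set_ime_fn fn)
{
    uint8_t piiex[IIEX_SIZE];
    uint32_t hkl = 0x04090409u;
    memset(mem, 0, sizeof mem);
    wr32(WINSTA_ADDR + WS_SPKLLIST, REAL_KL_ADDR);
    wr32(REAL_KL_ADDR + KL_NEXT, REAL_KL_ADDR);   /* one-element circular list */
    wr32(REAL_KL_ADDR + KL_HKL, hkl);
    wr32(REAL_KL_ADDR + KL_PIIEX, REAL_IIEX_ADDR);
    memset(piiex, 0x42, IIEX_SIZE);
    memcpy(piiex + IIEX_HKL, &hkl, 4);
    return fn(WINSTA_ADDR, piiex) && rd32(REAL_IIEX_ADDR + 4) == 0x42424242u;
}

int main(void)
{
    printf("vulnerable: sentinel clobbered=%d\n", run_attack(set_ime_info_ex_vulnerable));
    printf("hardened:   sentinel clobbered=%d, legit call ok=%d\n",
           run_attack(set_ime_info_ex_hardened), run_legit(set_ime_info_ex_hardened));
    return 0;
}
```

    The hardened variant simply refuses an empty layout list, which is the minimal fix in this model; the real change is whatever Microsoft shipped for CVE-2018-8120. On Windows 8 and later the attacker-controlled node at address 0 could not exist in the first place, because the NULL page cannot be mapped, so the same dereference would only crash the system instead of yielding a write primitive.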

    With an arbitrary write primitive in hand, the attackers could have used a variety of techniques. In this case they chose the one described by Ivanlef0u and by Mateusz "j00ru" Jurczyk and Gynvael Coldwind: they set up a call gate to ring 0 by overwriting the Global Descriptor Table (GDT). To do this, the exploit obtains the address of the original GDT with the SGDT instruction, builds its own table, and then overwrites the original one using the vulnerability described above.

    The exploit then uses the CALL FAR instruction to perform an inter-privilege-level call through that gate.


    Figure 5. Disassembled CALL FAR command.
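    As an added example (not from the ESET analysis or the referenced write-ups), the C below shows the pieces the GDT technique above is built from: parsing the pseudo-descriptor that SGDT returns, encoding and decoding the 32-bit call gate descriptor that the overwrite installs, the selector a far call must use to reference it, and the privilege check the CPU performs for a CALL through a gate. The GDT base address, the entry index 0x3E and the payload offset are made-up values for the demonstration, and install_call_gate writes into a local copy of the table rather than the real GDT; the selector 0x08 is the ring-0 code segment on Windows x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of a 32-bit call gate descriptor (struct name is this example's own). */
struct call_gate32 {
    uint16_t selector;   /* code segment the gate transfers to (0x08 = ring-0 code on Windows x86) */
    uint32_t offset;     /* entry point inside that segment                                        */
    unsigned dpl;        /* highest (numerically) privilege level allowed to call the gate         */
    unsigned params;     /* dwords copied from the caller's stack to the callee's stack            */
};

/* Parse the 6-byte pseudo-descriptor SGDT stores on 32-bit x86: limit[15:0], base[31:0].
   Returns the number of 8-byte entries in the table. */
int parse_sgdt32(const uint8_t raw[6], uint16_t *limit, uint32_t *base)
{
    *limit = (uint16_t)(raw[0] | (raw[1] << 8));
    *base  = (uint32_t)raw[2] | ((uint32_t)raw[3] << 8) |
             ((uint32_t)raw[4] << 16) | ((uint32_t)raw[5] << 24);
    return (*limit + 1) / 8;
}

/* Encode a 32-bit call gate (Intel SDM vol. 3, "Call Gates"): bytes 0-1 offset[15:0],
   2-3 selector, 4 parameter count, 5 = P<<7 | DPL<<5 | S=0 | type 0xC, 6-7 offset[31:16]. */
void encode_call_gate32(uint8_t d[8], const struct call_gate32 *g)
{
    d[0] = (uint8_t)g->offset;   d[1] = (uint8_t)(g->offset >> 8);
    d[2] = (uint8_t)g->selector; d[3] = (uint8_t)(g->selector >> 8);
    d[4] = (uint8_t)(g->params & 0x1F);
    d[5] = (uint8_t)(0x80 | ((g->dpl & 3) << 5) | 0x0C);
    d[6] = (uint8_t)(g->offset >> 16); d[7] = (uint8_t)(g->offset >> 24);
}

/* Decode; returns 0 unless the entry is a present 32-bit call gate. */
int decode_call_gate32(const uint8_t d[8], struct call_gate32 *g)
{
    if ((d[5] & 0x80) == 0 || (d[5] & 0x1F) != 0x0C) return 0;   /* need P=1, S=0, type=0xC */
    g->selector = (uint16_t)(d[2] | (d[3] << 8));
    g->offset   = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
                  ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);
    g->dpl      = (d[5] >> 5) & 3;
    g->params   = d[4] & 0x1F;
    return 1;
}

/* Selector that references GDT entry `index`: index<<3, TI=0 (GDT), RPL in bits 0-1. */
uint16_t gdt_selector(unsigned index, unsigned rpl) { return (uint16_t)((index << 3) | (rpl & 3)); }

/* CPU privilege check for CALL through a call gate: CPL and RPL must both be <= gate DPL,
   and the target (non-conforming) code segment's DPL must be <= CPL. A gate with DPL 3
   into a DPL 0 segment is exactly the ring-3-to-ring-0 door the exploit needs. */
int call_gate_allowed(unsigned cpl, unsigned rpl, unsigned gate_dpl, unsigned target_dpl)
{
    return cpl <= gate_dpl && rpl <= gate_dpl && target_dpl <= cpl;
}

/* Overwrite one entry of a GDT copy with a ring-3-callable gate into ring-0 code at
   `payload`; returns the selector to place in CALL FAR's far pointer, or 0 if index is bad. */
uint16_t install_call_gate(uint8_t *gdt, unsigned entries, unsigned index, uint32_t payload)
{
    struct call_gate32 g = { 0x08, payload, 3, 0 };
    if (index == 0 || index >= entries) return 0;   /* entry 0 is the null descriptor */
    encode_call_gate32(gdt + index * 8, &g);
    return gdt_selector(index, 3);
}

int main(void)
{
    /* Constructed SGDT result: a 1024-byte GDT at 0x80B95000 (illustrative address). */
    const uint8_t sgdt_raw[6] = { 0xFF, 0x03, 0x00, 0x50, 0xB9, 0x80 };
    uint16_t limit; uint32_t base;
    int n = parse_sgdt32(sgdt_raw, &limit, &base);
    uint8_t gdt[1024] = {0};
    uint16_t sel = install_call_gate(gdt, n, 0x3E, 0x00401000u);
    struct call_gate32 g;
    decode_call_gate32(gdt + 0x3E * 8, &g);
    printf("GDT base=0x%08X entries=%d; gate selector=0x%04X -> %04X:%08X dpl=%u\n",
           base, n, sel, g.selector, g.offset, g.dpl);
    return 0;
}
```

    Two caveats matter when reading this against the exploit. SGDT is not a privileged instruction on x86 unless the CPU and OS enable UMIP, which is why a user-mode process could learn the GDT base at all; and the far pointer passed to CALL FAR only needs the gate's selector, since the offset is taken from the descriptor. The encoder is for 32-bit mode only: 64-bit call gates are 16-byte descriptors with a different layout.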

    When the code is executed in kernel mode, the exploit replaces the current process token with a system token.

    Conclusions


    ESET researchers discovered the malicious PDF after it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may indicate that it was caught at an early stage of development. Even so, its authors demonstrated a high level of skill in vulnerability discovery and exploit writing.

    Indicators of compromise (IoC)


    ESET product detection:
    JS/Exploit.Pdfka.QNV trojan
    Win32/Exploit.CVE-2018-8120.A trojan

    SHA-1:
    C82CFEAD292EECA601D3CF82C8C5340CB579D1C6
    0D3F335CCCA4575593054446F5F219
