BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out of Adobe Reader's Sandbox

  • 491 views
Uploaded on

Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was introduced in July 2010. So far, it had been doing …

Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was introduced in July 2010. So far, it had been doing a good job at limiting the impact of exploitable bugs in Adobe Reader X, as escaping the sandbox after successful exploitation turned to be particularly challenging, and hasn't been witnessed in the wild, yet.

This paper exposes how we did just this: By leveraging some broker APIs, a policy flaw, and a little more, we were able to break free from Adobe's sandbox.

The particular vulnerability we used was patched by Adobe in September 2011 (CVE-2011-1353), as a result of our responsible disclosure action; yet, this demonstrates that Adobe's sandbox cannot be considered a panacea against security flaws exploitation in Adobe Reader X, and paves the way toward further interesting discoveries for security researchers.

Indeed, beyond this particular vulnerability, this paper dives deep into the sandbox implementation of Adobe Reader X, and debates ways to audit its broker APIs, which, to our minds, offer a major attack surface. In particular, the paper details how we configured an open-source fuzzing tool to audit them through the IPC Framework.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
491
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
12
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. BREEDING SANDWORMS:HOW TO FUZZ YOUR WAY OUT OF ADOBE READER XS SANDBOX
  • 2. Who we are• Research and Analysis: Zhenhua(Eric) Liu Vulnerability Researcher zhliu@fortinet.com• Contributor and Editor: Guillaume Lovet Sr Manager of Fortinets EMEA Threat Research and Response Center glovet@fortinet.com
  • 3. Huge number of vulnerabilities been foundAdobe vulnerabilities history in CVE.http://www.cvedetails.com/vendor/53/Adobe.html
  • 4. Huge number of vulnerabilities been foundBig Fan of you,Mr. Ormandy
  • 5. How many of them can compromise Adobe Reader X?Since its launch in November2010, we have not seen asingle successful exploit in thewild against Adobe Reader X.
  • 6. All because of Protected Mode (SandBox)Adobe Reader X ProtectedMode mitigations wouldprevent an exploit of this kindfrom executing.
  • 7. How Hard Actually?http://blogs.adobe.com/asset/files/2010/11/Win7-Sandbox-Exploit-Steps.png
  • 8. Agenda• Introduce to the Adobe Reader X Protected Mode• The SandBox implementation• Fuzz Broker APIs• Bypass the Challenge• Demo• Conclusions and Future Work
  • 9. Documentation• The most complete and authoritative documentation one can find about Adobe Reader Protect Mode is the series of blogs written by Kyle Randolph from ASSET.
  • 10. Sandbox INTERNALS from ASSET’s bloghttp://blogs.adobe.com/asset/files/2010/10/Sandbox-Diagrams3.png
  • 11. Blood and Sand: At the heart of Adobe Readers sandboxhttp://blogs.adobe.com/asset/files/2010/11/Sandbox-and-Broker-Process-IPC.png
  • 12. Possible Avenues to Achieve Attack• Attacks From Kernel Land• Attacks From User Land-- Broker API Attack Surface-- Policy Engine-- IPC Frame Work-- Named Object Squatting Attacks-- Plug-in that not been sandboxed.-- And more… which will be discovered by you.
  • 13. Attacks From Kernel Land Can we subvert the token pointer?
  • 14. Motivations and Questions“An example is the dialog that confirms if the user really wants to disable Protected Mode” Hello from our old friend. We start from `hello` for respective.
  • 15. Audit Target• 1: Are there logic flaws, or weaknesses, that could be leveraged to circumvent restrictions?• 2: Are there memory corruption vulnerabilities?
  • 16. The strategy for reversing 1• Find “thread_provider_->RegisterWait”• Find function “ThreadPingEventReady” and the important parameter “service_context”.• Find IPC message dispatch mechanism through ThreadPingEventReady, and then find the entire IPC handler functions.
  • 17. Important data structuresRegisterWaitForSingleObject(&pool_object, waitable_object, callback, context, INFINITE, WT_EXECUTEDEFAULT )
  • 18. Important data structuresservice_context:• +0h Ping handle• +4h pong handle• +8h channel_size• +Ch channel_buffer• +10h shared_base• +14h channel• +18h dispatcher• +1Ch target_info
  • 19. The result
  • 20. The strategy for reversing 2• find out the “HOOK” function first, then enumerate entire broker IPC by “xrefs” function of IDApro. (for Client API)• Characteristic string like “AcroWinMainSandbox”. (for Client API)• Serach pattern strings in .data section of file “AcroRd32.exe”. (for handler API)
  • 21. You are so beautiful Following `AcroWinMainSandbox`, we find Adobe Service APIs list. (Client side)
  • 22. Broker API tag 0x3E is to disableProtected Mode.if ( MessageBoxW(hWnd, "..", "..", 0x34) == 6 ) { hKey = 0; ret = RegCreateKeyW ( HKEY_CURRENT_USER, L"SoftwareAdobeAcrobat Reader 10.0Privileged", &hKey); ...
  • 23. Practice for fun Tag field 0x3E means to “disable Protected Mode”
  • 24. Practice for funWith a pop confirmation dialogs out
  • 25. Another Practice For Fun Tag field 0x43 means to open http link using default explorer under High Integrity.http://10.10.1.127/1.exe
  • 26. Another Practice For Fun 1.exe is a POC file which doing operation in file system
  • 27. Another Practice For Fun And another confirmation dialog pop out
  • 28. Fuzz Broker APIs• The needs• The existing idea that meets needs
  • 29. The exits idea that meets needs• In particular, the “in memory fuzz” concept introduced by Michael Sutton in a famous book“Fuzzing: Brute Force Vulnerability Discovery”fits our requirements.
  • 30. Why we focused Broker Service APIs• We guess APIs inherited from Google’s Chrome have been researched a lot by many researchers.• Continuously increased Broker Service APIs by Adobe.
  • 31. Why we focused Broker Service APIs63 Broker Service Dispatchers were 72 Broker Service Dispatchers werefound in AcroRd32.exe 10.0.1.434 found in AcroRd32.exe 10.1.1.33
  • 32. In Memory Fuzzer POC: How it works Step 1 Step 2 Step 3 Step 4 Step 5 Takesnapshot for Wait for the Restore sandboxed Stuff fuzzing Send the IPC broker process snapshot of process data into the Message to handle the sandboxed before IPC Message IPC message process sending theIPC message 第 32 页
  • 33. In Memory Fuzzer POC: How it works Step 1 Step 2 Step 3 Step 4 Step 5 Takesnapshot for Wait for the Restore sandboxed Stuff fuzzing Send the IPC broker process snapshot of process data into the Message to handle the sandboxed before IPC Message IPC message process sending theIPC message Repeat step 2 - 5 until fuzz data exhausted
  • 34. Prepare the “Smarter ” Fuzz DataExample: strings in policyrules.
  • 35. Pop Pop and Pop XDWhich means the relativeBroker API have beenachieved.
  • 36. The Vulnerability CVE-2011-1353• It was patched by Adobe in September 2011 as a result of our responsible disclosure action• World is small Mark Yason and Paul Sabanal of IBM X-Force have also found this vulnerability.
  • 37. See the Problem?• AddRule( SUBSYS_REGISTRY, REG_DENY, "HKEY_CURRENT_USERSoftwareAdobeAcrobat Reader10.0Privileged" );• AddRule( SUBSYS_REGISTRY, REG_ALLOW_ANY, "HKEY_CURRENT_USERSoftwareAdobeAcrobat Reader10.0" );
  • 38. See the Problem?• AddRule( SUBSYS_REGISTRY, REG_DENY, "HKEY_CURRENT_USERSoftwareAdobeAcrobat Reader10.0Privileged" );• AddRule( SUBSYS_REGISTRY, REG_ALLOW_ANY, "HKEY_CURRENT_USERSoftwareAdobeAcrobat Reader10.0" );
  • 39. Magic String• HKEY_CURRENT_USERSoftwareAdobeAcro bat Reader10.0PrivilegedbProtectedMode
  • 40. CVE-2011-1353 Policy Engine CreateRegKeySandbox Request BrokerProcess Process OS
  • 41. CVE-2011-1353 Good Policy Engine Boy?Sandbox BrokerProcess Process OS
  • 42. CVE-2011-1353 Policy Engine False PositiveSandbox BrokerProcess Process Good Boy OS
  • 43. CVE-2011-1353 Policy EngineSandbox BrokerProcess Process What Can I Do for you? OS
  • 44. CVE-2011-1353 Policy EngineSandbox BrokerProcess Process Return Duplicated Handle OS
  • 45. The patch and little bit moreNew function “CanonPathName”added to Strip off the extrabackslash.while ( *Cp != ); do { Cp++; }
  • 46. Demo
  • 47. Conclusions and Future Work
  • 48. The Road To The Horizon
  • 49. The Road To The Horizon APSAs Like CVE-2011-3232 in the Demo.
  • 50. The Road To The Horizon Heap Spray, ROP, Heap FengShui, JIT, Haifei Li’s Flash ActionScript Exploit…
  • 51. The Road To The Horizon CVE-2011-1353
  • 52. Free!