BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out of Adobe Reader's Sandbox
- 2. Who we are
• Research and Analysis: Zhenhua(Eric) Liu
Vulnerability Researcher
zhliu@fortinet.com
• Contributor and Editor: Guillaume Lovet
Sr Manager of Fortinet's EMEA Threat
Research and Response Center
glovet@fortinet.com
- 3. A huge number of vulnerabilities have been found
Adobe vulnerability history in CVE:
http://www.cvedetails.com/vendor/53/Adobe.html
- 4. A huge number of vulnerabilities have been found
Big fan of you, Mr. Ormandy
- 5. How many of them can compromise Adobe Reader X?
“Since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X.”
- 6. All because of Protected Mode (SandBox)
“Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.”
- 8. Agenda
• Introduction to Adobe Reader X Protected Mode
• The SandBox implementation
• Fuzz Broker APIs
• Bypass the Challenge
• Demo
• Conclusions and Future Work
- 9. Documentation
• The most complete and authoritative documentation one can find about Adobe Reader Protected Mode is the series of blog posts written by Kyle Randolph from ASSET.
- 11. Blood and Sand: At the heart of Adobe Reader's sandbox
http://blogs.adobe.com/asset/files/2010/11/Sandbox-and-Broker-Process-IPC.png
- 12. Possible Avenues to Achieve Attack
• Attacks From Kernel Land
• Attacks From User Land
-- Broker API Attack Surface
-- Policy Engine
-- IPC Frame Work
-- Named Object Squatting Attacks
-- Plug-ins that have not been sandboxed.
-- And more… to be discovered by you.
- 14. Motivations and Questions
“An example is the dialog that confirms if the
user really wants to disable Protected Mode”
Hello from our old
friend.
We start from `hello` for
respective.
- 15. Audit Target
• 1: Are there logic flaws, or weaknesses, that
could be leveraged to circumvent restrictions?
• 2: Are there memory corruption
vulnerabilities?
- 16. The strategy for reversing 1
• Find “thread_provider_->RegisterWait”
• Find function “ThreadPingEventReady” and
the important parameter “service_context”.
• Find IPC message dispatch mechanism
through ThreadPingEventReady, and then find
the entire IPC handler functions.
- 20. The strategy for reversing 2
• Find the “HOOK” function first, then enumerate the entire broker IPC with the “xrefs” function of IDA Pro. (for Client API)
• Characteristic strings like “AcroWinMainSandbox”. (for Client API)
• Search for pattern strings in the .data section of the file “AcroRd32.exe”. (for handler API)
- 21. You are so beautiful
Following `AcroWinMainSandbox`, we find the Adobe Service API list. (Client side)
- 22. Broker API tag 0x3E is to disable Protected Mode.
// 0x34 = MB_YESNO | MB_ICONWARNING; a return value of 6 is IDYES
if ( MessageBoxW(hWnd, "..", "..", 0x34) == 6 )
{
    hKey = 0;
    // Backslashes in the key path were lost in extraction and are restored here
    ret = RegCreateKeyW(
              HKEY_CURRENT_USER,
              L"Software\\Adobe\\Acrobat Reader\\10.0\\Privileged",
              &hKey);
    ...
- 25. Another Practice For Fun
Tag field 0x43 means to open an http link using the default explorer under High Integrity.
http://10.10.1.127/1.exe
- 29. The existing idea that meets our needs
• In particular, the “in memory fuzz” concept introduced by Michael Sutton in the well-known book “Fuzzing: Brute Force Vulnerability Discovery” fits our requirements.
- 30. Why we focused on Broker Service APIs
• We assume the APIs inherited from Google’s Chrome have already been researched a lot by many researchers.
• Adobe keeps adding new Broker Service APIs.
- 31. Why we focused on Broker Service APIs
• 63 Broker Service Dispatchers were found in AcroRd32.exe 10.0.1.434
• 72 Broker Service Dispatchers were found in AcroRd32.exe 10.1.1.33
- 32. In Memory Fuzzer POC: How it works
Step 1: Take a snapshot of the sandboxed process before sending the IPC message.
Step 2: Send the IPC message.
Step 3: Wait for the broker process to handle the IPC message.
Step 4: Stuff fuzzing data into the IPC message.
Step 5: Restore the snapshot of the sandboxed process.
- 33. In Memory Fuzzer POC: How it works
(Same five steps as slide 32.)
Repeat steps 2 - 5 until the fuzz data is exhausted.
- 35. Pop Pop and Pop XD
Which means the corresponding Broker API has been reached.
- 36. The Vulnerability CVE-2011-1353
• It was patched by Adobe in September 2011
as a result of our responsible disclosure action
• World is small
Mark Yason and Paul Sabanal of IBM X-Force
have also found this vulnerability.
- 37. See the Problem?
• AddRule( SUBSYS_REGISTRY,
           REG_DENY,
           "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0\\Privileged"
         );
• AddRule( SUBSYS_REGISTRY,
           REG_ALLOW_ANY,
           "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0"
         );
- 40. CVE-2011-1353
[Figure: Sandbox Process -> Broker Process (Policy Engine) -> OS] The sandbox process sends a CreateRegKey request to the broker.
- 41. CVE-2011-1353
[Figure] The broker's Policy Engine checks the request: "Good Boy?"
- 42. CVE-2011-1353
[Figure] Policy Engine false positive: the request is judged a "Good Boy".
- 43. CVE-2011-1353
[Figure] The broker forwards the request to the OS: "What Can I Do for you?"
- 44. CVE-2011-1353
[Figure] The broker returns a duplicated handle to the sandbox process.
- 45. The patch and a little bit more
New function “CanonPathName” added to strip off the extra backslash.
do
{
    Cp++;                   // walk the path string
}
while ( *Cp != '\0' );      // escaped character lost in extraction; assumed to be the NUL terminator
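To make the rule-ordering flaw on the “See the Problem?” slide and the canonicalization fix on this slide concrete, here is a toy model added for this write-up (not the deck's or Adobe's code). The two key patterns are the ones from the AddRule() slide; the prefix matcher, `canon_path()` standing in for CanonPathName(), and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The two AddRule() patterns from the deck (backslashes restored). */
#define DENY_KEY  "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0\\Privileged"
#define ALLOW_KEY "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\10.0"

/* Assumed matcher semantics: rule matches the path on a whole key component. */
static int key_prefix(const char *path, const char *rule)
{
    size_t n = strlen(rule);
    return strncmp(path, rule, n) == 0 && (path[n] == '\0' || path[n] == '\\');
}

/* Unpatched model: rules are tested against the request string exactly as sent.
 * Returns 1 if the broker would perform the operation, 0 if it refuses. */
int policy_allows_unpatched(const char *path)
{
    if (key_prefix(path, DENY_KEY))
        return 0;                        /* explicit deny wins */
    return key_prefix(path, ALLOW_KEY);  /* otherwise the broad allow rule */
}

/* Stand-in for CanonPathName(): collapse runs of backslashes so the policy
 * engine compares the same string the OS will actually resolve. */
void canon_path(const char *in, char *out, size_t outlen)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0' && j + 1 < outlen; i++) {
        if (in[i] == '\\' && j > 0 && out[j - 1] == '\\')
            continue;                    /* drop the redundant separator */
        out[j++] = in[i];
    }
    out[j] = '\0';
}

/* Patched model: canonicalize first, then apply the very same rules. */
int policy_allows_patched(const char *path)
{
    char c[512];
    canon_path(path, c, sizeof c);
    return policy_allows_unpatched(c);
}

int main(void)
{
    /* Constructed request: the denied key spelled with a doubled separator. */
    const char *req = ALLOW_KEY "\\\\Privileged";
    printf("unpatched allows: %d, patched allows: %d\n",
           policy_allows_unpatched(req), policy_allows_patched(req));
    return 0;
}
```

The unpatched check lets the doubled-separator spelling through because it fails the DENY string match yet still falls under the ALLOW_ANY prefix, which is exactly why the fix canonicalizes before matching rather than adding more deny patterns.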
- 49. The Road To The Horizon
APSAs, like CVE-2011-3232 in the demo.
- 50. The Road To The Horizon
Heap Spray, ROP, Heap FengShui, JIT, Haifei Li’s Flash ActionScript Exploit…