SlideShare a Scribd company logo

Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc

Felipe Prado
Felipe Prado

Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc

Technology
1 of 34
Download to read offline
AbusingAdobeReader’s JavaScriptAPIs Brian Gorenc, Manager, Vulnerability Research AbdulAziz Hariri, Security Researcher Jasiel Spelman, Security Researcher
Agenda •  Introduction •  Understanding the Attack Surface •  Vulnerability Discovery •  Constructing the Exploit
Introduction
Introduction 4 HP Zero Day Initiative AbdulAziz Hariri - @abdhariri Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Jasiel Spelman - @WanderingGlitch Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Brian Gorenc - @maliciousinput Head of Zero Day Initiative Organizer of Pwn2Own Hacking Competitions
Research starting in December 2014 Bug Hunters Patched Vulnerabilities CVE-2015-5085, CVE-2015-5086, CVE-2015-5090, CVE-2015-5091, CVE-2015-4438, CVE-2015-4447, CVE-2015-4452, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115, CVE-2015-5100, CVE-2015-5111, CVE-2015-4435, CVE-2015-4441, CVE-2015-4445, CVE-2015-3053, CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3054, CVE-2015-3056, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064, CVE-2015-3069, CVE-2015-3060, CVE-2015-3062 Unpatched Vulnerabilities ZDI-CAN-3051, ZDI-CAN-3050, ZDI-CAN-3049, ZDI-CAN-3048, ZDI-CAN-3047, ZDI-CAN-3046, ZDI-CAN-3043, ZDI-CAN-3036, ZDI-CAN-3022, ZDI-CAN-3021, ZDI-CAN-2019, ZDI-CAN-3018, ZDI-CAN-3017, ZDI-CAN-3016, ZDI-CAN-3015, ZDI-CAN-2998, ZDI-CAN-2997, ZDI-CAN-2958, ZDI-CAN-2816, ZDI-CAN-2892, ZDI-CAN-2893 …more to come. 5
UnderstandingtheAttackSurface
Understanding Attack Surface 7 Prior research and resources •  The life of an Adobe Reader JavaScript bug (CVE-2014-0521) - Gábor Molnár •  First to highlight the JS API bypass issue •  The bug was patched in APSB14-15 and was assigned CVE-2014-0521 •  According to Adobe, this could lead to information disclosure •  https://molnarg.github.io/cve-2014-0521/#/ •  Why Bother Assessing Popular Software? – MWR Labs •  Highlights various attack vectors on Adobe reader •  https://labs.mwrinfosecurity.com/system/assets/979/original/Why_bother_assessing_popular_software.pdf
Understanding Attack Surface 8 ZDI Research Stats •  Primary Adobe research started internally in December 2014 •  We were not getting many cases in Reader/Acrobat •  Main goal was to kill as much bugs as possible •  Internal discoveries varied in bug type –  JavaScript API Restriction Bypasses –  Memory Leaks –  Use-After-Frees –  Elevation of Privileges –  etc.
Understanding Attack Surface 9 Insights Into Reader’s JavaScript API’s •  Adobe Acrobat/Reader exposes a rich JS API •  JavaScript API documentation is available on the Adobe website •  A lot can be done through the JavaScript API (Forms, Annotations, Collaboration etc..) •  Mitigations exist for the JavaScript APIs •  Some API’s defined in the documentation are only available in Acrobat Pro/Acrobat standard •  Basically JavaScript API’s are executed in two contexts: –  Privileged Context – Only Trusted functions can call it (app.trustedFunction) –  Non-Privileged Context
Understanding Attack Surface 10 Insights Into Reader’s JavaScript API’s •  Privileged vs Non-Privileged contexts are defined in the JS API documentation: •  A lot of API’s are privileged and cannot be executed from non-privileged contexts:
Understanding Attack Surface 11 Insights Into Reader’s JavaScript API’s •  Privileged API’s warning example from a non-privileged context:
Understanding Attack Surface 12 Folder-Level Scripts •  Scripts stored in the JavaScript folder inside the Acrobat/Reader folder •  Used to implement functions for automation purposes •  Contains Trusted functions that execute privileged API’s •  By default Acrobat/Reader ships with JSByteCodeWin.bin •  JSByteCodeWin.bin is loaded when Acrobat/Reader starts up •  It’s loaded inside Root, and exposed to the Doc when a document is open
Understanding Attack Surface 13 Decompiling •  JSByteCodeWin.bin is compiled into SpiderMoney 1.8 XDR bytecode •  JSByteCodeWin.bin contains interesting Trusted functions •  Molnarg was kind enough to publish a decompiler for SpiderMonkey –  https://github.com/molnarg/dead0007 –  Usage: ./dead0007 JSByteCodeWin.bin > output.js –  Output needs to be prettified –  ~27,000 lines of Javascript
VulnerabilityDiscovery
Vulnerability Discovery 15 JavaScript Method/Property Overloading •  __defineGetter__ and __defineSetter__
Vulnerability Discovery 16 JavaScript Method/Property Overloading •  __proto__
Vulnerability Discovery 17 Code Auditing for Overloading Opportunities •  Search for ‘eval’
Vulnerability Discovery 18 Code Auditing for Overloading Opportunities •  Search for ‘app.beginPriv(“
Vulnerability Discovery 19 Achieving System-Level eval() •  Overload property access with a custom function
Vulnerability Discovery 20 Executing Privileged APIs •  Replace a property with a privileged function
Vulnerability Discovery 21 Vulnerability Chaining •  Set up the system-level eval such that it executes the bulk of the payload •  Create the replacement attribute such that it now calls a privileged API •  Trigger the call
Vulnerability Discovery 22 Proof of Concept – CVE-2015-3073
ConstructingtheExploit
Constructing the exploit 24 Overview •  Research triggered from https://helpx.adobe.com/security/products/reader/apsb14-15.html: •  Challenge: Gain Remote Code Execution through the bypass issue •  We might be able to do that through the JS API’s that we know about
Constructing the exploit 25 Because documentation sucks.. •  We needed to find a way to dump a file on disk •  The file can be of any type (try to avoid restrictions) •  Let’s have a look at the Collab object…through the JS API from Adobe: •  Through the console:
Constructing the exploit 26 “If you want to keep a secret, you must also hide it from yourself.” – G. Orwell •  From all the 128 undocumented methods, the Collab.uri* family is specifically interesting:
Constructing the exploit 27 “The more you leave out, the more you highlight what you leave in.” - H. Green •  Too good to be true, so I consulted uncle Google before digging more:
Constructing the exploit 28 Show me what you got... •  Quick overview of the interesting methods:
Constructing the exploit 29 •  Overview of the Collab.uri* API’s: –  The API’s are used for “Collaboration” –  uriDeleteFolder/uriDeleteFile/uriPutData/uriCreateFolder are privileged API’s –  uriEnumerateFiles is NOT privileged –  The Collab.uri* methods take a URI path as an argument (at least) –  The path expected should be a UNC path –  The UNC path should start with smb:// or file:// •  The API’s fail to: –  Sanitize the UNC path (smb://localhost/C$/XXX works) –  Check the filetype of the filename to be written on disk (in the case of uriPutData) –  Check the content of oData object to be dumped (in the case of uriPutData)
Constructing the exploit 30 •  What we have so far: –  We can dump files on disk using the Collab.uriPutData() method –  The file contents that we want to dump should be passed as the oData object –  We can attach files in PDF documents and extract the contents –  We should chain the uriPutData call with one of the bypasses that we discussed earlier Then what ? How can we get RCE? Actually there are two obvious ways..
Constructing the exploit 31 Gaining RCE •  First way…a la Vupen: Basically write a file to the startup and wait for a logoff/logon ! •  Second way is writing a DLL that would be loaded by Adobe Acrobat:
Constructing the exploit 32 Putting it all together (Adobe Acrobat Pro) 1.  Attach our payload to the PDF 2.  Create a JS that would execute when the document is open 3.  JS is composed of: 1.  Extraction of the attachment 2.  Bypass JS privileges 3.  Execute Collab.uriPutData to output our payload (startup/dll) Extract Attachment Bypass JS Privileges Call uriPutData with the extracted attachment RCE
Constructing the exploit 33 Putting it all together (Adobe Acrobat Pro) DEMO
Thankyou

Recommended

Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
CODE BLUE
 
API Design & Security in django
API Design & Security in djangoAPI Design & Security in django
API Design & Security in django
Tareque Hossain
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Csaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014 Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014
OSSCube
 
Aci programmability
Aci programmabilityAci programmability
Aci programmability
Cisco DevNet
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
snyff
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 

Recommended

Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
CODE BLUE
 
API Design & Security in django
API Design & Security in djangoAPI Design & Security in django
API Design & Security in django
Tareque Hossain
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
Csaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?
Csaba Fitzl
 
Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014 Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014
OSSCube
 
Aci programmability
Aci programmabilityAci programmability
Aci programmability
Cisco DevNet
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
snyff
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
Csaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
3S Labs
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting Jenkins
Brian Hysell
 
Picking gem ruby for penetration testers
Picking gem ruby for penetration testersPicking gem ruby for penetration testers
Picking gem ruby for penetration testers
Paolo Perego
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
Zend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginnersZend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginners
Adam Englander
 
Django rest framework tips and tricks
Django rest framework tips and tricksDjango rest framework tips and tricks
Django rest framework tips and tricks
xordoquy
 
Introduction to Apache Ant
Introduction to Apache AntIntroduction to Apache Ant
Introduction to Apache Ant
Muhammad Hafiz Hasan
 
Building and deploying PHP applications with Phing
Building and deploying PHP applications with PhingBuilding and deploying PHP applications with Phing
Building and deploying PHP applications with Phing
Michiel Rook
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell Story
Daniel Bohannon
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec Defense
Daniel Bohannon
 
Best Practices in PHP Application Deployment
Best Practices in PHP Application DeploymentBest Practices in PHP Application Deployment
Best Practices in PHP Application Deployment
Shahar Evron
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
Chris Gates
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigility
Christian Varela
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A Primer
Brian Hysell
 
Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016
Clark Everetts
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
Cisco DevNet
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
August Detlefsen
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp Suite
August Detlefsen
 
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
CODE BLUE
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
hackersuli
 

More Related Content

What's hot

Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
Picking gem ruby for penetration testers
Picking gem ruby for penetration testersPicking gem ruby for penetration testers
Picking gem ruby for penetration testers
Paolo Perego
 
Zend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginnersZend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginners
Adam Englander
 

What's hot (20)

Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting Jenkins
 
Picking gem ruby for penetration testers
Picking gem ruby for penetration testersPicking gem ruby for penetration testers
Picking gem ruby for penetration testers
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Zend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginnersZend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginners
 
Django rest framework tips and tricks
Django rest framework tips and tricksDjango rest framework tips and tricks
Django rest framework tips and tricks
 
Introduction to Apache Ant
Introduction to Apache AntIntroduction to Apache Ant
Introduction to Apache Ant
 
Building and deploying PHP applications with Phing
Building and deploying PHP applications with PhingBuilding and deploying PHP applications with Phing
Building and deploying PHP applications with Phing
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell Story
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec Defense
 
Best Practices in PHP Application Deployment
Best Practices in PHP Application DeploymentBest Practices in PHP Application Deployment
Best Practices in PHP Application Deployment
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigility
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A Primer
 
Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp Suite
 

Similar to Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc

Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
CODE BLUE
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
Amazon Web Services
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
Amazon Web Services
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
Andreas Kurtz
 

Similar to Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc (20)

Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER
Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWERContinuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER
Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER
 
The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)
 
Beyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lasconBeyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lascon
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
 

More from Felipe Prado

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc

  • 1. AbusingAdobeReader’s JavaScriptAPIs Brian Gorenc, Manager, Vulnerability Research AbdulAziz Hariri, Security Researcher Jasiel Spelman, Security Researcher
  • 2. Agenda •  Introduction •  Understanding the Attack Surface •  Vulnerability Discovery •  Constructing the Exploit
  • 4. Introduction 4 HP Zero Day Initiative AbdulAziz Hariri - @abdhariri Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Jasiel Spelman - @WanderingGlitch Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Brian Gorenc - @maliciousinput Head of Zero Day Initiative Organizer of Pwn2Own Hacking Competitions
  • 5. Research starting in December 2014 Bug Hunters Patched Vulnerabilities CVE-2015-5085, CVE-2015-5086, CVE-2015-5090, CVE-2015-5091, CVE-2015-4438, CVE-2015-4447, CVE-2015-4452, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115, CVE-2015-5100, CVE-2015-5111, CVE-2015-4435, CVE-2015-4441, CVE-2015-4445, CVE-2015-3053, CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3054, CVE-2015-3056, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064, CVE-2015-3069, CVE-2015-3060, CVE-2015-3062 Unpatched Vulnerabilities ZDI-CAN-3051, ZDI-CAN-3050, ZDI-CAN-3049, ZDI-CAN-3048, ZDI-CAN-3047, ZDI-CAN-3046, ZDI-CAN-3043, ZDI-CAN-3036, ZDI-CAN-3022, ZDI-CAN-3021, ZDI-CAN-2019, ZDI-CAN-3018, ZDI-CAN-3017, ZDI-CAN-3016, ZDI-CAN-3015, ZDI-CAN-2998, ZDI-CAN-2997, ZDI-CAN-2958, ZDI-CAN-2816, ZDI-CAN-2892, ZDI-CAN-2893 …more to come. 5
  • 7. Understanding Attack Surface 7 Prior research and resources •  The life of an Adobe Reader JavaScript bug (CVE-2014-0521) - Gábor Molnár •  First to highlight the JS API bypass issue •  The bug was patched in APSB14-15 and was assigned CVE-2014-0521 •  According to Adobe, this could lead to information disclosure •  https://molnarg.github.io/cve-2014-0521/#/ •  Why Bother Assessing Popular Software? – MWR Labs •  Highlights various attack vectors on Adobe reader •  https://labs.mwrinfosecurity.com/system/assets/979/original/Why_bother_assessing_popular_software.pdf
  • 8. Understanding Attack Surface 8 ZDI Research Stats •  Primary Adobe research started internally in December 2014 •  We were not getting many cases in Reader/Acrobat •  Main goal was to kill as much bugs as possible •  Internal discoveries varied in bug type –  JavaScript API Restriction Bypasses –  Memory Leaks –  Use-After-Frees –  Elevation of Privileges –  etc.
  • 9. Understanding Attack Surface 9 Insights Into Reader’s JavaScript API’s •  Adobe Acrobat/Reader exposes a rich JS API •  JavaScript API documentation is available on the Adobe website •  A lot can be done through the JavaScript API (Forms, Annotations, Collaboration etc..) •  Mitigations exist for the JavaScript APIs •  Some API’s defined in the documentation are only available in Acrobat Pro/Acrobat standard •  Basically JavaScript API’s are executed in two contexts: –  Privileged Context – Only Trusted functions can call it (app.trustedFunction) –  Non-Privileged Context
  • 10. Understanding Attack Surface 10 Insights Into Reader’s JavaScript API’s •  Privileged vs Non-Privileged contexts are defined in the JS API documentation: •  A lot of API’s are privileged and cannot be executed from non-privileged contexts:
  • 11. Understanding Attack Surface 11 Insights Into Reader’s JavaScript API’s •  Privileged API’s warning example from a non-privileged context:
  • 12. Understanding Attack Surface 12 Folder-Level Scripts •  Scripts stored in the JavaScript folder inside the Acrobat/Reader folder •  Used to implement functions for automation purposes •  Contains Trusted functions that execute privileged API’s •  By default Acrobat/Reader ships with JSByteCodeWin.bin •  JSByteCodeWin.bin is loaded when Acrobat/Reader starts up •  It’s loaded inside Root, and exposed to the Doc when a document is open
  • 13. Understanding Attack Surface 13 Decompiling •  JSByteCodeWin.bin is compiled into SpiderMoney 1.8 XDR bytecode •  JSByteCodeWin.bin contains interesting Trusted functions •  Molnarg was kind enough to publish a decompiler for SpiderMonkey –  https://github.com/molnarg/dead0007 –  Usage: ./dead0007 JSByteCodeWin.bin > output.js –  Output needs to be prettified –  ~27,000 lines of Javascript
  • 15. Vulnerability Discovery 15 JavaScript Method/Property Overloading •  __defineGetter__ and __defineSetter__
  • 17. Vulnerability Discovery 17 Code Auditing for Overloading Opportunities •  Search for ‘eval’
  • 18. Vulnerability Discovery 18 Code Auditing for Overloading Opportunities •  Search for ‘app.beginPriv(“
  • 19. Vulnerability Discovery 19 Achieving System-Level eval() •  Overload property access with a custom function
  • 20. Vulnerability Discovery 20 Executing Privileged APIs •  Replace a property with a privileged function
  • 21. Vulnerability Discovery 21 Vulnerability Chaining •  Set up the system-level eval such that it executes the bulk of the payload •  Create the replacement attribute such that it now calls a privileged API •  Trigger the call
  • 22. Vulnerability Discovery 22 Proof of Concept – CVE-2015-3073
  • 24. Constructing the exploit 24 Overview •  Research triggered from https://helpx.adobe.com/security/products/reader/apsb14-15.html: •  Challenge: Gain Remote Code Execution through the bypass issue •  We might be able to do that through the JS API’s that we know about
  • 25. Constructing the exploit 25 Because documentation sucks.. •  We needed to find a way to dump a file on disk •  The file can be of any type (try to avoid restrictions) •  Let’s have a look at the Collab object…through the JS API from Adobe: •  Through the console:
  • 26. Constructing the exploit 26 “If you want to keep a secret, you must also hide it from yourself.” – G. Orwell •  From all the 128 undocumented methods, the Collab.uri* family is specifically interesting:
  • 27. Constructing the exploit 27 “The more you leave out, the more you highlight what you leave in.” - H. Green •  Too good to be true, so I consulted uncle Google before digging more:
  • 28. Constructing the exploit 28 Show me what you got... •  Quick overview of the interesting methods:
  • 29. Constructing the exploit 29 •  Overview of the Collab.uri* API’s: –  The API’s are used for “Collaboration” –  uriDeleteFolder/uriDeleteFile/uriPutData/uriCreateFolder are privileged API’s –  uriEnumerateFiles is NOT privileged –  The Collab.uri* methods take a URI path as an argument (at least) –  The path expected should be a UNC path –  The UNC path should start with smb:// or file:// •  The API’s fail to: –  Sanitize the UNC path (smb://localhost/C$/XXX works) –  Check the filetype of the filename to be written on disk (in the case of uriPutData) –  Check the content of oData object to be dumped (in the case of uriPutData)
  • 30. Constructing the exploit 30 •  What we have so far: –  We can dump files on disk using the Collab.uriPutData() method –  The file contents that we want to dump should be passed as the oData object –  We can attach files in PDF documents and extract the contents –  We should chain the uriPutData call with one of the bypasses that we discussed earlier Then what ? How can we get RCE? Actually there are two obvious ways..
  • 31. Constructing the exploit 31 Gaining RCE •  First way…a la Vupen: Basically write a file to the startup and wait for a logoff/logon ! •  Second way is writing a DLL that would be loaded by Adobe Acrobat:
  • 32. Constructing the exploit 32 Putting it all together (Adobe Acrobat Pro) 1.  Attach our payload to the PDF 2.  Create a JS that would execute when the document is open 3.  JS is composed of: 1.  Extraction of the attachment 2.  Bypass JS privileges 3.  Execute Collab.uriPutData to output our payload (startup/dll) Extract Attachment Bypass JS Privileges Call uriPutData with the extracted attachment RCE
  • 33. Constructing the exploit 33 Putting it all together (Adobe Acrobat Pro) DEMO