In association with heise online

25 June 2012, 16:01

Worth Reading: Exploited despite sandbox

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Adobe Reader puzzle logo

Adobe Reader X runs in a sandbox at a very restricted privilege level. Important system calls are supposed to be handled by a special broker process that will subject them to extensive testing. However, a small design flaw allows attackers to user system calls, circumvent ASLR (Address Space Layout Randomisation) and DEP (Data Execution Prevention) and execute arbitrary code.

As described by Guillaume Delugré, the broker process is at the heart of the exploit as it uses a memory page allocated via VirtualAllocEx to store the overwritten code of system calls which have been redirected to the broker. Despite having ASLR, however, the memory address returned by VirtualAllocEx is not randomised. This means that the Windows system function call will end up in a predictable, "nearly constant" location which the exploit can then access directly.

In a blog post, Delugré goes on to further detail, providing an interesting and informative account of the rest of the exploit's path up to the execution of the code, which is injected via a specially crafted PDF file. The author also provides some proof-of-concept code and various scripts that helped him assemble the exploit.

Update: A previous version of this item contained the term "sandbox escape" which we have now removed after the author informed us that this might lead to confusion because the exploit code is still subject to sandbox limitations like reduced privileges.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit