Windows Acrobat Reader 11 Sandbox Escape in NtSetInformationFile

[GoogleCodeExporter]

The Acrobat Reader Windows sandbox is vulnerable to NTFS junction attack to 
write an arbitrary file to the filesystem under user permissions. This could be 
used to break out of the sandbox leading to execution at higher privileges.

The specific vulnerability is in the handling of the NtSetInformationFile 
system call hook. This function attempts to resolve the real destination of the 
rename. If the destination is a junction it reads the junction destination, 
however it only does this for the first level so it's possible to have a chain 
of junctions. This allows code in the sandbox to write an arbitrary file to the 
filesystem.

Version tested: 11.0.8 (10.* not tested)

Attached is a PoC, including source and pre-compiled binaries. To test the PoC 
run the following steps:

1) Copy Testdll.dll and InjectDll.exe to a location the sandboxed process can 
read.
2) Run the command Injectdll.exe pid path\to\testdll.dll where pid is the 
process ID of a sandboxed Adobe Reader process. 
3) Successful exploitation is indicated by a new file being created on the 
desktop call 'abc'. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fors...@google.com on 20 Aug 2014 at 12:48

Attachments:

• poc.7z

[GoogleCodeExporter]

Original comment by fors...@google.com on 8 Sep 2014 at 8:02

• Added labels: CVE-2014-0568

[GoogleCodeExporter]

Fixed here: http://helpx.adobe.com/security/products/reader/apsb14-20.html

Original comment by cev...@google.com on 16 Sep 2014 at 4:43

• Changed state: Fixed
• Added labels: Fixed-2014-Sep-16

[GoogleCodeExporter]

Original comment by fors...@google.com on 24 Sep 2014 at 9:32

• Removed labels: Restrict-View-Commit