Windows Acrobat Reader 11 Sandbox Escape in MoveFileEx IPC Hook

[GoogleCodeExporter]

The Acrobat Reader Windows sandbox is vulnerable to NTFS junction attack to 
write an arbitrary file to the filesystem under user permissions. This could be 
used to break out of the sandbox leading to execution at higher privileges.

The specific vulnerability is there is a race condition in the handling of the 
MoveFileEx call hook. While the function resolves the location of the source 
and destination and ensures they are within the policy there is a timing race 
once the function calls into the MoveFileEx function in the broker. This race 
can be won by the sandboxed process by using an OPLOCK to wait for the point 
where the MoveFileEx function opens the original file for the move. This allows 
code in the sandbox to write an arbitrary file to the file system.

While this is similar to the previous reported issue with NtSetInformationFile 
it's different in that it doesn't rely on the bug in the processing of the 
filepath instead exploits a TOCTOU race. It's only possible in this case to 
race as it's the broker which opens the file rather than the sandboxed process. 
It would probably be recommended to ensure that you cannot creation junctions 
ever, although this isn't trivial in all cases where you passing back raw 
handles to the callee. 

Version tested: 11.0.8 (10.* not tested)

Attached is a PoC, including source and pre-compiled binaries. To test the PoC 
run the following steps:

1) Copy Testdll.dll and InjectDll.exe to a location the sandboxed process can 
read.
2) Run the command Injectdll.exe pid path\to\testdll.dll where pid is the 
process ID of a sandboxed Adobe Reader process. 
3) Successful exploitation is indicated by a new file being created on the 
desktop call 'abc'. 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by fors...@google.com on 27 Aug 2014 at 6:09

Attachments:

• poc.zip

[GoogleCodeExporter]

While this bug technically isn't fixed a defence in depth change in 11.0.9 
which fixed 
https://code.google.com/p/google-security-research/issues/detail?id=94 
effectively made this difficult if not impossible to exploit. It was no longer 
possible to use the broker file system hooks to create directory junctions.

Original comment by fors...@google.com on 26 Nov 2014 at 7:11

[GoogleCodeExporter]

Original comment by fors...@google.com on 26 Nov 2014 at 7:12

• Added labels: PublicOn-2014-Nov-26

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Deadline exceeded -- automatically derestricting.

Original comment by fors...@google.com on 26 Nov 2014 at 7:16

[GoogleCodeExporter]

Original comment by fors...@google.com on 9 Dec 2014 at 6:10

• Changed state: Fixed
• Added labels: CVE-2014-9150

[GoogleCodeExporter]

http://helpx.adobe.com/security/products/reader/apsb14-28.html

Original comment by fors...@google.com on 9 Dec 2014 at 6:11

[GoogleCodeExporter]

Original comment by cev...@google.com on 9 Feb 2015 at 3:31

• Added labels: Deadline-Exceeded

[GoogleCodeExporter]

Original comment by cev...@google.com on 10 Feb 2015 at 6:50

• Added labels: Fixed-2014-Dec-9

[GoogleCodeExporter]

can you please tell me what this is? I would like to deepen
http://wdfshare.blogspot.com

Original comment by putuindr...@gmail.com on 18 Mar 2015 at 12:25