CVE-2018-4990 Adobe Reader code execution exploit analysis

Source: www.myhack58.com (MYHACK58:62201890341), author: 佚名 (anonymous), published Jun 01, 2018
On May 15, 2018, ESET published the article "A tale of two zero-days", disclosing a PDF document that ESET had captured in March of this year on the VirusTotal malware scanning service, apparently intended for attack testing. The PDF sample contained two 0-day vulnerabilities, CVE-2018-4990 and CVE-2018-8120, combined to achieve arbitrary code execution through the Adobe Acrobat/Reader PDF reader. CVE-2018-4990 is a code execution vulnerability in the Adobe PDF reader; CVE-2018-8120 is a privilege escalation vulnerability in the Win32k kernel component of the Windows operating system. After code execution is obtained through the first vulnerability, the kernel privilege escalation is used to bypass Adobe PDF reader's sandbox protection and achieve arbitrary code execution on the system.
Backtracking analysis of the exploit
360 Threat Intelligence Center has confirmed that the disclosed vulnerabilities are exploitable. In this article we attempt a detailed analysis of how the POC in the sample exploits the Adobe Acrobat/Reader code execution vulnerability CVE-2018-4990, and record the whole analysis process. Please bear with any inaccuracies in the analysis.
Analysis environment
Operating system: Windows 7 SP1
Adobe Reader DC: 1700920044
Sample MD5: bd23ad33accef14684d42c32769092a0
Payload function analysis
Opening the vulnerable sample with PDFStream, the JavaScript used to trigger and exploit the vulnerability can be found at the tail of the file:
![](/Article/UploadPic/2018-6/201861173548288.png?www.myhack58.com)
Analysis shows that the JavaScript at the front is loaded by the PDF reader after the vulnerability has been triggered, and is mainly used for privilege escalation and execution of the malicious code. The JavaScript code that follows uses two Array instances, sprayarr and a1, to lay out memory (heap spray). Note that the elements at odd indices of a1 are released; this is a common memory layout technique in UAF-class exploits:
![](/Article/UploadPic/2018-6/201861173548377.png?www.myhack58.com)
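The triage steps above (pulling the JavaScript out of the PDF and recognizing the spray and odd-index-free layout) can be automated by a defender. The following is an added example, not code from the original article or from 360 Threat Intelligence Center: a Python script that wraps a constructed, hypothetical script in a minimal PDF, decodes FlateDecode JavaScript streams, and flags the indicators the analysis describes. The sample script, the object numbers, the indicator names and the regular expressions are all constructed for illustration.

```python
import re
import zlib

# Constructed sample script. It mimics only the shape of the script described
# in the analysis (Array spray, odd-index frees, getField call, ArrayBuffer
# spray); the variable names and sizes are hypothetical, not the sample's code.
SAMPLE_JS = b"""
var sprayarr = new Array();
var a1 = new Array();
for (var i = 0; i < 0x1000; i++) { a1[i] = new Array(0x100); }
for (var i = 1; i < 0x1000; i += 2) { a1[i] = null; }
var f1 = this.getField("Button1");
var sprayarr2 = new Array();
for (var i = 0; i < 0x400; i++) { sprayarr2[i] = new ArrayBuffer(0x20000 - 0x24); }
"""


def build_sample_pdf(js: bytes) -> bytes:
    """Wrap a script in a minimal, constructed PDF with an OpenAction JavaScript stream."""
    body = zlib.compress(js)
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


# Naive object/stream splitting. Good enough for triage of a well-formed file;
# binary stream data that happens to contain "endobj" would confuse it.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
INLINE_JS_RE = re.compile(rb"/JS\s*\(([^)]*)\)")   # literal-string /JS, no escape handling

# Heuristic indicators derived from the layout the analysis describes.
INDICATORS = {
    "alloc_in_loop": re.compile(rb"for\s*\([^)]*\)\s*\{[^}]*new\s+(?:Array|ArrayBuffer)\s*\("),
    "odd_index_free": re.compile(rb"\+=\s*2\s*\)\s*\{[^}]*=\s*null"),
    "large_arraybuffer": re.compile(rb"new\s+ArrayBuffer\s*\(\s*0x[0-9a-fA-F]{5,}"),
    "form_field_trigger": re.compile(rb"this\.getField\s*\("),
}


def extract_scripts(pdf: bytes) -> list:
    """Return (object number, script bytes) for every JavaScript body found."""
    scripts = []
    # Objects referenced as /JS N 0 R hold script streams even without /JavaScript in their dict.
    js_refs = {int(n) for n in re.findall(rb"/JS\s+(\d+)\s+\d+\s+R", pdf)}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        for literal in INLINE_JS_RE.findall(body):
            scripts.append((num, literal))
        sm = STREAM_RE.search(body)
        if sm is None:
            continue
        dict_, data = sm.group(1), sm.group(2)
        if num not in js_refs and b"/JavaScript" not in dict_:
            continue
        if b"/FlateDecode" in dict_:
            data = zlib.decompressobj().decompress(data)   # tolerates trailing bytes
        scripts.append((num, data))
    return scripts


def triage(pdf: bytes) -> dict:
    """Count embedded scripts and report which spray/UAF-layout indicators they match."""
    scripts = extract_scripts(pdf)
    hits = set()
    for _, js in scripts:
        for name, rx in INDICATORS.items():
            if rx.search(js):
                hits.add(name)
    return {"scripts": len(scripts), "indicators": sorted(hits)}


if __name__ == "__main__":
    print(triage(build_sample_pdf(SAMPLE_JS)))
```

The regular expressions are deliberately simple and will miss obfuscated scripts (string-built identifiers, eval chains, other stream filters); for real samples, run the same indicator logic over the output of a full PDF parser such as Didier Stevens' pdf-parser rather than over raw bytes.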
Once the memory layout is in place, myfun1 and myfun2 are each called to trigger the double free. The script code that triggers the double free, which in turn leads to execution of the subsequent code, is:
var f1 = this.getField("Button1");
Finally the Array instance sprayarr2 is assigned, each of whose elements is an ArrayBuffer of length 0x20000-0x24. Traversing sprayarr then finds one sprayarr element whose length has been modified to 0x20000-0x24 (the default length is 0x10000-0x24). Through this over-long sprayarr[i1], the len attribute of the adjacent sprayarr[i1+1] object can be modified; in the script code it is set to 0x66666666. Through the resulting over-long sprayarr[i1+1], full memory read and write is achieved:
![](/Article/UploadPic/2018-6/201861173548237.png?www.myhack58.com)
For this the attacker has prepared dedicated functions that use the over-long sprayarr object to implement full memory read and write:
![](/Article/UploadPic/2018-6/201861173548144.png?www.myhack58.com)
With full memory read and write obtained, the POC achieves code execution by forging a bookmarkRoot object:
![](/Article/UploadPic/2018-6/201861173549831.png?www.myhack58.com)
Running the POC causes the following crash:
![](/Article/UploadPic/2018-6/201861173549562.png?www.myhack58.com)
The crash is caused by a hard-coded object address in the script: the address 0x23A59BA4-0x23800000 is not adapted to the Adobe Reader version under test, so the POC crashes:
![](/Article/UploadPic/2018-6/201861173549851.png?www.myhack58.com)
Through the analysis of the POC payload functions we identified several key points in the POC that need to be analyzed; they are also the key to understanding the whole exploit:
- the memory structures of sprayarr and a1 in the memory spray
- specific analysis of the code that triggers the double free (var f1 = this.getField("Button1");)
- the memory state at the initialization of sprayarr2: the initial length of each of its elements is exactly the length of the over-long sprayarr element, which leads us to suspect that sprayarr2 and sprayarr overlap. Perhaps the code at the second point releases a sprayarr element, which sprayarr2 then reuses?
Script analysis and debugging
With the key points of the exploit derived from the payload function analysis, we began to debug and analyze them one by one.
How to analyze the associated memory structures
The parts of the sample that trigger and exploit the vulnerability are all JavaScript, so when debugging we can set breakpoints on the corresponding functions in order to break at a specific point. To obtain the corresponding memory structures we can directly modify the POC: for example, create an Array instance myContent and assign element 0 the value 0x1a2c3d4f to make it easy to search for in memory, then assign each variable we are interested in to the subsequent elements of the Array, so that its memory can be located and analyzed:
![](/Article/UploadPic/2018-6/201861173549861.png?www.myhack58.com)
After breaking at the function described above, searching memory for 0x1a2c3d4f locates the corresponding myContent structure. As shown, the data starting at address 0x062035f8 is the tag 0x1a2c3d4f; the following four-byte value 0xffffff81 marks the element's type; then in turn come the elements we assigned, which are all Arrays and therefore have type 0xffffff87:
![](/Article/UploadPic/2018-6/201861173549846.png?www.myhack58.com)
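The tagging technique described above can be scripted against a saved memory image instead of searched by hand in the debugger. The following is an added example, not part of the original article: a Python helper that searches a constructed memory image for the 0x1a2c3d4f marker and walks the element slots that follow it. It assumes each element occupies an 8-byte slot consisting of a 32-bit value followed by the 32-bit type dword (0xffffff81 after the integer marker, 0xffffff87 for an Array, as observed in the analysis); that slot layout, the base address 0x06200000 of the image and the element pointer values are assumptions made for the example.

```python
import struct

TAG = 0x1A2C3D4F           # marker written into element 0 of the probe Array
TYPE_INT = 0xFFFFFF81      # type dword seen after the integer marker (from the analysis)
TYPE_ARRAY = 0xFFFFFF87    # type dword seen after each Array element (from the analysis)
SLOT = struct.Struct("<II")  # assumed slot layout: 32-bit value, then 32-bit type tag
TYPE_NAMES = {TYPE_INT: "int", TYPE_ARRAY: "array"}


def find_tag(dump: bytes, base: int, tag: int = TAG) -> list:
    """Return every virtual address at which the 4-byte little-endian tag occurs."""
    needle = struct.pack("<I", tag)
    hits, pos = [], dump.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = dump.find(needle, pos + 1)
    return hits


def walk_elements(dump: bytes, base: int, addr: int, max_slots: int = 64) -> list:
    """Walk consecutive (value, type) slots from addr; stop at the first unknown type."""
    out = []
    off = addr - base
    for _ in range(max_slots):
        if off + SLOT.size > len(dump):
            break
        value, typ = SLOT.unpack_from(dump, off)
        if typ not in TYPE_NAMES:
            break
        out.append((base + off, value, TYPE_NAMES[typ]))
        off += SLOT.size
    return out


def build_sample_dump(pad: int, array_ptrs: list) -> bytes:
    """Constructed memory image: filler, the tagged int slot, one slot per Array, then zeros."""
    body = b"\xcc" * pad + SLOT.pack(TAG, TYPE_INT)
    for ptr in array_ptrs:
        body += SLOT.pack(ptr, TYPE_ARRAY)
    return body + b"\x00" * 32


if __name__ == "__main__":
    base = 0x06200000                      # assumed base address of the image
    # 0x35f8 of filler places the tag at 0x062035f8, the address seen in the analysis.
    dump = build_sample_dump(0x35F8, [0x05F01230, 0x05F04560])   # pointers are constructed
    for addr in find_tag(dump, base):
        for slot_addr, value, kind in walk_elements(dump, base, addr):
            print("%08x: %08x %s" % (slot_addr, value, kind))
```

On a real dump, write the process memory with the debugger's dump command at the breakpoint, pass its load address as base, and treat any slot whose type dword is not one of the two observed values as the end of the Array's element storage.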
