breeding sandworms
play

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S - PowerPoint PPT Presentation

May 15, 2023 •110 likes •646 views

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research and Analysis: Zhenhua(Eric) Liu Vulnerability Researcher zhliu@fortinet.com Contributor and Editor: Guillaume Lovet Sr Manager of Fortinet's

  1. BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX

  2. Who we are • Research and Analysis: Zhenhua(Eric) Liu Vulnerability Researcher zhliu@fortinet.com • Contributor and Editor: Guillaume Lovet Sr Manager of Fortinet's EMEA Threat Research and Response Center glovet@fortinet.com

  3. Huge number of vulnerabilities been found Adobe vulnerabilities history in CVE. http://www.cvedetails.com/vendor/53/Adobe.html

  4. Huge number of vulnerabilities been found Big Fan of you, Mr. Ormandy

  5. How many of them can compromise Adobe Reader X? Since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X.

  6. All because of Protected Mode (SandBox) Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

  7. How Hard Actually? http://blogs.adobe.com/asset/files/2010/11/Win7- Sandbox-Exploit-Steps.png

  8. Agenda • Introduce to the Adobe Reader X Protected Mode • The SandBox implementation • Fuzz Broker APIs • Bypass the Challenge • Demo • Conclusions and Future Work

  9. Documentation • The most complete and authoritative documentation one can find about Adobe Reader Protect Mode is the series of blogs written by Kyle Randolph from ASSET.

  10. Sandbox INTERNALS from ASSET’s blog http://blogs.adobe.com/asset/files/2010/10/Sandbox- Diagrams3.png

  11. Blood and Sand: At the heart of Adobe Reader's sandbox http://blogs.adobe.com/asset/files/2010/11/Sandbox- and-Broker-Process-IPC.png

  12. Possible Avenues to Achieve Attack • Attacks From Kernel Land • Attacks From User Land -- Broker API Attack Surface -- Policy Engine -- IPC Frame Work -- Named Object Squatting Attacks -- Plug-in that not been sandboxed. -- And more… which will be discovered by you.

  13. Attacks From Kernel Land Can we subvert the token pointer ?

  14. Motivations and Questions “An example is the dialog that confirms if the user really wants to disable Protected Mode” Hello from our old friend. We start from `hello` for respective.

  15. Audit Target • 1: Are there logic flaws, or weaknesses, that could be leveraged to circumvent restrictions? • 2: Are there memory corruption vulnerabilities?

  16. The strategy for reversing 1 • Find “thread_provider_->RegisterWait” • Find function “ThreadPingEventReady” and the important parameter “service_context”. • Find IPC message dispatch mechanism through ThreadPingEventReady, and then find the entire IPC handler functions.

  17. Important data structures RegisterWaitForSingleObject (&pool_object, waitable_object, callback, context, INFINITE, WT_EXECUTEDEFAULT )

  18. Important data structures service_context : • +0h Ping handle • +4h pong handle • +8h channel_size • +Ch channel_buffer • +10h shared_base • +14h channel • +18h dispatcher • +1Ch target_info

  19. The result

  20. The strategy for reversing 2 • find out the “HOOK” function first, then enumerate entire broker IPC by “xrefs” function of IDApro. (for Client API) • Characteristic string like “AcroWinMainSandbox”. (for Client API) • Serach pattern strings in .data section of file “AcroRd32.exe”. (for handler API)

  21. You are so beautiful Following `AcroWinMainSandbox`, we find Adobe Service APIs list. (Client side)

  22. Broker API tag 0x3E is to disable Protected Mode. if ( MessageBoxW(hWnd, "..", "..", 0x34) == 6 ) { hKey = 0; ret = RegCreateKeyW ( HKEY_CURRENT_USER, L"Software\\Adobe\\Acrobat Reader\\ 10.0\\Privileged", &hKey); ...

  23. Practice for fun Tag field 0x3E means to “disable Protected Mode”

  24. Practice for fun With a pop confirmation dialogs out

  25. Another Practice For Fun Tag field 0x43 means to open http link using default explorer under High Integrity. http://10.10.1.127/1.exe

  26. Another Practice For Fun 1.exe is a POC file which doing operation in file system

  27. Another Practice For Fun And another confirmation dialog pop out

  28. Fuzz Broker APIs • The needs • The existing idea that meets needs

  29. The exits idea that meets needs • In particular, the “ in memory fuzz ” concept introduced by Michael Sutton in a famous book “ Fuzzing: Brute Force Vulnerability Discovery ” fits our requirements.

  30. Why we focused Broker Service APIs • We guess APIs inherited from Google’s Chrome have been researched a lot by many researchers. • Continuously increased Broker Service APIs by Adobe.

  31. Why we focused Broker Service APIs 63 Broker Service Dispatchers were 72 Broker Service Dispatchers were found in AcroRd32.exe 10.0.1.434 found in AcroRd32.exe 10.1.1.33

  32. In Memory Fuzzer POC: How it works Step 1 Step 2 Step 3 Step 4 Step 5 Take snapshot for Wait for the Restore sandboxed Stuff fuzzing Send the IPC broker process snapshot of process data into the Message to handle the sandboxed before IPC Message IPC message process sending the IPC message 第 32 页

  33. In Memory Fuzzer POC: How it works Step 1 Step 2 Step 3 Step 4 Step 5 Take snapshot for Wait for the Restore sandboxed Stuff fuzzing Send the IPC broker process snapshot of process data into the Message to handle the sandboxed before IPC Message IPC message process sending the IPC message Repeat step 2 - 5 until fuzz data exhausted

  34. Prepare the “Smarter ” Fuzz Data Example: strings in policy rules.

  35. Pop Pop and Pop XD Which means the relative Broker API have been achieved.

  36. The Vulnerability CVE-2011-1353 • It was patched by Adobe in September 2011 as a result of our responsible disclosure action • World is small Mark Yason and Paul Sabanal of IBM X-Force have also found this vulnerability.

  37. See the Problem? • AddRule( SUBSYS_REGISTRY, REG_DENY, "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged" ); • AddRule( SUBSYS_REGISTRY, REG_ALLOW_ANY, "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0" );

  38. See the Problem? • AddRule( SUBSYS_REGISTRY, REG_DENY , "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged" ); • AddRule( SUBSYS_REGISTRY, REG_ALLOW_ANY , "HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0" );

  39. Magic String • HKEY_CURRENT_USER\Software\Adobe\Acro bat Reader\10.0 \\ Privileged\bProtectedMode

  40. CVE-2011-1353 Policy Engine CreateRegKey Sandbox Broker Request Process Process OS

  41. CVE-2011-1353 Policy Engine Good Boy? Sandbox Broker Process Process OS

  42. CVE-2011-1353 Policy Engine False Positive Sandbox Broker Process Process Good Boy OS

  43. CVE-2011-1353 Policy Engine Sandbox Broker Process Process What Can I Do for you? OS

  44. CVE-2011-1353 Policy Engine Sandbox Broker Process Process Return Duplicated Handle OS

  45. The patch and little bit more New function “CanonPathName” added to Strip off the extra backslash. while ( *Cp != '\' ); do { Cp++; }

  46. Demo

  47. Conclusions and Future Work

  48. The Road To The Horizon

  49. The Road To The Horizon APSAs Like CVE-2011-3232 in the Demo.

  50. The Road To The Horizon Heap Spray, ROP, Heap FengShui, JIT, Haifei Li’s Flash ActionScript Exploit…

  51. The Road To The Horizon CVE-2011-1353

  52. Free!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ADVANCED HEAP MANIPULATION IN WINDOWS 8 Who Am I Zhenhua(Eric) Liu Senior Security Researcher

ADVANCED HEAP MANIPULATION IN WINDOWS 8 Who Am I Zhenhua(Eric) Liu Senior Security Researcher

ADVANCED HEAP MANIPULATION IN WINDOWS 8 Who Am I Zhenhua(Eric) Liu Senior Security Researcher Fortinet, Inc. Previous: Dissecting Adobe ReaderXs Sandbox: Breeding Sandworms@BlackHat EU 2012 Agenda 0x01: Why start this research 0x02:

1.13k views • 102 slides
Los Alamos Breeding Bird Atlas Kickoff Meeting February 2, 2017 What is a Breeding Bird Atlas?

Los Alamos Breeding Bird Atlas Kickoff Meeting February 2, 2017 What is a Breeding Bird Atlas?

Los Alamos Breeding Bird Atlas Kickoff Meeting February 2, 2017 What is a Breeding Bird Atlas? A breeding bird atlas is a comprehensive avifauna survey designed to reveal the distribution of breeding birds within a given geographical area. The

585 views • 19 slides
Selecting hybrid pine clone/s for deployment the pointy end of breeding for wood quality.

Selecting hybrid pine clone/s for deployment the pointy end of breeding for wood quality.

Australasian Forest Genetics Conference BREEDING FOR WOOD QUALITY Session 1: Breeding and deployment strategies, and breeding objectives Hobart , 11 - 14 April, 2007 Selecting hybrid pine clone/s for deployment the pointy end of breeding

254 views • 22 slides
Breeding Module: Creation of animals 1. Go to Breeding-Population. 2. Click on Population

Breeding Module: Creation of animals 1. Go to Breeding-Population. 2. Click on Population

Breeding Module: Creation of animals 1. Go to Breeding-Population. 2. Click on Population Table then New Entry. Page 1 of 18 Identification, Master Data, Husbandry, Genotype, 3. Input details in

442 views • 18 slides
Cattle Breeding in Estonia Export Experience GE, KZ, UA Long traditions of Cattle breeding 2

Cattle Breeding in Estonia Export Experience GE, KZ, UA Long traditions of Cattle breeding 2

Cattle Breeding in Estonia Export Experience GE, KZ, UA Long traditions of Cattle breeding 2 It will be 110 years of the establishment of the first herd performance recording organization in Estonia in 2019. Fact that our herdbook will

429 views • 17 slides
RAISING MONARCHS successful monarch breeding facility Tips for a successful monarch breeding

RAISING MONARCHS successful monarch breeding facility Tips for a successful monarch breeding

A guide to a RAISING MONARCHS successful monarch breeding facility Tips for a successful monarch breeding operation The facility size and set-up should be adequate to allow for ease of movement, access to equipment and tools, and

495 views • 17 slides
Displacement Assessment: ASSESSMENT DURING THE NON BREEDING SEASON Francis Daunt Marine bird

Displacement Assessment: ASSESSMENT DURING THE NON BREEDING SEASON Francis Daunt Marine bird

Displacement Assessment: ASSESSMENT DURING THE NON BREEDING SEASON Francis Daunt Marine bird impact assessment guidance workshop 20 February 2020 Displacement in the breeding and non-breeding seasons Marked differences in the ecology of

562 views • 14 slides
Why I love my job: The enabling influence of breeding We are here Stan Allen ABC, VIMS Biomass

Why I love my job: The enabling influence of breeding We are here Stan Allen ABC, VIMS Biomass

Why I love my job: The enabling influence of breeding We are here Stan Allen ABC, VIMS Biomass pyramid Breeding Genetic services Multiplier population Brood stock services Hatchery production Commercial grow out Biomass pyramid Breeding

611 views • 23 slides
Breeding Goals in Balanced Breeding Programmes 15 March 2011 Anne-Marie Neeteson

Breeding Goals in Balanced Breeding Programmes 15 March 2011 Anne-Marie Neeteson

Low Input Breeds - ECO AB Symposium, 29/03/2011 Wageningen (The Netherlands) March 15-16, 2011 Breeding Goals in Balanced Breeding Programmes 15 March 2011 Anne-Marie Neeteson LowInputBreeds This Presentation EFFAB, FABRE TP, ATF

316 views • 10 slides
Phenotyping & Breeding MARS Dissemination event Madrid, 29 October 2015 Breeding for sharka

Phenotyping & Breeding MARS Dissemination event Madrid, 29 October 2015 Breeding for sharka

MARS results: Phenotyping & Breeding MARS Dissemination event Madrid, 29 October 2015 Breeding for sharka resistance Resistant Resistant or Susceptible Local cultivars Adapted Segregating Populations Genotyping Phenotyping

857 views • 17 slides
Challenges in Cannabis Breeding RC RCK - Le Lead ader er in in Can Canna nabis bis Ge

Challenges in Cannabis Breeding RC RCK - Le Lead ader er in in Can Canna nabis bis Ge

The chain begins with us May 2020 Challenges in Cannabis Breeding RC RCK - Le Lead ader er in in Can Canna nabis bis Ge Gene netics tics Breeding ing an and commercia cializ lizat atio ion n of el f elite e can annab

451 views • 9 slides
Breeding for CLCuD Resistance Albert G Santos PhD Breeding Consultant, SANIFA Agri Services,

Breeding for CLCuD Resistance Albert G Santos PhD Breeding Consultant, SANIFA Agri Services,

Breeding for CLCuD Resistance Albert G Santos PhD Breeding Consultant, SANIFA Agri Services, Lahore, Pakistan Don L Keim PhD Cotton Breeder, Plant Science Consultants, Leland, MS Fakhar Uz Zaman Khan Cotton Breeder, SANIFA Agri

512 views • 23 slides
Breeding Management System (BMS) Overview and potential uses FACULTY OF AGRICULTURE &

Breeding Management System (BMS) Overview and potential uses FACULTY OF AGRICULTURE &

Breeding Management System (BMS) Overview and potential uses FACULTY OF AGRICULTURE & ENVIRONMENT Angela Pattison Plant Breeding Institute Overview Bring breeders tools into a SINGLE PLATFORM Integrated with ISIS

475 views • 16 slides
THE FUTURE LIES IN THE QUALITY OF THE PROGENY Paul Lubout History of animal breeding in

THE FUTURE LIES IN THE QUALITY OF THE PROGENY Paul Lubout History of animal breeding in

Wildlife Industry THE FUTURE LIES IN THE QUALITY OF THE PROGENY Paul Lubout History of animal breeding in livestock CONCEPTS Pedigrees Linebreeding Pure breeding History of animal breeding in livestock CONCEPTS Single genes colour

488 views • 46 slides
The purpose of this presentation Relate to you insights about avocado breeding Comments

The purpose of this presentation Relate to you insights about avocado breeding Comments

8/26/2013 The purpose of this presentation Relate to you insights about avocado breeding Comments pertaining to Provide another perspective regarding Avocado Plant Breeding Strategy the recommendation to ramp down 20132033 DRAFT

254 views • 8 slides
Hops: from vine to brewing material History of Hop Breeding in New Zealand Introduced to NZ

Hops: from vine to brewing material History of Hop Breeding in New Zealand Introduced to NZ

Hops: from vine to brewing material History of Hop Breeding in New Zealand Introduced to NZ >150 years ago Latitude sensitive NZ Breeding programme commenced 1950s Disease resistance Seedless Unique flavours and aromas

398 views • 7 slides
Classes, Objects & References The Challenges of Complexity Complexity of Agent-Based Model

Classes, Objects & References The Challenges of Complexity Complexity of Agent-Based Model

Classes, Objects & References The Challenges of Complexity Complexity of Agent-Based Model development is a major barrier to effective delivery of value Complexity leads to models that are late, over budget, and of substandard

918 views • 36 slides
Security-by-Contract: Toward a Semantics for Digital Signatures on Mobile Code* N. Dragoni, F .

Security-by-Contract: Toward a Semantics for Digital Signatures on Mobile Code* N. Dragoni, F .

Security-by-Contract: Toward a Semantics for Digital Signatures on Mobile Code* N. Dragoni, F . Massacci, K. Naliuka and I. Siahaan Department of Information and Communication Technologies University of Trento, ITALY dragoni@dit.unitn.it

841 views • 35 slides
EDUCATIONAL INSTITUTION SAFETY Presented by: Zaharuddin bin Haji Abdul Rahman, Inspector

EDUCATIONAL INSTITUTION SAFETY Presented by: Zaharuddin bin Haji Abdul Rahman, Inspector

EDUCATIONAL INSTITUTION SAFETY Presented by: Zaharuddin bin Haji Abdul Rahman, Inspector (Non-Industry) PAST ACCIDENTS / INCIDENTS SCHOOL RELATED ACCIDENTS LOCALLY 2011 Sekolah Rendah Mabohai Reversing Car hit 2015 and killed 2

355 views • 16 slides
OpenStreetMap Mapathon Mapping pedestrian crossings with Pic4Review 1 Rally De Leon Data Team

OpenStreetMap Mapathon Mapping pedestrian crossings with Pic4Review 1 Rally De Leon Data Team

OpenStreetMap Mapathon Mapping pedestrian crossings with Pic4Review 1 Rally De Leon Data Team Member OpenStreetMap User ID: Rally Sidewalk Advocate 2 OpenStreetMap Wikipedia of maps Open & Free Anybody can edit and improve the map

435 views • 24 slides
Overview of the PEBBL and PICO Projects: Massively Parallel Branch and Bound Jonathan Eckstein

Overview of the PEBBL and PICO Projects: Massively Parallel Branch and Bound Jonathan Eckstein

Overview of the PEBBL and PICO Projects: Massively Parallel Branch and Bound Jonathan Eckstein Business School and RUTCOR Rutgers University Joint work with a large team, mostly from Sandia National Laboratories, and in particular William E.

507 views • 28 slides
Spark Overview / High-level Architecture Indexing from Spark Reading data from Solr + term

Spark Overview / High-level Architecture Indexing from Spark Reading data from Solr + term

Spark Overview / High-level Architecture Indexing from Spark Reading data from Solr + term vectors & Spark SQL Document Matching user since 2010, committer since April 2014, work for SolrCloud features and bin/solr! Release manager

569 views • 22 slides
Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974:

1 2 Introduction to symmetric crypto Some cipher history D. J. Bernstein 1973, and again in 1974: U.S. National Bureau of Standards solicits proposals How HTTPS protects connection: for a Data Encryption Standard. Public-key encryption

1.67k views • 131 slides
TRECVID-2013 Semantic Indexing task: Overview Georges Qunot Laboratoire d'Informatique de

TRECVID-2013 Semantic Indexing task: Overview Georges Qunot Laboratoire d'Informatique de

TRECVID-2013 Semantic Indexing task: Overview Georges Qunot Laboratoire d'Informatique de Grenoble George Awad Dakota Consulting, Inc Outline Task summary Evaluation details Inferred average precision Participants

735 views • 39 slides

More recommend