A tale of two zero-days

Posted on May 15, 2018

Late in March 2018, ESET researchers identified an interesting malicious PDF sample. A closer look revealed that the sample exploits two previously unknown vulnerabilities: a remote code execution vulnerability in Adobe Reader and a privilege escalation vulnerability in Microsoft Windows. Combining the two is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, with only minimal user interaction.

APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year. The malicious PDF sample embeds JavaScript code that controls the whole exploitation process. Once the PDF file is opened, the JavaScript code is executed.

At the beginning of exploitation, the JavaScript code starts to manipulate the Button1 object. This object contains a specially crafted JPEG2000 image, which triggers a double-free vulnerability in Adobe Reader. The JavaScript uses heap-spray techniques in order to corrupt internal data structures.

After all these manipulations the attackers achieve their main goal: read and write memory access from their JavaScript code. Using these two primitives, the attacker locates the memory address of the EScript.api plugin, which is the Adobe JavaScript engine. Using assembly instructions (ROP gadgets) from that module, the malicious JavaScript sets up a ROP chain that would lead to the execution of native shellcode.

As the final step, the shellcode initializes a PE file embedded in the PDF and passes execution to it.
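As an added example (not from the ESET write-up and not their tooling), a small Python triage script that flags the traits this sample combined in one file: embedded JavaScript, an automatic action, a JPEG2000 (JPXDecode) image stream and an embedded PE image. The function names and the constructed sample PDF are assumptions of the example.

```python
import re
import zlib

# Added triage helper (hypothetical, not ESET's tooling): flags the traits the sample
# combined: embedded JS, an auto-run action, a JPXDecode image and a PE image (raw or hex).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
HEX_RUN_RE = re.compile(rb"(?:[0-9a-fA-F]{2}){128,}")   # 256+ hex digits in a row

def inflate_streams(data: bytes) -> bytes:
    """Raw file plus every stream zlib can inflate, so FlateDecode objects become visible."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue                  # not Flate-compressed (e.g. the JPX image data)
    return b"\n".join(parts)

def is_pe_image(buf: bytes, offset: int = 0) -> bool:
    """True if buf[offset:] is a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if buf[offset:offset + 2] != b"MZ" or len(buf) < offset + 0x40:
        return False
    e_lfanew = int.from_bytes(buf[offset + 0x3C:offset + 0x40], "little")
    return buf[offset + e_lfanew:offset + e_lfanew + 4] == b"PE\0\0"

def count_pe_images(buf: bytes) -> int:
    """Count PE headers found raw and inside long hex strings (how JS usually carries them)."""
    raw = [m.start() for m in re.finditer(rb"MZ", buf) if is_pe_image(buf, m.start())]
    decoded = [bytes.fromhex(m.group(0).decode()) for m in HEX_RUN_RE.finditer(buf)]
    return len(raw) + sum(count_pe_images(d) for d in decoded)

def triage_pdf(data: bytes) -> dict:
    """Indicators for one file; a sample like the one described sets all four."""
    view = inflate_streams(data)
    return {"javascript": b"/JS" in view or b"/JavaScript" in view,
            "auto_action": b"/OpenAction" in view or b"/AA" in view,
            "jpx_image": b"/JPXDecode" in view, "pe_images": count_pe_images(view)}

def build_sample() -> bytes:
    """Constructed, harmless PDF (not the ESET sample): a JS string holding a stub PE as hex."""
    fake_pe = bytearray(b"MZ" + b"\0" * 0x3E)
    fake_pe[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> offset 0x40
    fake_pe += b"PE\0\0" + b"\0" * 200                      # stub NT signature + padding
    js = zlib.compress(b"var payload='" + fake_pe.hex().encode() + b"';")
    return (b"%PDF-1.7\n1 0 obj<</OpenAction 2 0 R>>endobj\n"
            b"2 0 obj<</S/JavaScript/JS 3 0 R>>endobj\n"
            b"3 0 obj<</Filter/FlateDecode/Length " + str(len(js)).encode() + b">>stream\n"
            + js + b"\nendstream endobj\n"
            b"4 0 obj<</Subtype/Image/Filter/JPXDecode/Length 4>>stream\n\0\0\0\x0c\n"
            b"endstream endobj\n%%EOF\n")
```

The hits are heuristics for analyst review, not proof of exploitation; object streams and filters other than FlateDecode need a real PDF parser to be seen.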

Source: welivesecurity.com