Jérôme SeguraMALWAREBYTES:6C5219B55CB625F7D9D16F7CD92E526CAdobe Reader zero-day discovered alongside Windows vulnerability
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%
During the first half of 2018, we have witnessed some particularly interesting zero-day exploits, including one for Flash (CVE-2018-4878) and more recently for Internet Explorer (CVE-2018-8174). The former was quickly used by exploit kits such as Magnitude, while it is only a matter of time before we see the latter being weaponized more widely.
We can now add to that list an Adobe Reader zero-day (CVE-2018-4990), which was reported by ESET and Microsoft and has already been patched. Although it has not been observed in the wild yet, it remains a dangerous threat considering it is coupled with a privilege escalation vulnerability in Microsoft Windows.
To exploit the Windows vulnerability, the attacker must write to an arbitrary address in kernel space, which will not work for Windows 8 and above, as newer security features prevent this kind of mapping. Those two combined zero-days were necessary to escape the Acrobat Reader sandbox protection, which to its credit has been improving the security of the software drastically, so much so that malicious PDFs that were once common as part of drive-by download attacks have all but vanished.
Let’s take a quick look at the malicious PDF using pdf-parser:
python pdf-parser.py --content CVE-2018-4990.pdf
We can see a suspicious obfuscated blurb that most likely contains the JavaScript code we are looking for. We can decode and dump the output to a raw file:
python pdf-parser.py -c CVE-2018-4990.pdf --object 1 --filter --raw > output.raw
The exploit code is now visible in clear text. For a good explanation on how it is used for the ROP chain and shellcode execution, please refer to the ESET article.
We tested this zero-day against Malwarebytes, which was already stopping it without the need for any additional updates. The mitigation happens at the very beginning of the exploitation chain (stack pivoting):
We recommend users patch their systems to prevent this threat, which will most likely be weaponized in the wild soon. A very plausible attack scenario would be a PDF attachment in a malspam campaign.
The Adobe security bulletin (CVE-2018-4990) can be found here, while Microsoft’s (CVE-2018-8120) is here.
The post Adobe Reader zero-day discovered alongside Windows vulnerability appeared first on Malwarebytes Labs.
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%