CVE-2015-5090 exploit - vulnerability warning - the black bar safety net

ID MYHACK58:62201564931
Type myhack58
Reporter Anonymous
Modified 2015-07-22T00:00:00


0x01 Introduction

In July 2015 Adobe patched several vulnerabilities, among which CVE-2015-5090 stands out and deserves a closer look. Adobe, however, only ranked these vulnerabilities by threat level and gave no details. In fact, an attacker can use this bug to execute code with SYSTEM privileges and so completely take over the target machine. The vulnerability affects the Adobe Update service, so it is present in both Adobe Reader and Acrobat Pro. Both programs install the ARMSvc update service, and AdobeARM.exe/AdobeARMHelper.exe are stored in the c:\progra~1\common~1\Adobe\ARM\1.0 directory. The exploitation method described here targets acrobat.exe, but with slight modifications it also works against Reader. The video below demonstrates the exploitation process.

0x02 Bug information

ARMSvc.exe supports several user-defined controls, which IDA shows in the HandlerProc function:

[Figure 1: Handler function]

The code inside UserControls:

[Figure 2: controls]

For this exploit, we are mainly interested in two controls:

170 - creates a shared memory segment.
179 - executes ELEVATE, which in turn uses the parameters in shared memory to run AdobeARMHelper.exe.

The problem with user control 170 is that it creates the shared memory segment with weak permissions. Any user can read and write the segment, which means an attacker can control the parameters passed to AdobeARMHelper.exe.

Looking at AdobeARMHelper.exe, we found a routine, sub_42A260, that finds the first file in a given directory. It then checks whether the file carries an Adobe signature and, if so, copies it into the directory where AdobeARM.exe is located.

[Figure 3: signature verification]

If the signature check fails, the routine exits:
[Figure 4: signature verification failed]

If the file passes signature verification, the routine copies it:

[Figure 5: signature verification is successful]

This function does not take the following points into account:

- The path of the directory involved in the copy is not checked, so an attacker can supply their own path, i.e. have the file copied to an attacker-specified path.
- It takes the first file it finds without checking the file name.
- It does not check the file extension of the first file it finds.

The function DOES carry out the following check:

- It looks in the specified folder for the first file with an Adobe signature.

Exploitation method:

What we are able to do:

- Control the parameters passed to AdobeARMHelper/AdobeARM through the shared memory (SM).
- Run AdobeARM.exe with SYSTEM privileges when needed.
- Overwrite AdobeARM.exe with any Adobe-signed file.

What we need to do:

- Get code that has no Adobe signature to execute.

Strategy:

To take advantage of this bug, we can overwrite AdobeARM.exe with Adobe-signed code and use that code to do something interesting. For example, arh.exe is the Adobe AIR installation package. In theory, we can overwrite AdobeARM.exe with arh.exe; this is fully allowed, because arh.exe also has an Adobe signature. After that, we can install any AIR application through arh.exe. The only problem with this strategy is that arh.exe does not allow parameters to be passed, so we cannot pass parameters to it directly through the SM. The best strategy is to overwrite AdobeARM.exe with a signed binary that can accept additional parameters.

Exploitation method:

If we examine Acrobat Pro carefully, we notice that it contains a binary named AcrobatLauncher.exe, which allows Acrobat.exe to be started with a specified PDF file. AcrobatLauncher.exe is a good choice because it simply ignores extra parameters: it neither complains nor exits. The command line is AcrobatLauncher.exe -open PDF_FILE.

0x03 Attack chain

1. Trigger the SM.
2. Write the parameters to the SM.
3. Trigger the ELEVATE user control to copy AcrobatLauncher.exe (as AdobeARM.exe) to c:\progra~1\common~1\Adobe\ARM\1.0\AdobeARM.exe. This essentially overwrites the update program.
4. Run the new AdobeARM.exe, which starts Acrobat.exe with our PDF exploit. This step is performed automatically by the ELEVATE control.
5. The PDF exploit drops secur32.dll into the c:\progra~1\common~1\Adobe\ARM\1.0 directory. This is done through a JavaScript bypass technique.
6. Clear the temporary folder, so that when ELEVATE is called again, AdobeARMHelper.exe copies nothing from the temporary folder.
7. Rewrite the SM so that it runs our new AdobeARM.exe without making any modifications.
8. Trigger ELEVATE again, so that AdobeARM.exe is run with only the "-open" option, loads secur32.dll, and pops the calculator as SYSTEM.

As can be seen, CVE-2015-5090 gives an attacker a very reliable way to run code with SYSTEM privileges. So, if you are using Adobe Reader or Acrobat Pro, be sure to apply the patch for this vulnerability.
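The three missing checks listed in section 0x02, as an added example that is not code from Adobe or from the original article: a Python model of the file-selection step, with the flawed behaviour beside a hardened one. The expected file name, the fixed staging folder and the `signed` set standing in for a real signature check are assumptions, as is reading the unchecked path as the folder the file is taken from.

```python
import os
import tempfile

EXPECTED_NAME = "adobearm.exe"  # assumed: the only file the updater should accept

def is_vendor_signed(path, signed):
    # Stand-in for a real Authenticode check; `signed` is a constructed set
    # of paths that this sketch treats as carrying a valid vendor signature.
    return os.path.realpath(path) in signed

def pick_flawed(src_dir, signed):
    """Behaviour described above: first file in the folder, signature only."""
    for name in sorted(os.listdir(src_dir)):
        path = os.path.join(src_dir, name)
        if os.path.isfile(path):
            return path if is_vendor_signed(path, signed) else None
    return None

def pick_hardened(src_dir, signed, trusted_dir):
    """Checks directory, file name and extension before the signature."""
    if os.path.realpath(src_dir) != os.path.realpath(trusted_dir):
        return None  # caller-supplied folder is not the fixed staging folder
    for name in os.listdir(src_dir):
        path = os.path.join(src_dir, name)
        if name.lower() != EXPECTED_NAME:
            continue  # wrong name or extension: never a candidate
        if os.path.islink(path) or not os.path.isfile(path):
            continue  # refuse links and non-regular files
        return path if is_vendor_signed(path, signed) else None
    return None

def demo():
    root = tempfile.mkdtemp()
    trusted, other = os.path.join(root, "staging"), os.path.join(root, "other")
    signed = set()  # constructed: every sample file below counts as signed
    for folder, names in ((trusted, ["AdobeARM.exe", "AcrobatLauncher.exe"]),
                          (other, ["AcrobatLauncher.exe"])):
        os.makedirs(folder)
        for n in names:
            p = os.path.join(folder, n)
            open(p, "wb").close()
            signed.add(os.path.realpath(p))
    base = os.path.basename
    return {
        "flawed_other": base(pick_flawed(other, signed)),
        "flawed_trusted": base(pick_flawed(trusted, signed)),
        "hardened_other": pick_hardened(other, signed, trusted),
        "hardened_trusted": base(pick_hardened(trusted, signed, trusted)),
    }
```

These checks are defence in depth; the weakly protected shared memory segment that lets any user set the parameters still needs restrictive permissions.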
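A detection sketch for the observable steps of the chain in section 0x03, added here and not part of the original article: it flags a DLL written into the updater directory, the updater started with `-open`, and Acrobat spawned by the updater. The event field names, the sample events and the Acrobat install path are constructed, and it assumes the genuine updater is never started with `-open`.

```python
ARM_DIR = "\\adobe\\arm\\1.0\\"      # tail of the updater directory named above
UPDATER = ARM_DIR + "adobearm.exe"

def norm(path):
    """Lower-case a Windows path and unify separators for matching."""
    return path.replace("/", "\\").lower()

def detect(events):
    """Return (rule, event index) pairs for observable steps of the chain."""
    hits = []
    for i, ev in enumerate(events):
        image = norm(ev.get("image", ""))
        if ev["type"] == "file_create":
            target = norm(ev["target"])
            # A DLL placed beside the updater can be loaded by it at start-up.
            if ARM_DIR in target and target.endswith(".dll"):
                hits.append(("dll_written_to_updater_dir", i))
        elif ev["type"] == "process_create":
            args = ev.get("cmdline", "").lower().split()
            # "-open" is AcrobatLauncher.exe syntax; assumed unused by the updater.
            if image.endswith(UPDATER) and "-open" in args:
                hits.append(("updater_started_with_open", i))
            parent = norm(ev.get("parent", ""))
            if parent.endswith(UPDATER) and image.endswith("\\acrobat.exe"):
                hits.append(("acrobat_child_of_updater", i))
    return hits

ARM = r"c:\progra~1\common~1\Adobe\ARM\1.0"
# Constructed events; field names and the Acrobat path are hypothetical.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": ARM + r"\AdobeARM.exe",
     "cmdline": "AdobeARM.exe"},
    {"type": "process_create", "image": ARM + r"\AdobeARM.exe",
     "cmdline": r"AdobeARM.exe -open c:\users\public\sample.pdf"},
    {"type": "process_create", "image": r"c:\apps\Acrobat\Acrobat.exe",
     "parent": ARM + r"\AdobeARM.exe", "cmdline": "Acrobat.exe sample.pdf"},
    {"type": "file_create", "image": r"c:\apps\Acrobat\Acrobat.exe",
     "target": ARM + r"\secur32.dll"},
    {"type": "file_create", "image": r"c:\apps\setup.exe",
     "target": r"c:\windows\temp\update.dll"},
]

def run_sample():
    return detect(SAMPLE_EVENTS)
```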