Adobe Reader X Exploited Despite Sandbox

Discussion in 'sandboxing & virtualization' started by asr, Jun 27, 2012.

Thread Status:
Not open for further replies.
  1. asr

    asr Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    91
    The following thread was originally posted on Security Forum DSL. My concern: could this exploit compromise Sandboxie? o_O Would appreciate insight from the members and the developer of Sandboxie. Here is the thread verbatim. Thanks in advance :)

    _________________________________________________________________

    Adobe Reader X runs in a sandbox at a very restricted privilege level. Important system calls are supposed to be handled by a special broker process that will subject them to extensive testing. However, a small design flaw allows attackers to escape from this sandbox and execute arbitrary code – despite having both ASLR (Address Space Layout Randomisation) and DEP (Data Execution Prevention).

    As described by Guillaume Delugré, the broker process is at the heart of the exploit as it uses a memory page allocated via VirtualAllocEx to store the overwritten code of system calls which have been redirected to the broker. Despite having ASLR, however, the memory address returned by VirtualAllocEx is not randomised. This means that the Windows system function call will end up in a predictable, "nearly constant" location which the exploit can then access directly.

    In a blog post, Delugré goes on to give further detail, providing an interesting and informative account of the rest of the exploit's path up to the execution of the code, which is injected via a specially crafted PDF file. The author also provides some proof-of-concept code and various scripts that helped him assemble the exploit.

    Source: Bypassing ASLR and DEP on Adobe Reader X, blog post by Guillaume Delugré from Sogeti ESEC Lab.
     
  2. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,029
    Location:
    Lloegyr
    For a brief while I actually considered going back to Adobe's Reader as I had heard about the sandbox & that it had improved somewhat overall as a reader. I think I'll stick with PDF XC.
     
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,291
    Location:
    England
  4. CyberMan969

    CyberMan969 Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    589
    I use Foxit PDF Reader. You can install it on an external disk or USB stick and it can then be used on the go as a portable app, without having to be installed on the host computer.
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Folks, no offense, but just because a sandbox was breached doesn't suddenly make it less secure than readers with no sandbox whatsoever. You're still safer using a PDF reader with a sandbox, unless you're trying to take advantage of the low popularity of other readers.
     
  6. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    As pointed out by stapp, this addition puts the exploit into context:

    Update: A previous version of this item contained the term "sandbox escape" which we have now removed after the author informed us that this might lead to confusion because the exploit code is still subject to sandbox limitations like reduced privileges.

    Had the exploit code somehow managed to breach the limitations imposed by the sandbox, this would've been an altogether more serious issue. That's not to completely ignore the implications, as this could allow, for example, a social engineering attack to take place.
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Good to know :thumb:
     