What would a PDF file have to do with a kernel vulnerability?

Discussion in 'other security issues & news' started by Hungry Man, Dec 11, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks for posting this :).

    Hopefully this will convince the previously unconvinced that "local elevation of privilege"-related Microsoft updates should be applied.
     
  3. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Above my head guys, can someone simplify a little please?

    Quite some time ago I ditched Acrobat Reader in favour of FoxitReader because Id seen complaints about it phoning home.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The short story is that Adobe has a fairly tight sandbox, for Windows. An attacker broke out of it (in the wild, as in users were actually exploited using this technique) by using a carefully crafted PDF file to get execution in Reader, and then, from the unprivileged/ sandboxed component, they attacked the windows kernel.

    This provided a full sandbox escape, giving them access to the entire system.
     
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Thanks Hungry Man.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the link!

    Microsoft had issued an alert a couple of weeks ago -- evidently it doesn't affect Operating Systems newer than WinXP:

    Microsoft Releases Security Advisory 2914486
    [Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege]
    27 Nov 2013 2:30 PM
    http://blogs.technet.com/b/msrc/archive/2013/11/27/microsoft-releases-security-advisory-2914486.aspx
    But your link is the first description of how the PDF file does its work.

    I was a bit disappointed in that the exploit's goal didn't do anything more esoteric than write an executable file to disk!

    From blog.spiderlabs.com:

    Of course, getting a trojan/virus onto the computer is the goal of most malware writers, but the possibilities to do other things certainly exist.


    ----
    rich
     
    Last edited: Dec 12, 2013
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Just another boring social engineering-triggered exploit.
     
  8. topo

    topo Registered Member

    Joined:
    Nov 11, 2013
    Posts:
    66
    on my xp machines with adobe reader 11.0.5 i have always unchecked javascript and in trust manager unchecked allow third party etc. open reader,edit,preferences, and scroll down. i only use reader to view pdf files. this was reccomended 5 yrs ago when reader was being attacked every other day. thanks
     
    Last edited: Dec 13, 2013
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    @Wat,

    A bit more interesting than that. The kernel attack is the interesting part, not the adobe exploitation.

    @Rmus,
    Yes, a bit of a shame. An attacker can do so much more at Ring 0, but they chose not to.

    Attackers are just like defenders - they're always a few years behind the researchers. They'll catch up.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    True enough but the basis of the attack is still contingent upon someone deliberately launching the malicious pdf. I'm more impressed with automated attacks via malicious script or similar.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Virtually no attack is 100% automated. In very advanced attacks, they can be. At almost all times a user is at the very least required to click a link to a webpage, or visit some page.

    Social engineering is easy. How many times have I convinced you to click a link to my horribly insecure website? That's a fraction of the number of times you could be hacked.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Which is why I stated automated and not automatic ;)

    I go there by choice, and then I can see there's no suspicious js lurking there either :) Honestly, I feel no concern wherever I surf, I'm that confident in my setup, bolstered always by a fail safe backup plan in place.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Well, I don't mean to say that your security setup would be easily subverted - it's fine. I just mean that you click a million different things every day, and you take in a ton of untrusted content every day. Social engineering someone is not hard because they all do that.
     
  14. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Social engineering is easy. Just look at Wilders. I reckon every external link posted the forum is happily clicked by its members without a second thought.
     
  15. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Haha speak for yourself :D

    I only click on the link if it's visible like the first one or else I usually don't bother with the hyperlinks.

    https://www.wilderssecurity.com/

    Wilders Security Forums
     
  16. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Well I don't either. :)
    Look at it from a different angle but similar problem - isn't it common for many of us at Wilders to test every new security software out there, even those from relatively unknown/new sources?
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Yep, that's what I do. No need to think about it.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, that can be easily spoofed, which you won't catch unless hovering the mouse over the hyperlink displays the address, or you look at the page source code. The hyperllink below takes you to time.com news site:

    https://www.wilderssecurity.com/


    ----
    rich
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Not to mention I can say "New security product being hosted at www.actuallyevil.com" and no one will know without clicking.

    The point is that social engineering is easy, and most people will fall for it.

    I wouldn't discount an attack just because it requires a minimal amount.

    Regardless, the interesting part of this is that sandboxes are much less useful (as are all host based security tools) when the kernel is weak.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049

    Oh you sneaky rascal. It is a wake up call to even check links here.
     
  21. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yeah that's true, if I am not familiar with the poster like a very new forum member that I know nothing about then I am more cautious.

    I copied your link to the search area of my browser and the true destination was shown.

    But then it doesn't make sense why a trusted member like you would post a spoofed link like your example normally, so if you would post a normal link in a thread tomorrow I would probably click on it without checking where to it goes first. :)

    To tell the truth, I don't think that I have ever checked a normal looking link like your example posted on Wilders before clicking on it, so spoofed links on Wilders is rare, I have always landed on the right destination :D
     
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    I always compare to what is displayed in the status bar. If it is not a match, or is blank, then I don't bother to click. I don't trust this site more than any other. :ninja:
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    No need for that, just hover your cursor over the link and look at where the status bar would be.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Script control. That's all you need.
     
  25. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yes I could but I have my status bar disabled :D Enabled it would be at the bottom of the window.
     
Loading...
Thread Status:
Not open for further replies.