Shulou(Shulou.com)05/31 Report--

This article is to share with you about how to use type confusion to execute code in Adobe Reader. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article.

Preface

The underlying cause of this vulnerability is type confusion. By constructing a XML packet (XDP) template and performing specific JavaScript operations on the XML Forms Architecture (XFA) object, an attacker can force Reader out of the scope of the template object to reference data. If successful, code execution is performed in the sand table renderer.

Loophole analysis

The XDP template code required to trigger this vulnerability is fairly simple:

The vulnerability is triggered by two JavaScript instructions. By attaching one subform to another, we can trigger an OOB read of the underlying template object. In this case, a vulnerability occurs when a subform referenced by xfa is attached. Then call. Presence = "inactive";.

When PageHeap is enabled, a crash occurs on the CMP instruction when reading the OOB of the template object. Although the object appears to be only the 0x140 byte size, we dereferenced the data outside the buffer boundary at the offset 0x1d0:

Based on the crash condition, we know that the only object type is 0x7c00. By observing the symbolic version of acroform.api. In Solaris 9.4.1, we can see that this particular type of id belongs to the XFATemplateModelImpl object, which is just the "template" object of the underlying XDP: back to the non-symbolic version of Windows acroform.api, we can confirm that the size of the template object is 0x140 bytes, which is the size of the OOB object referenced above. We can find it in a few simple steps: Acroform.api can find the static variable 0x7c00 in XFATemplateModelImpl::Type method.

Xref provides XFATemplateModelImpl vtable:

-Xref to vtable start provides constructors. -Xref to the constructor and scroll up a few lines to display the size of the object, that is, 0x140 bytes:

Since we caused the OOB reading of the template object, we can speculate that the code expects a different, larger object rather than the template object, which also indicates that this is a type obfuscation error. Most likely, type confusion occurs between the xfa template and the xfa form object. The xfa template size is 0x140 bytes, that is, the size of the xfa form object is 0x270 bytes.

# # Exploit We cannot execute JavaScript code before the template object is instantiated, knowing that controlling crashes is not a trivial matter. To achieve this, you need to resort to controlled allocation and release during the PDF parsing process or any other controlled data processing prior to XDP parsing. Another way to control a crash is to construct a PDF that contains an additional PDF, which triggers a vulnerability. The Heap feng shui will occur in the "external" PDF, triggering the vuln in the "internal" (attachment) PDF. Then, opening the attached PDF in the same way that it executes JavaScript code requires higher permissions, so it may not work for most users. By executing "poc.pdg", you can observe that this crash can be controlled. Even without PageHeap. A crash eventually occurs because you want to read parts of the Unicode string and use it as a pointer. Here is a crash output without PageHeap:

If you want to test it yourself, PoC is here. It will work on the adobereader version until November 20040, 2018.011. If you look at the suggestions we released this year, you will find a lot of pdf-related cases. Adobereader is probably the most popular, but there is also a lot of bug in Foxit Reader. By adding the built-in PDF renderer to the operating system, you can understand why so many researchers have studied this attack surface.

The above is how to use type confusion to execute code in Adobe Reader. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.