Saturday, September 28, 2024

EXPMON detected publicly-available Adobe Reader zero-day PoC

As announced on our Twitter/X account a couple of months ago, during a mission to analyze a large public PDF sample set, EXPMON Public detected a PDF sample that triggered suspicious application crash activities in its sandbox environment.

Shortly after the finding, I conducted a quick manual analysis, which revealed that the crash was not just a typical crash in Adobe Reader but was caused by an exploitable use-after-free vulnerability in the software. Upon realizing this, I hid/removed the submission from the EXPMON Public website and reported the issue to Adobe immediately to give the vendor a chance to review it.

Since Adobe has now patched the vulnerability, I just resubmitted the sample here.

As we could see, several indicators (highlighted in red) were reported during this analysis (for an explanation of what an indicator means in the EXPMON system, please refer to our Web UI & APIs documentation).

  1. "crash event found"
  2. "crash found"
  3. "crash process detected"
  4. "user supplied js may be contained in pdf"

The "crash event found", "crash found", and "crash process detected" are all Indicators that signify an application crash occurred during the test. The "user-supplied JS may be contained in PDF" Indicator suggests that the tested PDF sample may contain user-supplied JavaScript.

(Side note: the "user supplied js may be contained in pdf" Indicator is part of a "detection in depth" feature we developed in our EXPMON engine for PDF analysis. This Indicator is particularly useful for advanced PDF exploit hunting, as the vast majority of PDF exploits contain JavaScript.)

The crash-related Indicators clearly describe what happened during the test through their names. At EXPMON, we believe that an application crash is a strong indicator of potential exploitation. That's why we reported this sample as a "potential zero-day attack".

If readers want to learn more about why an application crash is a strong indicator of potential exploitation, there's an insightful story shared by Microsoft's Corporate VP, John Lambert. He explains how Microsoft used crash analysis to detect exploits in the wild, which led to the successful discovery of the infamous MS08-067 zero-day attack. Although this story is from decades ago, the methodology remains effective today.


The background of the sample
The sample was detected by EXPMON Public while on a mission (the mission is still ongoing) to analyze a large public PDF sample set called "corpora-pdf", offered by Digital Corpora. Although the sample is included in the "corpora-pdf-x018.zip" dump, it's later found that the sample was actually originally released in 2020, as part of a Black Hat USA 2020 presentation, titled "Portable Document Flaws 101".

The particular sample was released here.


The use-after-free crash
If we open the PDF sample directly with an unpatched, pageheap-enabled version of Adobe Reader, a dialog will pop up saying something like, "There was an error opening this document. Invalid action object", there is only one option: clicking "OK" on this dialog. After we click the "OK", we will experience the following crash.

(2a50.2a40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Acrobat!DllCanUnloadNow+0x1fe1b9:
00000000`5f60a939 66448933        mov     word ptr [rbx],r14w ds:0000026b`b21e8d18=????
1:017> r
rax=0000000000000001 rbx=0000026bb21e8d18 rcx=733916ad40d90000
rdx=0000026b3ecc0000 rsi=0000000000000001 rdi=0000026bb21e8ac0
rip=000000005f60a939 rsp=000000bae06fc520 rbp=0000000000000000
 r8=0000026bcd0aafe0  r9=0000000000000001 r10=00000000ffffffef
r11=000000bae06fc200 r12=0000026b5f534e30 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
Acrobat!DllCanUnloadNow+0x1fe1b9:
00000000`5f60a939 66448933        mov     word ptr [rbx],r14w ds:0000026b`b21e8d18=????
1:017> !heap -p -a rbx
    address 0000026bb21e8d18 found in
    _DPH_HEAP_ROOT @ 26b3ecc1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                26bb2e51a90:      26bb21e8000             2000
    00007ffbeb095335 ntdll!RtlDebugFreeHeap+0x0000000000000045
    00007ffbeb04cd18 ntdll!RtlpFreeHeap+0x0000000000083728
    00007ffbeafcc324 ntdll!RtlpFreeHeapInternal+0x00000000000007c4
    00007ffbeafcaff1 ntdll!RtlFreeHeap+0x0000000000000051
    00007ffbe82d364b ucrtbase!_free_base+0x000000000000001b
    000000005fa057c6 Acrobat!DllCanUnloadNow+0x00000000005f9046
    000000005f992dee Acrobat!DllCanUnloadNow+0x000000000058666e
    000000005f9926bb Acrobat!DllCanUnloadNow+0x0000000000585f3b
    000000005f4ffec9 Acrobat!DllCanUnloadNow+0x00000000000f3749
    000000005f4ccc61 Acrobat!DllCanUnloadNow+0x00000000000c04e1
    000000005f4cbb41 Acrobat!DllCanUnloadNow+0x00000000000bf3c1
    000000005f4cb1a8 Acrobat!DllCanUnloadNow+0x00000000000bea28
    000000005e1a87e0 Annots!PlugInMain+0x0000000000039c30
    000000005e1a869e Annots!PlugInMain+0x0000000000039aee
    000000005e1a7e74 Annots!PlugInMain+0x00000000000392c4
    000000005e1a5eeb Annots!PlugInMain+0x000000000003733b
    000000005f4bf949 Acrobat!DllCanUnloadNow+0x00000000000b31c9
    0000000060357d9b Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000008568b
    0000000060325e94 Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x0000000000053784
    0000000060618eaa Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000034679a
    0000000060501074 Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000022e964
    0000000060311650 Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000003ef40
    0000000060307918 Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x0000000000035208
    000000005ff7e502 Acrobat!CTJPEGReader::CTJPEGReader+0x00000000003c3ac2
    000000005ff7e9e9 Acrobat!CTJPEGReader::CTJPEGReader+0x00000000003c3fa9
    00000000603111de Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000003eace
    000000005f6402f7 Acrobat!DllCanUnloadNow+0x0000000000233b77
    000000005f60a938 Acrobat!DllCanUnloadNow+0x00000000001fe1b8
    000000005f4ffdb6 Acrobat!DllCanUnloadNow+0x00000000000f3636
    000000005f4ccc61 Acrobat!DllCanUnloadNow+0x00000000000c04e1
    000000005f4cbb41 Acrobat!DllCanUnloadNow+0x00000000000bf3c1
    000000005f4cb1a8 Acrobat!DllCanUnloadNow+0x00000000000bea28

As the quick debugging outputs indicated, this is a classic use-after-free crash and it's clearly exploitable.


In summary..
  1. This is a use-after-free vulnerability that could potentially lead to arbitrary code execution.
  2. Please note that, although the vulnerability is theoretically exploitable, the detected sample is merely a PoC (Proof of Concept). It is not a working exploit and does not contain any malicious payload.
  3. The PoC was mistakenly released to the public, but its intentions are benign; it is part of a Black Hat USA 2020 presentation.
One interesting point is that this sample was, in fact, released in 2020 as part of a Black Hat presentation. The sample was mistakenly published as a non-exploitable DoS crash (mistakes happen, please note that we're not criticizing the invaluable work done by the presenters). Surprisingly, this sample went unnoticed by the (whitehat) security community for a total of four years until it was sent to EXPMON Public. Of course, we can't rule out the possibility that malicious actors may have already noticed this 'free' zero-day PoC and weaponized it.

The sample was also on VirusTotal but had zero detections at the time of discovering the sample. It is reasonable that VT's malware-detection sandboxes missed it, as they do not analyze samples from  the vulnerability/exploit perspective, unlike EXPMON. This showed that security is a collaborative effort.


Defense and Mitigation
While this is not a working exploit, the nature of this vulnerability suggests that it could be easy for malicious actors to weaponize/exploit. As warned via EXPMON's Twitter/X account, we recommend that users apply the official Adobe Reader updates immediately if they haven't already done so.

I reported the finding to Adobe on June 22. Adobe first attempted to patch the bug on August 13 (tracked as CVE-2024-39383 in APSB24-57). However, I later found that the bug was not properly fixed so I reported to them and delayed this publication. Adobe has released another patch on September 10, tracked as CVE-2024-41869 in APSB24-70. Users should apply the latest patch/update described in APSB24-70.


Conclusion
The oversight of this public PoC sample highlights the need for innovative exploit-perspective detection solutions. There is a clear gap in the industry and community, demonstrating the necessity of examining things from a vulnerability/exploit perspective. EXPMON is on a mission to help fill this gap.

If you're interested in advanced exploit detection collaborations, or just want to know more about EXPMON, feel free to ping at @EXPMON_ (Twitter/X), or drop a line at contact@expmon.com.