Saturday, September 28, 2024

EXPMON detected publicly-available Adobe Reader zero-day PoC

As announced on our Twitter/X account a couple of months ago, during a mission to analyze a large public PDF sample set, EXPMON Public detected a PDF sample that triggered suspicious application crash activities in its sandbox environment.

Shortly after the finding, I conducted a quick manual analysis, which revealed that the crash was not just a typical crash in Adobe Reader but was caused by an exploitable use-after-free vulnerability in the software. Upon realizing this, I hid/removed the submission from the EXPMON Public website and reported the issue to Adobe immediately to give the vendor a chance to review it.

Since Adobe has now patched the vulnerability, I just resubmitted the sample here.

As you can see, several Indicators (highlighted in red) were reported during this analysis (for an explanation of what an Indicator means in the EXPMON system, please refer to our Web UI & APIs documentation).

  1. "crash event found"
  2. "crash found"
  3. "crash process detected"
  4. "user supplied js may be contained in pdf"

The "crash event found", "crash found", and "crash process detected" Indicators all signify that an application crash occurred during the test. The "user supplied js may be contained in pdf" Indicator suggests that the tested PDF sample may contain user-supplied JavaScript.

(Side note: the "user supplied js may be contained in pdf" Indicator is part of a "detection in depth" feature we developed in our EXPMON engine for PDF analysis. This Indicator is particularly useful for advanced PDF exploit hunting, as the vast majority of PDF exploits contain JavaScript.)

The crash-related Indicators clearly describe what happened during the test through their names. At EXPMON, we believe that an application crash is a strong indicator of potential exploitation. That's why we reported this sample as a "potential zero-day attack".

If readers want to learn more about why an application crash is a strong indicator of potential exploitation, there's an insightful story shared by Microsoft's Corporate VP, John Lambert. He explains how Microsoft used crash analysis to detect exploits in the wild, which led to the successful discovery of the infamous MS08-067 zero-day attack. Although this story is from more than a decade ago, the methodology remains effective today.


The background of the sample
The sample was detected by EXPMON Public while on a mission (the mission is still ongoing) to analyze a large public PDF sample set called "corpora-pdf", offered by Digital Corpora. Although the sample is included in the "corpora-pdf-x018.zip" dump, it was later found that the sample was actually originally released in 2020, as part of a Black Hat USA 2020 presentation titled "Portable Document Flaws 101".

The particular sample was released here.


The use-after-free crash
If we open the PDF sample directly in an unpatched Adobe Reader with page heap enabled, a dialog pops up saying something like "There was an error opening this document. Invalid action object". The dialog offers only one option, "OK"; after we click it, we experience the following crash.

(2a50.2a40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Acrobat!DllCanUnloadNow+0x1fe1b9:
00000000`5f60a939 66448933        mov     word ptr [rbx],r14w ds:0000026b`b21e8d18=????
1:017> r
rax=0000000000000001 rbx=0000026bb21e8d18 rcx=733916ad40d90000
rdx=0000026b3ecc0000 rsi=0000000000000001 rdi=0000026bb21e8ac0
rip=000000005f60a939 rsp=000000bae06fc520 rbp=0000000000000000
 r8=0000026bcd0aafe0  r9=0000000000000001 r10=00000000ffffffef
r11=000000bae06fc200 r12=0000026b5f534e30 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
Acrobat!DllCanUnloadNow+0x1fe1b9:
00000000`5f60a939 66448933        mov     word ptr [rbx],r14w ds:0000026b`b21e8d18=????
1:017> !heap -p -a rbx
    address 0000026bb21e8d18 found in
    _DPH_HEAP_ROOT @ 26b3ecc1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                26bb2e51a90:      26bb21e8000             2000
    00007ffbeb095335 ntdll!RtlDebugFreeHeap+0x0000000000000045
    00007ffbeb04cd18 ntdll!RtlpFreeHeap+0x0000000000083728
    00007ffbeafcc324 ntdll!RtlpFreeHeapInternal+0x00000000000007c4
    00007ffbeafcaff1 ntdll!RtlFreeHeap+0x0000000000000051
    00007ffbe82d364b ucrtbase!_free_base+0x000000000000001b
    000000005fa057c6 Acrobat!DllCanUnloadNow+0x00000000005f9046
    000000005f992dee Acrobat!DllCanUnloadNow+0x000000000058666e
    000000005f9926bb Acrobat!DllCanUnloadNow+0x0000000000585f3b
    000000005f4ffec9 Acrobat!DllCanUnloadNow+0x00000000000f3749
    000000005f4ccc61 Acrobat!DllCanUnloadNow+0x00000000000c04e1
    000000005f4cbb41 Acrobat!DllCanUnloadNow+0x00000000000bf3c1
    000000005f4cb1a8 Acrobat!DllCanUnloadNow+0x00000000000bea28
    000000005e1a87e0 Annots!PlugInMain+0x0000000000039c30
    000000005e1a869e Annots!PlugInMain+0x0000000000039aee
    000000005e1a7e74 Annots!PlugInMain+0x00000000000392c4
    000000005e1a5eeb Annots!PlugInMain+0x000000000003733b
    000000005f4bf949 Acrobat!DllCanUnloadNow+0x00000000000b31c9
    0000000060357d9b Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000008568b
    0000000060325e94 Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x0000000000053784
    0000000060618eaa Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000034679a
    0000000060501074 Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000022e964
    0000000060311650 Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000003ef40
    0000000060307918 Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x0000000000035208
    000000005ff7e502 Acrobat!CTJPEGReader::CTJPEGReader+0x00000000003c3ac2
    000000005ff7e9e9 Acrobat!CTJPEGReader::CTJPEGReader+0x00000000003c3fa9
    00000000603111de Acrobat!AIDE::PixelPartInfo::PixelPartInfo+0x000000000003eace
    000000005f6402f7 Acrobat!DllCanUnloadNow+0x0000000000233b77
    000000005f60a938 Acrobat!DllCanUnloadNow+0x00000000001fe1b8
    000000005f4ffdb6 Acrobat!DllCanUnloadNow+0x00000000000f3636
    000000005f4ccc61 Acrobat!DllCanUnloadNow+0x00000000000c04e1
    000000005f4cbb41 Acrobat!DllCanUnloadNow+0x00000000000bf3c1
    000000005f4cb1a8 Acrobat!DllCanUnloadNow+0x00000000000bea28

As the quick debugging output shows, this is a classic use-after-free. The faulting instruction writes a 16-bit value (r14w, which is zero at the time of the crash) to an address that page heap reports as lying inside an allocation that had already been freed (about 0xd18 bytes into the freed 0x2000-byte DPH block), and the free call stack runs through the Annots plug-in. A write into freed memory is a primitive that is generally considered exploitable.
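To make that triage reasoning repeatable, here is an added example (not EXPMON's code) that automates it over the WinDbg output above: it parses the access-violation banner, the `r` register dump and the `!heap -p -a` result, decides whether the faulting access is a read or a write (Intel syntax, destination operand first), resolves the value being written from the register dump, and checks whether the target address falls inside a freed page-heap (DPH) block. The debugger text embedded in the block is the output quoted above, trimmed; the list of runtime modules skipped when locating the code that freed the block is an assumption of this example.

```python
"""WinDbg crash-triage helper (added example, not EXPMON code)."""
import re
from dataclasses import dataclass
from typing import Optional

# The WinDbg output quoted above, trimmed to the lines the triage consumes.
SAMPLE_DEBUGGER_OUTPUT = r"""
(2a50.2a40): Access violation - code c0000005 (first chance)
Acrobat!DllCanUnloadNow+0x1fe1b9:
00000000`5f60a939 66448933        mov     word ptr [rbx],r14w ds:0000026b`b21e8d18=????
1:017> r
rax=0000000000000001 rbx=0000026bb21e8d18 rcx=733916ad40d90000
rdx=0000026b3ecc0000 rsi=0000000000000001 rdi=0000026bb21e8ac0
rip=000000005f60a939 rsp=000000bae06fc520 rbp=0000000000000000
 r8=0000026bcd0aafe0  r9=0000000000000001 r10=00000000ffffffef
r11=000000bae06fc200 r12=0000026b5f534e30 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
1:017> !heap -p -a rbx
    address 0000026bb21e8d18 found in
    _DPH_HEAP_ROOT @ 26b3ecc1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                26bb2e51a90:      26bb21e8000             2000
    00007ffbeb095335 ntdll!RtlDebugFreeHeap+0x0000000000000045
    00007ffbeb04cd18 ntdll!RtlpFreeHeap+0x0000000000083728
    00007ffbeafcaff1 ntdll!RtlFreeHeap+0x0000000000000051
    00007ffbe82d364b ucrtbase!_free_base+0x000000000000001b
    000000005fa057c6 Acrobat!DllCanUnloadNow+0x00000000005f9046
    000000005e1a87e0 Annots!PlugInMain+0x0000000000039c30
"""

WIDTHS = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
# Assumption of this example: frames in these modules are allocator/runtime
# plumbing, so the first frame outside them is taken as "who freed the block".
RUNTIME_MODULES = {"ntdll", "ucrtbase", "msvcrt", "vcruntime140", "kernelbase", "verifier"}


@dataclass
class CrashTriage:
    exception_code: str
    mnemonic: str
    access: str                   # "write" or "read"
    width: int                    # bytes touched by the faulting access
    fault_address: int
    value_written: Optional[int]  # resolved from the register dump when the source is a register
    in_freed_block: bool
    block_base: Optional[int]
    block_size: Optional[int]
    freed_by: Optional[str]       # first non-runtime frame in the free call stack

    @property
    def offset_in_block(self) -> Optional[int]:
        return None if self.block_base is None else self.fault_address - self.block_base


def _hex(s: str) -> int:
    return int(s.replace("`", ""), 16)


def triage(text: str) -> CrashTriage:
    m = re.search(r"Access violation - code ([0-9a-f]{8})", text)
    if not m:
        raise ValueError("not an access violation")
    code = m.group(1)
    # "<addr> <opcodes> <mnemonic> <operands> ds:<address>=????" (Intel syntax, destination first)
    m = re.search(r"^[0-9a-f`]+\s+[0-9a-f]+\s+(\w+)\s+(.+?)\s+ds:([0-9a-f`]+)=\?+", text, re.M)
    if not m:
        raise ValueError("faulting instruction not found")
    mnemonic, fault_address = m.group(1), _hex(m.group(3))
    ops = [o.strip() for o in m.group(2).split(",")]
    dst, src = ops[0], (ops[1] if len(ops) > 1 else "")
    mem = re.search(r"(byte|word|dword|qword) ptr \[", dst)
    if mem:  # memory destination: a write (read-modify-write for one-operand forms)
        access, width = "write", WIDTHS[mem.group(1)]
    else:
        mem = re.search(r"(byte|word|dword|qword) ptr \[", src)
        access, width = "read", (WIDTHS[mem.group(1)] if mem else 8)
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b", text)}
    value = None
    if access == "write":
        low16 = re.fullmatch(r"r(\d+)w", src)          # r8w..r15w: low 16 bits of r8..r15
        if low16 and "r" + low16.group(1) in regs:
            value = regs["r" + low16.group(1)] & 0xFFFF
        elif src in regs:
            value = regs[src]
    heap = text.split("!heap -p -a", 1)[1] if "!heap -p -a" in text else ""
    freed = "in free-ed allocation" in heap
    block = re.search(r"^\s*[0-9a-f]+:\s+([0-9a-f]+)\s+([0-9a-f]+)\s*$", heap, re.M)
    base = _hex(block.group(1)) if block else None
    size = _hex(block.group(2)) if block else None
    freed_by = None
    for _addr, sym in re.findall(r"^\s*([0-9a-f]{16})\s+(\S+)\s*$", heap, re.M):
        if sym.split("!", 1)[0].lower() not in RUNTIME_MODULES:
            freed_by = sym
            break
    return CrashTriage(code, mnemonic, access, width, fault_address, value,
                       freed, base, size, freed_by if freed else None)


def verdict(t: CrashTriage) -> str:
    if t.in_freed_block:
        return f"use-after-free {t.access}"
    if t.fault_address < 0x10000:
        return "null-page dereference"
    return "access violation (unclassified)"


if __name__ == "__main__":
    t = triage(SAMPLE_DEBUGGER_OUTPUT)
    print(verdict(t), f"({t.width}-byte {t.access} at +{t.offset_in_block:#x} of a "
          f"{t.block_size:#x}-byte block freed via {t.freed_by})")
```

Fed a saved log of the same three WinDbg commands, `verdict()` returns the same classification. Without page heap enabled, `!heap -p -a` will not report a DPH block, so the result falls through to "access violation (unclassified)", which is the cue to enable page heap and reproduce before drawing any conclusion about exploitability.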


In summary..
  1. This is a use-after-free vulnerability that could potentially lead to arbitrary code execution.
  2. Please note that, although the vulnerability is theoretically exploitable, the detected sample is merely a PoC (Proof of Concept). It is not a working exploit and does not contain any malicious payload.
  3. The PoC was mistakenly released to the public, but its intentions are benign; it is part of a Black Hat USA 2020 presentation.
One interesting point is that this sample was, in fact, released in 2020 as part of a Black Hat presentation, where it was mistakenly published as a non-exploitable DoS crash (mistakes happen; please note that we're not criticizing the invaluable work done by the presenters). Surprisingly, this sample went unnoticed by the (whitehat) security community for four years, until it was sent to EXPMON Public. Of course, we can't rule out the possibility that malicious actors had already noticed this 'free' zero-day PoC and weaponized it.

The sample was also on VirusTotal but had zero detections at the time I discovered it. It is reasonable that VT's malware-detection sandboxes missed it, as they do not analyze samples from the vulnerability/exploit perspective, unlike EXPMON. This shows that security is a collaborative effort.


Defense and Mitigation
While this is not a working exploit, the nature of this vulnerability suggests that it could be easy for malicious actors to weaponize/exploit. As warned via EXPMON's Twitter/X account, we recommend that users apply the official Adobe Reader updates immediately if they haven't already done so.

I reported the finding to Adobe on June 22. Adobe first attempted to patch the bug on August 13 (tracked as CVE-2024-39383 in APSB24-57). However, I later found that the bug was not properly fixed, so I reported it to them and delayed this publication. Adobe released another patch on September 10, tracked as CVE-2024-41869 in APSB24-70. Users should apply the latest patch/update described in APSB24-70.


Conclusion
That this public PoC sample was overlooked for years highlights the need for innovative exploit-perspective detection solutions. There is a clear gap in the industry and community, demonstrating the necessity of examining things from a vulnerability/exploit perspective. EXPMON is on a mission to help fill this gap.

If you're interested in advanced exploit detection collaborations, or just want to know more about EXPMON, feel free to ping @EXPMON_ (Twitter/X), or drop a line at contact@expmon.com.

Saturday, April 13, 2024

EXPMON detected "zero-day" PDF sample attempting to exploit Foxit Reader's bad design of security warning dialogs

Shortly after my EXPMON Public announcement on April 7, I was notified by a malware researcher that he/she had submitted a PDF sample and it got detected as Malicious (in red). And the Detection Details even say that it's potentially a "zero-day".


(P.S. I don't check the system often; if you're a user and happen to find something, you could ping me on Twitter/X or email at contact@expmon.com)


Check out the original submission here.

https://pub.expmon.com/analysis/15986/

Looking into the details you would note that there's an "Indicator" called "suspicious process created by main" detected in the environment named "win7sp1(update20180524)_foxitreader(2023.2.0.21408)[foxitreader]".

Technically speaking, this means that the system detected a suspicious process created from the main process (in this env, the Foxit Reader process) in the env that runs Foxit Reader version 2023.2.0.21408 on Windows 7, and that our Detection Logic concluded this is potentially a zero-day exploit, as the Detection Details say:

Malicious - exploitation activity detected in newer environment, potential zero-day attack

If the system reports a "zero-day" detection, I have an obligation to analyze the sample manually. So I downloaded the sample from the system and tested it in a local env with the latest Foxit Reader installed. Here are the details.

When I opened the PDF file with Foxit Reader, I got the following security warning dialog.

In the background, there's no suspicious process running. No problem, apparently? However, if you look at it carefully, you will find that the *default option* for this dialog is "Trust this document one time only - OK". That means a careless user would click the "OK" button (or simply press the "Enter" key), which ignores the security warning. And that's exactly what our system "simulates" in the sandbox environment for this sample.

Let's go ahead: after the first security warning dialog, I got a second one, see the following:

In the background, there's still no suspicious process running at this moment. But this 2nd warning dialog has the same bad UI design: the *default option* for this dialog is "Open", instead of "Do Not Open". That means a careless user would click "Open" (or simply press the "Enter" key), which ignores this security warning, again.

After I clicked the "Open" on the 2nd warning dialog, I observed the "cmd.exe" process running, with malicious parameters.

Apparently, it’s trying to download a .bat file from an attacker-controlled server and execute it.

If we look into the content of the PDF sample, we can confirm our dynamic analysis and find that this is actually a very simple (but malicious) PDF sample.

Image copied directly from @SquiblydooBlog’s tweet

It has a lot of ':' characters at the beginning of the file; I personally guess it's for bypassing some static-analysis anti-virus software.

Please note that I tested the sample on Adobe Reader too, as our EXPMON system did as well (for every .pdf sample, it is tested in both Adobe Reader and Foxit Reader, as of the current standard version). On Adobe Reader, the attempt to run external commands (through the "/Launch" action) is totally disabled, so Adobe Reader users are safe from this malicious sample.
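The two static observations above (a run of ':' bytes before the %PDF header, and an /OpenAction that is a /Launch action carrying a command line) are easy to check without opening the file in a reader. The following is an added example, not EXPMON's code or the original sample, of a small scanner that does so; it also flags /JavaScript actions, the kind of content behind the "user supplied js may be contained in pdf" Indicator discussed in the Adobe Reader post on this page. Both PDFs embedded in the block are constructed: minimal files with no xref table, a harmless echo command standing in for the real payload, and, in the second one, the action hidden inside a FlateDecode object stream so that a plain grep over the raw bytes would miss it.

```python
"""Static scanner for /Launch and /JavaScript actions in PDFs (added example, not EXPMON code)."""
import re
import zlib
from dataclasses import dataclass, field

# A PDF name ends at whitespace or a delimiter; this lookahead stops "/F" from
# matching inside "/First" or "/Filter".
NAME_END = rb"(?![^\s/\[\]<>(){}%])"
OBJ_RE = re.compile(rb"(\d+\s+\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


@dataclass
class Finding:
    kind: str         # "Launch" or "JavaScript"
    obj: str          # "num gen" of the object, or "inflated stream"
    target: str       # /F for Launch, /JS body for JavaScript
    params: str = ""  # /P for Launch


@dataclass
class ScanResult:
    header_offset: int  # index of "%PDF-", or -1 if absent
    findings: list = field(default_factory=list)


def _read_string(data: bytes, pos: int):
    """Return the literal (...) or hex <...> string token starting at pos, else None."""
    if data.startswith(b"<<", pos):  # a dictionary, not a hex string
        return None
    if data.startswith(b"<", pos):
        end = data.find(b">", pos)
        return None if end == -1 else data[pos:end + 1]
    if not data.startswith(b"(", pos):
        return None
    depth, i = 0, pos
    while i < len(data):  # literal strings may nest balanced parentheses
        c = data[i:i + 1]
        if c == b"\\":
            i += 2            # skip the escaped character
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return data[pos:i + 1]
        i += 1
    return None


def _decode(tok: bytes) -> str:
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1])
        if len(digits) % 2:
            digits += b"0"    # PDF pads an odd trailing hex digit with 0
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    escapes = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
    body = re.sub(rb"\\(.)", lambda m: escapes.get(m.group(1), m.group(1)), tok[1:-1], flags=re.S)
    return body.decode("latin-1")


def _string_value(region: bytes, key: bytes):
    m = re.search(rb"/" + re.escape(key) + NAME_END + rb"\s*", region)
    tok = _read_string(region, m.end()) if m else None
    return _decode(tok) if tok else None


def scan_pdf(data: bytes) -> ScanResult:
    result = ScanResult(header_offset=data.find(b"%PDF-"))
    # Object bodies with their raw stream payloads blanked out...
    regions = [(m.group(1).decode("ascii"), STREAM_RE.sub(b"stream\nendstream", m.group(2)))
               for m in OBJ_RE.finditer(data)]
    # ...plus every stream that inflates, so actions in object streams are seen too.
    for m in STREAM_RE.finditer(data):
        try:
            regions.append(("inflated stream", zlib.decompress(m.group(1))))
        except zlib.error:
            continue
    for name, region in regions:
        if re.search(rb"/S\s*/Launch" + NAME_END, region):
            result.findings.append(Finding("Launch", name, _string_value(region, b"F") or "",
                                           _string_value(region, b"P") or ""))
        if re.search(rb"/S\s*/JavaScript" + NAME_END, region) or re.search(rb"/JS" + NAME_END, region):
            result.findings.append(Finding("JavaScript", name,
                                           _string_value(region, b"JS") or "<indirect or stream>"))
    return result


def indicators(result: ScanResult) -> list:
    """Human-readable indicator lines, in the spirit of a sandbox report."""
    out = []
    if result.header_offset < 0:
        out.append("no %PDF header found")
    elif result.header_offset > 0:
        out.append(f"{result.header_offset} bytes precede the %PDF header")
    for f in result.findings:
        if f.kind == "Launch":
            out.append(f"launch action in {f.obj}: {f.target} {f.params}".rstrip())
        else:
            out.append(f"javascript action in {f.obj}: {f.target[:60]}")
    return out


# Constructed sample 1: ':' padding before the header and an /OpenAction /Launch
# whose command is a harmless echo, not the sample's real payload.
SAMPLE_LAUNCH_PDF = b":" * 64 + b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo constructed-harmless-example) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: the action lives in a FlateDecode object stream.
_OBJSTM = zlib.compress(b"5 0 << /Type /Action /S /JavaScript /JS (app.alert('constructed example')) >>")
SAMPLE_JS_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj\n"
    + b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Length " + str(len(_OBJSTM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _OBJSTM
    + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LAUNCH_PDF, SAMPLE_JS_PDF):
        print("\n".join(indicators(scan_pdf(sample))))
```

The scanner is deliberately a triage aid rather than a parser: it does not resolve indirect references, so an `/F` or `/JS` given as `N 0 R` is reported as indirect, and only Flate-compressed streams are inflated. What it does catch cheaply is the combination seen in this sample, a document that opens with junk and carries a /Launch with a command-line string, which is enough to route the file to a sandbox run such as the one above.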


Is this a zero-day exploit?

Strictly speaking, by definition this is indeed a PDF zero-day exploit, as it works on the latest Foxit Reader (version 2024.1.0.23997, as of writing). However, it is a somewhat "lame" one, because the user/victim needs to "allow it" twice to achieve code execution. The key point here is that the default options for these two security warning dialogs are both to "allow it", which increases the chance of successful exploitation (against careless users). That's what this "zero-day" sample is trying to exploit, as our analysis shows.

Therefore, I wouldn't consider the EXPMON system's detection of this sample as a "zero-day" an FP. Instead, I consider it a success story. :)

So, stay safe & be vigilant, Foxit Reader users! I will forward this blog post to the vendor of Foxit Reader. If they have any update, say fixing the bad designs of the dialogs, I will update here.


[Update on April 15, 2024]

The vendor, Foxit Software, has replied to my email. It seems to me that they've acknowledged the issues and will address them, but they are not going to release a security advisory. Anyway.. I copied the email directly below, as there's no need to redact any personal information.

Foxit Reader users are recommended to stay vigilant about suspicious PDF files until an official fix is out.


Additional Information

As of writing, on VT, this sample has a 10/60 detection ratio.


The sample was first seen on VT on March 3, 2024.




And I just got this information related to threat intel from the original sample submitter @SquiblydooBlog:

"it came in an email pretending to be a South Korean legal group, it also contained a few malicious other payloads."

It seems to me that the TA has been trying to leverage this “zero-day” to target Foxit Reader users in South Korea. But please note that this is just my personal impression based on the information I have.


Conclusion

I hope that through this quick analysis of this real-world example, security defenders in this community will better understand how the EXPMON system can help in fighting against advanced zero-day or unknown exploits.

I also encourage users to look at the "Indicators" the system produces - they're very helpful information. Sometimes, even when the Overall Detection Result says "Clean/Undetected", you may still find some suspicious information in the Indicators.

As a side note, if you're a pro, you could also use our helper tool expmon_sample_submit.py to submit samples. There are some advantages to using the tool: not only can it submit many samples automatically, but it can also obtain accurate raw analysis logs, and sometimes that information helps.


Sunday, April 7, 2024

Opening EXPMON for Everyone

Recently during the winter holidays, I "refreshed" the EXPMON system that my friend and I developed in 2021 (well, we just added a really simple web UI:)). The EXPMON system is mainly a sandbox-based system but with static analysis modules. Unlike all the other sandboxes that I know of, EXPMON is specifically designed and built for detecting advanced file-based exploits. Here, "advanced" means unknown (undetectable by other tools) or zero-day (exploiting unpatched vulnerabilities). EXPMON doesn't process malware or anything that does not exploit vulnerabilities. In my opinion, the key difference is that EXPMON was built solely from the perspective of vulnerability research, rather than malware detection.

It's hard to explain all the differences here, so I've authored a document sharing the Methodology and Architecture - please read it if you’re interested in using the system. Personally, I want EXPMON to be as open as possible so that users understand what it can do (and what it can't). EXPMON should not be considered as a "replacement" of any kind of existing threat detection products, but as a cutting-edge "add-on" tool for users concerned about being targeted by advanced (file-based) exploits such as zero-days or hard-to-detect exploits. Look at all those emails / attachments your organizations receive every day - who knows what those files (emails are also files) are really doing?


In fact, I've been personally using the system for about two years, and it has been incredibly helpful to me. Not only do I drop suspicious samples into the system for analysis, but it has also greatly aided my research on apps such as Microsoft Office. For instance, when I encounter a suspicious RTF sample, manually testing it in various environments would be a long and arduous process. With this system, I can accurately observe the Word process activities, even across different environments. Moreover, the indicators reported by the system help me quickly identify any suspicious elements in the sample. On the other hand, with numerous samples analyzed and meaningful Big Data analytics applied, it has also assisted me in understanding and classifying normal versus abnormal behaviors, all through automated processes.


Anyway.. I wondered, with this newly-developed web UI, why not just open it for everyone? Personally, it would be great for me to see something I spent quite a lot of time on in 2021 benefiting the security defense community at large, especially as I have failed to see a "making sense" exploit detection system, or a system designed from the vulnerability-exploitation perspective, within the community.


Therefore, let me introduce you to EXPMON Public. From now on, everyone can access the following URL and submit samples to the system for advanced exploit detection.:)


https://pub.expmon.com


I've also authored another document showing how to use the Web UI as well as the Web APIs, please check it here. Additionally, we've released a helper tool called “expmon_sample_submit.py”, which assists users in automatically submitting samples to the EXPMON system and obtaining analysis results, via the Web APIs. Please check it out on our GitHub repository https://github.com/EXPMON/PubTools.


Here are some notes:

1. Make sure to read the Methodology and Architecture and Web UI & APIs documents before using the system. So you know what you're doing and what results you should expect.


One important thing to note is that the system only focuses on exploits, with its main goal being the detection of unknown and zero-day exploits. It does not detect other types of threats, such as .exe malware or very outdated exploits (e.g., CVE-2012-0158). Therefore, you should not rely on the system to determine whether a sample is malicious or not. Instead, it serves as an advanced "add-on" feature to identify advanced file-based exploits.


That also means that the vast majority of submissions will likely be classified as "CLEAN" (doesn't mean they're not malicious, though). The thing is, one day, if it detects your sample as something like "Malicious - potential zero-day exploit", you'll go "whoa!" :)


I will also perform regular Big Data analytics based on the "environment-binding" data produced by the system, and those may find hard-to-detect exploits too. In fact, this is one of the biggest advantages the system provides: meaningful Big Data analytics, thanks to the "environment-binding" architecture!


2. Currently, the supported file types and apps are listed here. We may add more supported file types or apps in the future, if needed (suggestions? contact me:)).


The current supported file types include all Word, Excel, and PowerPoint file types, Outlook email file types (.msg and .eml), PDFs (for both Adobe Reader and Foxit Reader), as well as some newer Office file types such as MS-Access (.accdb, .mdb), Publisher (.pub), and OneNote (.one). There are some advanced features depending on the file type. For example, when you submit a .msg or .eml sample, not only will the email file be analyzed in Outlook, but also the attachments (e.g., .rtf) will be analyzed.


3. Because the file types EXPMON deals with are mostly Office documents and PDFs, they may contain sensitive information. Please ensure that you have permission to share the samples before submitting them. EXPMON assumes no legal responsibility for any damage it may cause.


Please also note that this is a public system, and everyone can see what you have submitted through the "Recent" page, although they cannot download the samples (unless we get hacked :P). However, you should be aware that all submitted samples, especially malicious ones, may be shared with the security defense community, for good purposes.


If you accidentally submitted a sample and wish to remove it, please contact at contact@expmon.com. However, I cannot guarantee a timely response.


Read our (simple) Terms of Service and Privacy Policy here.


If you want to use the system for advanced exploit detection but your samples can't be shared, this is understandable. Please contact contact@expmon.com to see if it's doable to deploy the system in your network.


4. If you want to submit a lot of samples, feel free to use the Web APIs (check the instructions). But please don't “DoS” us or do anything malicious. :)


In fact, we've released a helper tool named "expmon_sample_submit.py" for automated submission, check it at our GitHub repository.


5. You may note that the Controller is currently connected to only 4 VMs, so it can't process many samples simultaneously. However, if you've already submitted samples, they will be in the pending list, although it may take longer to receive the results.


Another small note: you may notice that the first sample may take longer to analyze. This is because I've enabled the "shutdown the VM server if no sample is received within 15 minutes" feature. For the first sample, the VM server needs to be powered on, so it takes more time.


The system is hosted in a place in Canada, and the system or the network may not be that stable. Well.. hopefully it will work for some time!


Anyway, you know how to contact me if you have something to say about the system.


That's it. Enjoy your hunting for advanced exploits!:)


Cheers,

Haifei