Thursday, November 11, 2010

cve-2010-4091 – printSeps - exploitation attempts

November 26, 2010 – update:
This is a very useful  presentation (from Immunity Sec) where is possible get some methods for approach the reversing of  Java script engine in Adobe Reader context:

Attacking Embedded Languages
http://www.immunitysec.com/downloads/ID_reCON_2008.odp

November 16, 2010 – update:
In previous post I didn’t report where is the place in the AcroRD32.dll where the memory corruption is triggered (as result of the use after free bug).  The following screen shot is the leak screen shot:

image

At first view, the AcroRd32.dll offset 0094450, seem a zone involved with Acro Heap Manager, so this could confirm some of my doubts for the question like “where to play whit this bug ?”. So, IMHO, this bug is due from the double handling mechanism of the heap. In other words what the OS heap management has previously freed may be that the Adobe Heap Manager try to free again with the result as show.  I hope to release a more detailed analysis as soon as possible.


November 11, 2010
In my previous post (http://extraexploit.blogspot.com/2010/11/full-disclosure-xplpdf-adober-reader-94.html)  it’s been followed  the timeline and what is called exposure time for this bug that seem have a bit strange history. After my initial analysis,  only few details has been released about. But after play a bit with this flaw I can confirm once of the latest and most clear comments fromVUPEN via Twitter:

exploiting the PDF printSeps was complicated. It involves allocating/freeing chained blocks before triggering the flaw

After this tweet I started to looking for more informations about. So IMHO a good support for “allocating/freeing before trigger” the flaw may be get from” heaplib” as well documented in

http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf

Is possible fitting the heaplib.js for Adobe Reader and insert inside a crafted PDF for obtaining the heap handling ? For this goal code be usefull play with what is called Acro Managing Pool. A very interesting reference is from a Fortinet researcher:

http://www.fortiguard.com/papers/Adobe_Readers_Custom_Memory_Management_a_Heap_of_Trouble.pdf

The heaplib.js for Internet Explorer is here:
https://www.metasploit.com/redmine/projects/framework/repository/entry/lib/rex/exploitation/heaplib.js.b64

Anyway what I could say from my experience with this flaw is that the PDF posted on full disclosure seem leaks of something and using a debugger may lead you on the wrong way sometimes. Are only ideas which could be wrong as well right. Feedback are welcome.

No comments:

Post a Comment