Attackers are using a previously unknown exploitation technique that bypasses both ASLR and DEP to exploit the unpatched Adobe Reader bug that Adobe warned users about on Wednesday. The exploit works on machines running either Windows Vista or Windows 7 and is also dropping a file on compromised machines that is signed using a stolen, valid digital certificate.
Adobe published an advisory about the new Reader bug on Wednesday, but was stingy with the details, saying only that it affected Reader 9.3.4 and earlier versions and could cause the application to crash.
“This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability,” the company said in its advisory.
However, researchers who have looked at the publicly available exploits say that the bug itself is a stack-based buffer overflow in Reader, and that the exploit for it uses a novel technique built on return-oriented programming (ROP) to bypass the exploit mitigations ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).
“What I haven’t mentioned yet is that this exploit document does something that I haven’t seen in the wild yet. This exploit works on Windows Vista and Windows 7. Unlike the previous exploits, it is not dependent on a hardcoded Windows XP syscall. Additionally, it uses a previously unpublished technique to bypass ASLR,” Metasploit researcher Joshua J. Drake said in his analysis of the exploit. “The gadgets that are used for this ROP payload come from a module named ‘icucnv36.dll’. This module does not support ASLR (nor does it opt in to DEP, although that is largely irrelevant).”
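Drake’s observation is the defender’s takeaway from this attack: a single module that does not opt in to ASLR gives an attacker a fixed address space to build a ROP chain from, no matter how well the rest of the process is randomized. Whether a DLL opts in is recorded in two header fields of the PE file, the DllCharacteristics word of the optional header (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR, IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP) and the relocations-stripped bit of the COFF header, which makes the image unrelocatable even if the ASLR bit is set. The script below is an added example, not code from the article, from Metasploit or from Adobe; it reads those flags from a PE image and flags modules that cannot be randomized. Because it has to run offline, the images it inspects are minimal header-only PE files constructed inline as test input, and the module names used in the sample audit are labels only, not measurements of real Adobe files. DEP is a process-wide decision driven by the main executable and system policy, which is why the NX_COMPAT bit of a library matters far less than its ASLR bit, as Drake notes.

```python
import struct
from pathlib import Path

# PE header flags (values from the PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF flag: no relocations, cannot be rebased
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70                  # same offset in PE32 and PE32+ optional headers


def pe_mitigations(data: bytes) -> dict:
    """Read the ASLR/DEP opt-in state from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsec, _ts, _symptr, _nsym, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dll_chars = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)[0]
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    aslr_flag = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr_flag_set": aslr_flag,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomize an image that asks for it AND can be relocated.
        "aslr": aslr_flag and not relocs_stripped,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def modules_without_aslr(images: dict) -> list:
    """Given {module name: PE bytes}, return the names that the loader cannot randomize."""
    return sorted(name for name, data in images.items() if not pe_mitigations(data)["aslr"])


def audit_directory(path: str) -> list:
    """Run modules_without_aslr over every .dll/.exe under a directory (e.g. a Reader install)."""
    images = {}
    for p in Path(path).rglob("*"):
        if p.suffix.lower() in (".dll", ".exe") and p.is_file():
            images[p.name] = p.read_bytes()
    return modules_without_aslr(images)


def build_test_image(dll_characteristics: int, file_characteristics: int = 0x2102,
                     pe32plus: bool = False) -> bytes:
    """Constructed, header-only PE image used as sample input; it is not a real module."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Sample audit over constructed images; the names are labels for the scenario, not real files.
SAMPLE_IMAGES = {
    "hardened.dll": build_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "legacy-noaslr.dll": build_test_image(0),  # no opt-in at all, like the module Drake describes
    "flag-set-but-unrelocatable.dll": build_test_image(
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
        file_characteristics=0x2102 | IMAGE_FILE_RELOCS_STRIPPED),
}

if __name__ == "__main__":
    for name, data in SAMPLE_IMAGES.items():
        m = pe_mitigations(data)
        print(f"{name:32} ASLR={'yes' if m['aslr'] else 'NO '}  DEP={'yes' if m['dep'] else 'NO '}")
    print("modules an attacker could use as a fixed base:", modules_without_aslr(SAMPLE_IMAGES))
```

Pointing `audit_directory` at an application’s install directory lists every module the loader cannot randomize; each such entry is a place where a single memory-safety bug elsewhere in the process regains a stable address space. The relocations-stripped check matters because a DLL can carry the ASLR bit and still load at a fixed address if its relocation table was stripped at link time.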
Adobe’s products are high on the list of targets for attackers these days, and this new attack brings a couple of interesting twists, aside from the bypass of ASLR and DEP on Windows 7.
On Wednesday, Roel Schouwenberg, a researcher at Kaspersky Lab, said that the malicious file installed on machines compromised via the new Reader exploit is digitally signed using a valid certificate belonging to a credit union in Missouri.
“While most malicious PDFs download their payload, this time the PDF has malicious content embedded. The PDF drops an executable into the %temp% directory and tries to execute it,” Schouwenberg said. “The file it drops is digitally signed with a valid signature from a US-based Credit Union!”
This is the second major attack in the last few months that has used a stolen certificate to sign a malicious file. The Stuxnet attack, which exploited a previously unknown bug in the Windows shell, included two separate files that were signed by two Taiwanese technology companies. This technique has been seen in the past, but not in the kind of sophisticated exploits involved in the Stuxnet and Reader attacks.
Adobe has not specified when it plans to release a patch for the Reader bug. The company is planning to add a sandbox to upcoming versions of Reader to help prevent attacks against the application from affecting the rest of a system, something that customers and security experts have been calling for Adobe to do for some time.
“It sure seems like the attackers are feeling the pressure of Adobe’s upcoming sandbox,” Drake said in his analysis.