Sandbox Escape Bug in Adobe Reader Disclosed

Details and exploit code for a vulnerability in Adobe Reader have surfaced, and the bug can be used to break out of the Reader sandbox and execute arbitrary code.

The bug was discovered earlier this year by a member of Google’s Project Zero and reported to Adobe, which made a change to Reader that made it difficult to exploit the vulnerability, though it wasn’t patched specifically. Under the disclosure guidelines that Google uses, the details of the vulnerability became public after 90 days. That deadline passed late last week, and a detailed description of the vulnerability, along with a proof-of-concept exploit, was made public.

“The specific vulnerability is there is a race condition in the handling of the MoveFileEx call hook. While the function resolves the location of the source and destination and ensures they are within the policy there is a timing race once the function calls into the MoveFileEx function in the broker. This race can be won by the sandboxed process by using an OPLOCK to wait for the point where the MoveFileEx function opens the original file for the move. This allows code in the sandbox to write an arbitrary file to the file system,” the bug report from James Forshaw, a member of Project Zero, says.

Adobe has not patched the vulnerability, which affects Reader 11.0.8 and was discovered in August. But Forshaw said in his report that the company made a change in Reader 11.0.9 that made exploiting the bug much more difficult. That change was part of a fix for a separate vulnerability in Reader that Forshaw discovered.

“While this bug technically isn’t fixed a defence in depth change in 11.0.9 which fixed https://code.google.com/p/google-security-research/issues/detail?id=94 effectively made this difficult if not impossible to exploit. It was no longer possible to use the broker file system hooks to create directory junctions,” the report says.
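The pattern the report describes, a policy check on a path followed by a later operation that resolves the same path again, can be modelled outside Reader. The following is an added example, not code from Adobe, Project Zero or the original article: a POSIX analogue in Python in which a symlink stands in for a directory junction and a `window` callback stands in for the timing gap. All function names are hypothetical.

```python
import os
import tempfile
from contextlib import contextmanager

def move_by_path(root, src, dst, window):
    """Check-then-use: validate the path strings, then reuse them after a gap."""
    real_root = os.path.realpath(root)
    for p in (src, dst):
        if os.path.commonpath([real_root, os.path.realpath(p)]) != real_root:
            raise PermissionError("outside policy")
    window()             # gap between the policy check and the move
    os.rename(src, dst)  # dst is resolved a second time here

@contextmanager
def pinned_parent(root, path):
    """Open path's parent below root one component at a time, refusing links."""
    flags = os.O_RDONLY | os.O_DIRECTORY
    fd = os.open(root, flags)
    try:
        for part in os.path.relpath(os.path.dirname(path), root).split(os.sep):
            if part == "..":
                raise PermissionError("outside policy")
            nxt = os.open(part, flags | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        yield fd
    finally:
        os.close(fd)

def move_pinned(root, src, dst, window):
    """Pin both directories as descriptors; the move names nothing by full path."""
    with pinned_parent(root, src) as sfd, pinned_parent(root, dst) as dfd:
        window()         # a swap now changes names, not the pinned directories
        os.rename(os.path.basename(src), os.path.basename(dst),
                  src_dir_fd=sfd, dst_dir_fd=dfd)

def demo(move):
    """Constructed scenario: the destination directory is swapped in the gap."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "root"), os.path.join(tmp, "outside")
        for d in (os.path.join(root, "in"), os.path.join(root, "work"), outside):
            os.makedirs(d)
        src = os.path.join(root, "in", "f.txt")
        open(src, "w").close()
        def swap():      # stands in for the sandboxed side winning the race
            os.rename(os.path.join(root, "work"), os.path.join(root, "work.old"))
            os.symlink(outside, os.path.join(root, "work"))
        move(root, src, os.path.join(root, "work", "f.txt"), swap)
        return "outside" if os.listdir(outside) else "inside"
```

`demo(move_by_path)` shows the file landing outside the policy root even though the check passed, while `demo(move_pinned)` keeps it inside because the operation acts on the directories that were validated, not on names looked up again.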
