siberas GmbH is a consultancy specializing in security analyses and penetration tests, providing vendor-independent, expert advice in the field of IT security.
Hi everyone, in the last few weeks I’ve given two presentations (@ SyScan360, Singapore and Infiltrate, Miami) about Pwning Adobe Reader using its embedded XFA engine.
The URLs to the slide decks can be found below. Besides the PDFs I also uploaded the PPTX versions since some might have reservations opening PDFs from me (at least with Adobe products…) ;-)
The analytical part of the presentations (symbol recovery, object and jfCacheManager analysis) is mostly identical. The main difference is the practical exploitation part: At SyScan360 I explained how to abuse a 0-DWORD write primitive to create a memory leak (thus bypassing ASLR) and to get near 100% reliable, OS- and version-independent code execution within the sandboxed Reader process. At Infiltrate I used a 0day exploit to showcase the great flexibility of the exploitation technique and explained the general steps to exploit a rather “ugly” vulnerability which does not give you a clean, controlled write primitive.
[ Please note that the layout of the PowerPoint version gets a bit screwed up when viewed with mobile PPTX readers (such as the one embedded in iOS)… ]
A technical writeup which goes deeper into the topic of Pwning the Reader will be released soon. Stay tuned :)
Cheers, Sebastian