The Tech Herald

Adobe confirms Zero-Day - ROP used to bypass Windows defenses

by Steve Ragan - Sep 9 2010, 17:08

Adobe has confirmed active attacks on a new vulnerability in its Reader and Acrobat software which, if exploited, could lead to full system compromise. According to researchers who have examined the samples, the attacks use ROP (Return Oriented Programming) to bypass the DEP and ASLR protections offered by Windows.

Adobe said in its advisory that Reader and Acrobat versions 9.3.4 and earlier are vulnerable to a flaw which, if exploited, “…could cause a crash and potentially allow an attacker to take control of the affected system.”

Adobe is currently weighing its options for releasing a fix. This could include an out-of-cycle patch, but there are no firm plans for such a release yet.

The interesting aspect of the public attacks on the Adobe vulnerability is that they use ROP. ROP was last in the headlines a week ago, when Rubén Santamarta, head of Security Assessment at Wintercore, disclosed a flaw in the unused “_Marshaled_pUnk” parameter of Apple’s QuickTime.

Santamarta’s exploit used the QuickTime parameter to hijack control flow and a ROP chain to get his code running, giving remote code execution. His proof-of-concept defeated both ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) on Windows 7 and Vista, and also worked on XP, which has DEP but no ASLR.

He did so by using Windows Live Messenger DLLs, which Internet Explorer loads by default and which were built without ASLR support (no /DYNAMICBASE linker flag), so they load at a fixed, predictable address from which gadgets can be taken.

While researching the QuickTime story, we reached out to HD Moore, CSO at Rapid7 and chief architect of the Metasploit project, for his thoughts. He explained that any DLL loaded into the browser process that does not support ASLR is a potential attack vector.

“This includes in-browser plugins like Flash, as well as other third-party add-ins and even other ActiveX controls.”
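The practical check that follows from Moore's point is to ask, for every module in a process, whether it was linked with ASLR support: a single module loaded at its preferred base is enough to supply fixed gadget addresses for a ROP chain, however well the rest of the process is randomized. The script below is an added example, not code from the article, from Santamarta, Moore or Kaspersky. It reads the DllCharacteristics field of a PE optional header to report the ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) opt-in bits together with the preferred ImageBase, and flags modules that would load at a fixed address. The module names, image bases and header bytes in the sample are constructed for the demonstration; the helper that builds them emits only enough of a header to exercise the parser and is not real linker output.

```python
import struct

# PE optional-header DllCharacteristics bits (winnt.h)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module opts in to DEP
IMAGE_FILE_DLL = 0x2000                          # FileHeader.Characteristics


def pe_mitigations(data: bytes) -> dict:
    """Read ASLR/DEP opt-in bits from a PE image held in memory.

    Walks DOS header -> NT signature -> file header -> optional header and
    returns the fields that decide whether the module is usable as a static
    ROP gadget source: its preferred ImageBase and whether DYNAMIC_BASE is set.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    (_machine, _nsect, _ts, _symptr, _nsym, _opt_size,
     file_chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:    # PE32: ImageBase is a DWORD at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +70 in both header layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "is_dll": bool(file_chars & IMAGE_FILE_DLL),
        "image_base": image_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def static_gadget_sources(modules):
    """Given [(name, image_bytes)], return (name, base) for modules that
    load at a fixed address. These are the ones an attacker can mine for
    gadgets and address statically: the 'non-ASLR DLL in the browser
    process' case described in the article."""
    out = []
    for name, image in modules:
        info = pe_mitigations(image)
        if not info["aslr"]:
            out.append((name, info["image_base"]))
    return out


def build_minimal_pe(dll_characteristics, image_base=0x10000000,
                     pe32plus=False, is_dll=True):
    """Constructed sample: emit just enough PE header to exercise the parser.
    Not a loadable image and not linker output; offline test input only."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_chars = IMAGE_FILE_DLL if is_dll else 0
    if pe32plus:
        magic, machine, opt_size = 0x20B, 0x8664, 240
    else:
        magic, machine, opt_size = 0x10B, 0x14C, 224
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Constructed module set mimicking the situation in the article: the
    # browser and system DLLs opt in, one third-party add-in does not.
    modules = [
        ("browser.exe", build_minimal_pe(0x0140, 0x00400000, is_dll=False)),
        ("ntdll.dll", build_minimal_pe(0x0140, 0x77000000)),
        ("addin.dll", build_minimal_pe(0x0000, 0x10000000)),
    ]
    for name, base in static_gadget_sources(modules):
        print("%-12s fixed base 0x%08x -> usable for hard-coded ROP gadgets"
              % (name, base))
```

On a real system the same function runs over `open(path, "rb").read()` for each module listed in the process, so an analyst can audit a browser's add-ins the way the article describes. Note that ASLR is decided per module while DEP is decided per process (by the executable's flag and system policy), which is exactly why one opted-out DLL undoes the randomization even though the process as a whole has DEP on; the DEP bit is reported only for completeness.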

Moore's point is underscored by Kaspersky senior anti-virus researcher Roel Schouwenberg, who, after examining the Adobe attacks more closely, noted that they too rely on ROP.

“The exploit is pretty basic. What’s interesting about it is that it makes use of Return Oriented Programming to bypass the ASLR and DEP mitigation technologies in Windows Vista and 7,” Schouwenberg said.

The payload dropped by the attack is digitally signed with a VeriSign-issued certificate belonging to Vantage Credit Union, a financial institution located in Bridgeton, Missouri.

As with the other compromised certificates seen recently, this one was valid (neither expired nor revoked) at the time of the attacks. The major difference is that it belongs to a U.S. business, whereas the previously stolen certificates all came from the same industrial park in Taiwan. Those Taiwanese certificates, which have since been revoked, were used to sign the Stuxnet malware that targets SCADA systems.

Until a patch is released, Adobe advises users to keep anti-virus signatures up to date and to use caution when opening PDF files. We’ve reached out to VeriSign for additional details on Vantage Credit Union’s compromised certificate. When we hear more from them, we’ll update this story.

[Update: The certificate was revoked less than 24 hours after VeriSign was alerted to the issue. From that it is reasonable to assume the credit union is now fully aware of the breach, but the details of how it happened are still unknown.]
