Race condition allows writing arbitrary files on the system

Nov 27, 2014 13:15 GMT  ·  By

A vulnerability has been present in the sandbox component of Adobe Acrobat Reader since version 11.0.8 of the application, and it has not been fixed in the latest release either.

The flaw is a race condition in the handling of the MoveFileEx call hook, which leaves the product open to an NTFS junction attack. In theory, an attacker could use it to break out of the sandbox and write arbitrary files to the filesystem with the permissions of the current user.

James Forshaw, a security researcher at Google, discovered the flaw in August and provided a proof-of-concept to demonstrate it. He disclosed the issue responsibly, giving Adobe 90 days to release a patch before making it public.

“While the function resolves the location of the source and destination and ensures they are within the policy there is a timing race once the function calls into the MoveFileEx function in the broker. This race can be won by the sandboxed process by using an OPLOCK to wait for the point where the MoveFileEx function opens the original file for the move. This allows code in the sandbox to write an arbitrary file to the file system,” he wrote.
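The check-then-operate sequence Forshaw describes is a classic time-of-check/time-of-use window. As an added illustration of the defensive side (not Adobe's or Forshaw's code), the POSIX broker below validates a move request and then performs the rename against the very directory handles it validated, so a path component that is swapped for a symlink, the POSIX analogue of an NTFS junction, is refused rather than followed; the root layout, file names and PolicyViolation class are made up for the example.

```python
import os
import tempfile
class PolicyViolation(Exception): pass

def open_dir_nofollow(root, rel_dir):
    """Open root/rel_dir one component at a time with O_NOFOLLOW|O_DIRECTORY; a
    symlink (POSIX analogue of an NTFS junction) raises instead of being followed."""
    parts = [p for p in rel_dir.split("/") if p]
    if ".." in parts:
        raise PolicyViolation("parent traversal is not allowed")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    for part in parts:
        try:
            nfd = os.open(part, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY, dir_fd=fd)
        except OSError as exc:  # ELOOP when 'part' is (or became) a symlink
            os.close(fd)
            raise PolicyViolation(f"{part!r}: {exc.strerror}") from None
        os.close(fd)
        fd = nfd
    return fd

def broker_move(root, src_rel, dst_rel):
    """Rename relative to the directory fds the check itself opened, so the
    path string is never re-resolved between the check and the operation."""
    src_dir, src_name = os.path.split(src_rel)
    dst_dir, dst_name = os.path.split(dst_rel)
    if not (src_name and dst_name):
        raise PolicyViolation("leaf must be a file name")
    sfd = open_dir_nofollow(root, src_dir)
    try:
        dfd = open_dir_nofollow(root, dst_dir)
        try:
            os.rename(src_name, dst_name, src_dir_fd=sfd, dst_dir_fd=dfd)
        finally:
            os.close(dfd)
    finally:
        os.close(sfd)

def demo():
    # Constructed layout: a move through a symlink is refused, a plain move works.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        open(os.path.join(root, "doc.pdf"), "w").close()
        os.symlink(os.path.dirname(root), os.path.join(root, "link"))  # points outside root
        try:
            broker_move(root, "doc.pdf", "link/doc.pdf")
            refused = False
        except PolicyViolation:
            refused = True
        broker_move(root, "doc.pdf", "sub/doc.pdf")
        return {"junction_refused": refused, "legit_moved": os.path.exists(os.path.join(root, "sub", "doc.pdf"))}
```

Opening each component with O_NOFOLLOW and renaming via dir_fd is the handle-based equivalent of performing the Windows move on an already-validated file handle instead of re-resolving a path.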

Adobe updated the application to build 11.0.9, but the researcher says the problem persists in this version as well. However, the company does appear to have taken steps to ensure that users are not at risk.

Forshaw says that defense-in-depth changes in the latest Reader release make the bug “difficult if not impossible to exploit.”

The bottom line is that, at the moment, sandboxed code can no longer create the directory junctions it would need in order to write an arbitrary file on the system.
