"One font vulnerability to rule them all" A story of cross-software ownage, shared codebases and advanced exploitation

Video thumbnail (Frame 0) Video thumbnail (Frame 10830) Video thumbnail (Frame 15055) Video thumbnail (Frame 25234) Video thumbnail (Frame 27173) Video thumbnail (Frame 28431) Video thumbnail (Frame 30735) Video thumbnail (Frame 37814) Video thumbnail (Frame 40536) Video thumbnail (Frame 50690) Video thumbnail (Frame 52207) Video thumbnail (Frame 54132) Video thumbnail (Frame 58169) Video thumbnail (Frame 64113) Video thumbnail (Frame 68969) Video thumbnail (Frame 71372) Video thumbnail (Frame 72664) Video thumbnail (Frame 73956) Video thumbnail (Frame 77115) Video thumbnail (Frame 83260) Video thumbnail (Frame 91608) Video thumbnail (Frame 92992) Video thumbnail (Frame 96921) Video thumbnail (Frame 98427)
Video in TIB AV-Portal: "One font vulnerability to rule them all" A story of cross-software ownage, shared codebases and advanced exploitation

Formal Metadata

"One font vulnerability to rule them all" A story of cross-software ownage, shared codebases and advanced exploitation
Title of Series
Part Number
Number of Parts
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
"Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild. Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs. In this presentation, we will outline the current state of the art with regards to font security research, followed by an in-depth analysis of the root cause and reliable exploitation process of a number of recently discovered vulnerabilities, including several full exploit chains. In particular, we will demonstrate how a universal PDF file could be crafted to fully compromise the security of a Windows 8.1 x86/x64 operating system via just a single vulnerability found in both Adobe Reader and the Adobe Type Manager Font Driver used by the Windows kernel."
Computer virus Computer program Musical ensemble Context awareness Length State of matter Multiplication sign Range (statistics) 1 (number) Numbering scheme Primitive (album) Shape (magazine) Computer font Mereology Data dictionary Subset Bit rate Core dump Extension (kinesiology) Information security Monster group Physical system Vulnerability (computing) File format Closed set Stress (mechanics) Fitness function Electronic mailing list Bit Flow separation Degree (graph theory) Type theory Category of being Data management Order (biology) Buffer solution Escape character Data type Resultant Point (geometry) Slide rule Computer file Parity (mathematics) Real number Device driver Online help Streaming media Code Product (business) Latent heat String (computer science) Operator (mathematics) Energy level Integer Data structure Set theory Form (programming) Multiplication Information Line (geometry) Exploit (computer security) System call Word Kernel (computing) Physical constant Interpreter (computing) Window
Point (geometry) Implementation Random number generation Computer file Open set Computer font Data dictionary Mereology Stack (abstract data type) Latent heat Differenz <Mathematik> Operator (mathematics) String (computer science) Software testing Data structure Absolute value Form (programming) Addition Multiplication File format Constructor (object-oriented programming) Electronic mailing list Stress (mechanics) Limit (category theory) Exploit (computer security) Type theory Subject indexing Data management Kernel (computing) Computer animation Software Order (biology) Table (information) Spacetime
Functional programming Presentation of a group Musical ensemble State of matter Multiplication sign Direction (geometry) Parameter (computer programming) Computer font Mereology Data dictionary Different (Kate Ryan album) Cuboid Information security Physical system Collaborationism Constraint (mathematics) File format Software developer Electronic mailing list Shared memory Maxima and minima Bit Variable (mathematics) Degree (graph theory) Type theory Message passing Process (computing) Internet service provider Order (biology) Volumenvisualisierung Right angle Quicksort Asynchronous Transfer Mode Reverse engineering Implementation Server (computing) Computer file Letterpress printing Device driver Branch (computer science) Web browser Code Theory Field (computer science) Product (business) Revision control Internetworking Operator (mathematics) String (computer science) Energy level Software testing Set theory Address space Computer architecture Task (computing) Condition number Dependent and independent variables Graph (mathematics) Matching (graph theory) Information Military base Counting Limit (category theory) System call Symbol table Graphical user interface Kernel (computing) Computer animation Software Personal digital assistant Finite-state machine Active contour model Window Operating system Library (computing)
Functional programming Context awareness Open set Stack (abstract data type) Mereology Computer font Element (mathematics) Array data structure Latent heat Data compression Different (Kate Ryan album) String (computer science) Address space Graph (mathematics) Expression Line (geometry) Type theory Message passing Pointer (computer programming) Computer animation Personal digital assistant Interpreter (computing) Statement (computer science) Right angle Window
Point (geometry) Memory management Bit Computer font Code Type theory Kernel (computing) Computer animation Internetworking Semiconductor memory Order (biology) Cuboid Summierbarkeit Remote procedure call Window Computing platform
Functional programming Greatest element State of matter Length View (database) Multiplication sign 1 (number) Parameter (computer programming) Stack (abstract data type) Data dictionary Mereology Neuroinformatik Medical imaging Semiconductor memory Forest Information security Vulnerability (computing) Touchscreen Bit Maxima and minima Sequence Orbit Message passing Process (computing) Vector space Buffer solution output Summierbarkeit Resultant Spacetime Point (geometry) Numbering scheme Game controller Code Revision control Differenz <Mathematik> Well-formed formula Operator (mathematics) String (computer science) Boundary value problem Address space Condition number User interface Addition Multiplication Scaling (geometry) Chemical equation Expression Memory management Bound state Cartesian coordinate system Exploit (computer security) Pointer (computer programming) Loop (music) Kernel (computing) Computer animation Personal digital assistant Interpreter (computing) Table (information) Spectrum (functional analysis) Window
Logical constant Functional programming Randomization Group action INTEGRAL Coroutine 1 (number) Stack (abstract data type) Array data structure Bit rate Square number Negative number Einheitswurzel Information security Physical system Vulnerability (computing) Area Constructor (object-oriented programming) Sound effect Bit Type theory Order (biology) Right angle Point (geometry) Game controller Implementation Numbering scheme Token ring Rule of inference Theory Element (mathematics) Revision control Root Operator (mathematics) Reduction of order Energy level Set theory Address space Condition number Form (programming) Addition Bound state Division (mathematics) Volume (thermodynamics) Cartesian coordinate system Exploit (computer security) Subject indexing Pointer (computer programming) Kernel (computing) Computer animation Personal digital assistant Calculation Local ring Window Computer worm Library (computing)
Functional programming Implementation Game controller Computer file Multiplication sign Range (statistics) Parameter (computer programming) Code Power (physics) Population density Object-oriented programming Computer configuration Linker (computing) String (computer science) File system Ideal (ethics) Cuboid Address space Set theory Sampling (statistics) Bit Directory service Exploit (computer security) Electronic signature Proof theory Category of being Message passing Process (computing) Kernel (computing) Computer animation Visualization (computer graphics) Order (biology) Volumenvisualisierung Writing Window Library (computing) Computer worm
Functional programming Presentation of a group Stochastic process Computer font Semiconductor memory Different (Kate Ryan album) Computer configuration Single-precision floating-point format Gauß-Fehlerintegral Endliche Modelltheorie Resource allocation Partition (number theory) Descriptive statistics Physical system Social class Office <Programm> Email Structural load Data storage device Bit Type theory Proof theory Arithmetic mean Process (computing) Order (biology) Buffer solution Pattern language Right angle Remote procedure call Procedural programming Quicksort Resultant Reverse engineering Point (geometry) Numbering scheme Computer file Electronic data interchange Token ring Tape drive Streaming media Field (computer science) Object-oriented programming Internetworking Robotics Operator (mathematics) Software testing Data structure Nichtlineares Gleichungssystem Computing platform Hydraulic jump Address space Form (programming) Condition number User interface Dialect Information System call Exploit (computer security) Uniform resource locator Kernel (computing) Computer animation Personal digital assistant Window Operating system
Functional programming Device driver Bit Computer font Flow separation Code Preprocessor Process (computing) Pointer (computer programming) Computer animation Semiconductor memory Operator (mathematics) Calculation Remote procedure call Set theory Asynchronous Transfer Mode Exception handling Prolog Computer worm
Revision control Pairwise comparison Computer file Image resolution Calculation Bit Operating system Window Physical system
Windows Registry Musical ensemble State of matter Multiplication sign Primitive (album) Open set Mereology Code Latent heat Sign (mathematics) Object-oriented programming Semiconductor memory Address space Vulnerability (computing) Form (programming) Enterprise architecture File format Structural load Data storage device Bound state Bit Exploit (computer security) Type theory Subject indexing Word Uniform resource locator Kernel (computing) Pointer (computer programming) Computer animation Order (biology) Buffer solution Right angle Buffer overflow Window Resultant
Logical constant Axiom of choice Functional programming Computer program Group action Run time (program lifecycle phase) INTEGRAL Stochastic process Length State of matter Ferry Corsten Multiplication sign Coma Berenices Parameter (computer programming) Mereology Disk read-and-write head Usability Preprocessor Sign (mathematics) Semiconductor memory Single-precision floating-point format Formal verification Cuboid Resource allocation Information security Social class Vulnerability (computing) Physical system Exception handling Identity management Structural load Data storage device Electronic mailing list Bit Virtualization Type theory Befehlsprozessor Process (computing) Order (biology) Interrupt <Informatik> Resultant Writing Reading (process) Asynchronous Transfer Mode Spacetime Windows Registry Point (geometry) Web page Numbering scheme Game controller Virtual machine Control flow Online help Menu (computing) Code Theory Revision control Latent heat Operator (mathematics) String (computer science) Software testing Data structure Router (computing) Hydraulic jump Set theory Address space Condition number Form (programming) Default (computer science) Dialect Dependent and independent variables Information Uniqueness quantification Cellular automaton Content (media) Cartesian coordinate system Limit (category theory) System call Exploit (computer security) Subject indexing Word Pointer (computer programming) Kernel (computing) Loop (music) Computer animation Personal digital assistant Funktionspunktmethode Interpreter (computing) Window
Revision control Computer animation Multiplication sign Calculation Bit Window Physical system
Functional programming Context awareness Presentation of a group Machine code State of matter Multiplication sign 1 (number) Stack (abstract data type) Mereology Mathematics Semiconductor memory Single-precision floating-point format String (computer science) Cuboid Information security Address space Physical system Vulnerability (computing) Standard deviation Dependent and independent variables File format Military base Cellular automaton Content (media) Bit Price index Proof theory Word Befehlsprozessor Kernel (computing) Voting Software Right angle HTTP cookie Window Spacetime
Computer animation
the who a group at a at a a lot but if you look at the issue here in the i have the very thing you and so welcome to
my talk but today we will be talking about performance again this is the 2nd from stock at recon on but it's not about TTF but it's about posted fonts and specifically about the research that I performed uh regarding posted phone security and so about myself
I also or contradict 0 how similar to Steve I am passionate about levels of security as he will rise you'll see also plays CDs I am the vise captain sector and have a look and sweeter I don't post very often but I will definitely put the slides and some additional details about the research for this by the way aquatic extensive so in this talk i'm only actually talking about on the exploitation of 1 the but that I found but they're more blacks and I think all of them are quite interesting so I will be following up with some additional information about all of those of those findings later on so if you're interested in stock and the salesman that amusia to subject to these things so today we will talk about 1st we'll talk about the general structure of type 1 and opened a fonts and then we'll talk about what the Adobe Type Manager from drivers in the Windows kernel and what call races also share the same code because this is actually going to be quite an important part of the talk and then we'll talk about exploitation of 1 specific vulnerability of which has 2 CDs assigned to it but it's actually 1 by our 1st we're going to all Adobe Reader 11 on Windows 8 1 at 32 bits and then we're going to do the same thing and 64 bits with the help of another vulnerability and then I will provide some further thoughts so let's start with a very short primary way of of frost posted forms basically they now have over 30 years other we introduce them in 1984 so actually introduce new types of PostScript fonts state 1 and I 3 forms the 1st that type of makes it only possible to use a set of subset of the posted functionality and take the forms that can use all of its and taken from that actually the other common formats that we're going to talk about and there were originally closed-form outside of the early releases this occasion after a few years after couple started working on a on Competition close to the so the general and structure of the type 1 outcomes is very simple is basically like a postscript file containing dictionaries and primitive types such as integers numbers and real numbers and some other stuff and they also have some nested dictionaries and overall it just basically specifies a just several numbers are specifying the properties of the font and apart from this in Type 1 fonts you also have something caught charts trust strings aren't this is going to be a word that I'm I'm going to be using a lot today and stress strings are basically like PostScript but programs that are used to actually draw all of the outlines of a of so here you can see an example of clustering which consists of immediate values that are pushed on the postage and also some of our operations that are being performed using those values so overall and this just string draws the at during 1 of the points that do so overall there is occasion context of strings in that 1 consists of 3 main parts as we had instruction stream which is basically like a buffer with all of the restrictions that are encoded in that a type 1 file and then we have something called the operand stack which is basically the stack and we also have been posted an intact 1 it is able to store up to 24 numbers which are 32 bits and interestingly various instructions actually take different parts of those values so some of those use the full 32 bit and some of those is only 16 bits of those and we also have something called the size and the rate at which is also going to be very useful to us today and this is just a helper value that is not a that it's just an addressable of parity that we can control the some degree so we can construct the length of its I using and married value instead of dictionary and we also can play initialize it using a B another private dictionary Dictionary of the font so it's not really documented and where that I know of but still most interpreters implemented so this means that Prodi some fun started using it and and so the the products that were forced to implement it so when it comes to the operators have themselves so the instructions we have at several types of instructions they're mostly about just drawing the develops but there are also some scientific commands and 17 commands because they're subroutines and at 1 and also we can just push values to the stack using the byte range 32 to 205 55 I would virus and the length of the instruction in order to be able to to encode the full 32 bit range so here we can see I have a short excerpt of the operators that are available data type 1 fonts taken from the official specification so there is there isn't too many of them as you can see most most of them are related to this drawing lines and some other stuff like that but we have 1 interesting instruction which is called this so this is Derek instruction and and yeah in general we have an escape instruction can encode some more interesting ones that that didn't fit into their original encoding and as you could see some of those ideas were missing and now but it wasn't really it is that we to look at this list but data on the reason for this is that basically up between the time that the specification was released and today it was actually I have up evolving very dynamically so that a specific asian changed introducing some operands and operations and removing some others so that is basically the the reason for this and other interesting that property of Type 1 fonts is they they have to be there have to be at least 2 fires in order to real to them at least in the Windows system so we needed to give the file which is basically the core of the funds and we have the TFM file which is the metrics by and there is also a 3rd file that is optional which is related to Multiple Master fonts so just a brief I Introduction to Multiple Master fonts at its it basically an extension of Type 1 fonts that other be introduced several data has several years after type on phones and it just makes it possible to specify 2 or more monsters that you can interpolate between fonts to be able to get different results and not the power of dependent on the specific shape of the glyph but had it more than and so this is
an example of how this would seem on but yeah Multiple
Master fonts were only supported in Adobe Type Manager I released in 1990 and it was the 1st program by later properly also restaurants type 1 forms which is an obvious because Adobe was the inventor of the of the format and Multiple Master fonts where 3 adopted worldwide but partially due to the advent of open diet so there only a couple of Multiple Master fonts existing in the world and where are mostly created by and of itself however the interesting thing is that they are supported by Microsoft GDI so adding the kernel and also what of you read but when it comes to open type it was
released by both Microsoft and Adobe i which work together to create something that would supersede both type 1 fonts and it's basically more of the same there are several major differences such as that there's only 1 file required instead of 2 in order to have the font loaded Our previously textual data such as the dictionaries that were at the beginning of the file were converted to compact binary form so they can consume less space and the testing specification which is the most important part of our significant was significantly extended so they introduced a lot lot lot new instructions and also deprecated or removed some of them so you can see the list of operands or operators so from the OpenID specification considered a a lot more so our specifically they introduced a lot of new instructions so for drawing glyphs and for hinting so that other fonts would be rendered nicely at small point sizes but there is also several constructions that are very interesting from possibly from the exploitation standpoint because they're like Newark admitted loading instructions status and or not absolute value addition subtraction and stuff like that we also have some new instructions for managing this back so we can duplicate the tops the value we can exchange values on the stack get a specific that get a value from a specific index on the stack and stuff like that but also some very weird instruction set as for example the on the 1 we just supposed to insert the random number into the operand stack and we know where font would like to have any nondeterministic step instead of trusting but that it's it wasn't the mentation and so that's most interesting stuff and if we also look at the open sification had to be very on the very end of it there's a very interesting table which specifies all of the limits for all of the structures that should be used for implementing open and stress strings so that is actually a very good starting point for our ability hunting so we can verify that all of those limits insurrection followed by the implementation of the looking into so now let's let's look into the Adobe Type Manager software
basically it was created by Adobe to render Type 1 fonts and it was ported to very early versions of Windows by patching into very high and very low level of the operating system in order to provide kind of Native support for it but Windows NT at any time and this architecture made it kind of impossible to do it anymore so 1st Microsoft would got a low converting Type 1 fonts into TrueType modern system installation and later on in Windows snake and he for our they added to the ATM as a 3rd party from the driver called ATM DLL and it's there until today and stealth they're still in Windows 8 1 arrest arising over on both
fonts so why and why am I talking about all of this well basically I due today must collaboration of vendors during the early days of on development if 1 vendor create again and created an implementation for a specific format they would often shared with the other vendors in order to make sure that it will be widely adopted so that's also what happened we B so that they lie a license the code to Microsoft as a human being and then Microsoft use the coating Windows GDI so the Windows kernel used to uh does does this to render fonts and there's also the direct right library which is a user land library which render response and it is used in for example web browsers such as Internet Explorer Chrome Firefox etc. others also Windows Presentation Foundation which uses the cold and there's a c Adobe Reader by Adobe itself which also has the same common ancestor us all of those other products and the important part is that we will find a single back in the posted implementation OTS or type 1 then now it's very likely that there's bad or some other box might be also common across the other products so this is kind of scary from a security standpoint the but there is some good news if you think about it and it's only the common ancestor of those different code bases its spots really out through the same branch so far it's been living in a different branch is maintained by different groups of people are since out like many many years so it also received a very degree of attention from the security community because some people are only looking back in the Windows kernel and and probably checking if the same bags applied to other be reader for example because they are not interested in that so the good news would be that they don't have to be really affected by the exact same set of box right but this is also bad news and I think it's more bad news the good news because you could actually take all of those different bases and trusted them and to check what sanity checks that exist in some of them and don't Indiana's and you know derive like real 0 is from that so it's not a very good situation so I decided to do is to model yielded digestion state machine had it was implemented in other we don't manager and see if I can find anything there and maybe something that would also on river another software so that's that's their work week primary into reverse engineering and he and the and the 1st thing you see once you loaded in Ireland is that it doesn't have on the symbols available from the Microsoft symbol server because it's basically not like about the code so they don't make the symbols available we unfortunately have to stick with on the names most and address or whatever Our so this is actually quite a bit of interesting information that was missing and I suspect that this might be a reason why it's it was less theory of it and convert to winter debate which has all of the symbols available because the entry of our is actually quite quite high but if we think about it and if we a call that's their share codebases maybe we can actually make the a advantage of the fact that there great and the Windows Presentation Foundation after the same code so maybe we could you know see what the symbols are and those libraries and then but in somehow some way home put them to work with ATM at the and it's definitely possible we can do it and with some functions but there's another very interesting way in which is something that color flake noticed and the thing is that of the has some long time ago actually released some builds of reader out we did about symbols enabled articles we therefore for x and a reader 5 for Windows so what is also included the font engine gene pool type and uh since the code even though it it was very very old ideas were there all right now but it hasn't really changed fundamentally so that there also there are many things that you can take from the old school that many symbols that you can actually just take and put into a team at the end they will work because the functions are very similar and so but this is basically like several of function names that are quite useful from from the old version of that and there is also a bright states have there there are some things in a human didn't help us reversing it 1st of all the other a lot of the bad messages they're not 3 printed out so that there there aren't any debit print and function calls but there are some function calls actually like stops that could have been enabled and probably are enabled in some the deals but they are not enabled the real builds but that the match strings are still there so we have things like variable names both local and global we have some function names are the conditions that the and wanted to and the to be met but haven't been met in case of some assertions those as some sort of a soft spot file paths and stuff like that so it's it's a lot of useful information and that also like type 1 constraint data also the names of the fields that are expected in the dictionaries of Type 1 fonts are you can see some of them here and there are really a lot of them and are very useful so if we wanted to find the single function they interpreted that does all of the testing process in it's really not a very difficult task because 1st of all it has a lot of cross references to art debit messages which are directly related to trust strings as you can see here for example as said as messages saying unstable underflow or arguments count at and the name of of operator from trusted and and 2nd of all if you look at the list of functions the function is actually the largest 1 in the file it has over 20 get kilobytes and it's like 5 times larger than the 2nd largest function in the file so it's really enormous I looks like this in 82 in hideout and actually had to increase the maximum limit of nodes that would be willing to render as a graph because a thousand wasn't enough so it's it's really huge
and if we want to have a confirmation that this is actually right function we can take a look at the bright Windows Presentation Foundation and see that this is the name of the function is actually type 1 in transferring or in the simplest with iPads do that 1 interpret Justin and what the function as you could also see it in the graph the before is that if the Giants which case statements hot handling all of those different instructions in line instead of this function so it's quite simple in general it's just you basically reads some the bite of the charge string and then outperforms the switch case but expression and 1 other interesting or important thing is that the PostScript operand stack which are in open is 40 of 48 elements long is also on the local stock of the interpreter function so it's called P as the case became or all the operand stack and this is the name that was used in the bag messages from medium so I know for sure that it was like that in the source code and we also have a pointer to that are called copious is the which at the beginning of the function of disappointed at the beginning of the of the array and the arrays in the same context of the return address and the other stack frames and stuff like that so and
so the question is like very important question is where is the function so large right because there aren't that many instructions and there are so 1st of all and the function is responsible for both executing type 1 and type 2 which they were OpenType just strings so i'd is used for both of them and ants this this could be useful because Type 1 fonts and now have access to all of the open that instructions and and vise versa and the other thing is that ATM immediately implements every single feature that was ever part of any of type 1 out of a type 1 or open types but specifications so even if there's a given feature was only there for like a year or 2 and it was long forgotten I hate him and he still supported so even the most obsolete deprecated or forgotten once
and yes so I was really enthusiastic when I learned about all of this because it's like basically the perfect perfect starting point for a honorably to researchers and I just wanted to
sum up and the findings that I had during this research because I'm not going to be talking about all of them so there were some quite low-severity bucks that were just like Dulcis innate human D and or small memory disclosures but there was also very interesting memory disclosure that affected all of those called racist so you would use that 1 but to actually this goes on memory from the heap of Internet Explorer and Adobe Reader and Microsoft Windows kernel so on it's what it's another 1 back to rule them all and there are also quite a few bucks that had high-severity so they could be too remote code execution or elevation of privileges in the Windows kernel and the 3 most important 1 were found in both Adobe Reader and the Windows kernel including the 1 that I'm and I'm going to talk about so on the the bottom-most so yeah let's look into the box basic legal out remark of execution in out of the reader and elevation of privileges in the Windows kernel or perhaps also remote code that code execution in the Windows kernel as well but unfortunately all it only affected 32 bits of platforms but as we will see that might not really be a huge problem and it was reproducible we just type 1 fonts but Adobe Reader and Windows kernel supports type 1 support at 1 point so that it's not a problem as well and in order to
to understand the vulnerability you have to look into the the operator that it is in it's in the plant operator and that's why the the body itself is what's called land will orbit by myself and it's related to different forgotten Multiple Master fonts other than operator itself was introduced in 1988 and it was only there for like 2 years now then it was deleted but obviously a medium and is still still has support for and I'm not really going to be talking about the details of what it does on the logical level but for for us it's important that it pops out k times and arguments from the operand stack and where it where k is the number of master designs which is equivalent to the lon of a white vector or table specified in the private Dutch dictionary and N is is a controlled signed 16 bit value which is loaded from the opera and stuff so it pops up a semi-controlled a number of arguments from the stack and then pushes and values back so if you look at the code you can actually see that the interpreter or maybe the devil offer rather had a very good intention to verify that the specified number of arguments are present on the stack and that everything will everything will find on so there is a check whether the stack pointer is within the bounds of the stack buffer itself and there's a check whether there is at least 1 item on the stock which is the n value that we're going to pop I'd also checked whether there are enough items on the stack and heap there is enough space to push their values onto the stack later on and you could also see that's not what was set what some of those conditions actually where in the bottom because they were and the but messages as well but it turns out that even tho they have made a lot of effort to actually check all of those conditions they missed 1 corner case which is a negative value of so uh and that the value of and thus all of those texts and each reach that do blend function which did for the things I which I described before so it loaded the input parameters from the start that some computation called blending operation and force the resulting value back so come from a technical point of view what happened is just OP is is decremented by this expression and at times for a obviously comes from the fact that on there's is the size of operands on the stock and yeah it's so pretty trivial so what happens for negative then is that no actual or pushing takes place in the do blind function but operand stack pointer is actually adjusted accordingly and accordingly to the formula that is shown so well with the Council 16 bit and we can actually arbitrary control the stack pointer are beyond the operand stack array and it is a security boundary because normally the stack should always be within that local array so it turns out we were quite lucky because even tho we can do it at the beginning of their main interpreter loop there is a check whether OK is peace not smaller than whole piece stock our and even than then basically is execution is aborted but there is no singular check for whether appears these larger than operand stacks so whether it hasn't gone beyond that from the other site and thanks to this we can actually have this inconsistent state with the other ones pointer and still execute part instructions which is very good so what we can do with this is that if we set a very large and the maximum length of white vector 16 so we we set it to 16 values then we can increase the operand stack by as much as almost 2 megabytes on the stack and this is well beyond the bacteria itself so we could maybe pointed to somewhere else such as like the Hebrew school or executable images etc. but if we set it and the white vector to something to an array which is less and which is often do so then we can have a very great rat run the reality of the of the axis of the of the control of the pointer so we just issue talk amongst minus X blend sequence then we can set copious speed to any offset relative to all ground stock with the granularity of 4 bytes for example if we look at the spectrum of the interpreter function and what happens is that if we had an operand stack and then the difference of between them at the beginning of the operand stack array and the return address is 300 40 90 works than he proposed minds 349 then performed a blend operation and a pointer will go out of balance and then we performed exchange operation exchanging the to top of values on the stack what we will do is we'll just self lead there at Annapolis and our safety ADP value and if we don't issue and enter commands we will have forests that the returned from the injury but the function and obviously everything will go
that we will get some of the screen of that showing that the process of try to execute nonexecutable memory which is the stack so this is obviously quite but on that it gets even better because it turns out that we can use all of the supported opera operators from 1 from the char strings such as addition subtraction the arithmetical about our and this is my this pretty much sufficient to create like a full rupturing using just drawstrings themselves and so yes so as a result the bag enables the creation of a hundred per cent reliable clustering explained which subverts basically all of modern exploit mediations speckled is obviously because I can control where on the stack can modify data that is our because you can just build are opting for yourself SMAP etc. are both Adobe Reader and Windows kernel were affected so this means that you can get see in Adobe Reader and then you'll kinda window scale using this single by of yeah that's pretty interesting ideas out but yeah 64 bits and the problem as i said because if you look at the code then it turns out that the end times master designs expression is passed on salient out before it is added to the US 64 bit pointer of operand stock and then if you specify a negative and valued and the whole of the full expression will fail so the you will execute and we will just be aborted but so the fact is that there are no 64 bits uh version of Adobe Reader to my current dollars so we can see all of the reader and for 64 bit Windows kernel we have still some our formed but that we can exploit to get you so that the sum of sexual exploitation
OK so the overall goal would be to prepare pdf which are of calculator I in their latest other be reader that is affected by the vulnerability on Windows 8 . 1 up for both 32 bit and 64 bit versions of Windows and make it 100 per cent reliable are achieve high integrity level obviously or and the other reduce system security token for the calculator so this means that we want the full system compromised as subverting all available exploit mediations because the vulnerability of us to do this and that since there are no 64 bits of other be reader industry in a single pdf that will exploit the vulnerability and then I instead of the 2nd stand payloads second-stage built we can differentiate between 32 bit and 64 bit kernels and attacked them accordingly so let's start with a data user and explain so on it's really not that great uh as I said before so even though we can set the OP is the pointer well outside of the local stock array are not not really all of the all all operators will work and specifically all operators that actually not increase P is the are checked with a if it's still within bounds me in order to to follow the rule that the function that the pointer should always some point within the local rate so this for example makes it impossible to write come constants in the normal way by just pushing values there because we will be aborted immediately and some other instructions that has that applicator pulp art couples routine random ancestor are forbidden as well so here is an example basically you can see that the 1st thing that the random our implementation does is that it checks whether the OPS B is not larger than than the end of the star and if it is just of what's however I would not not really lost in this situation because there are some comments which rights to this fact but do not increase the stack pointer because it also pop some values from the start foreign and if that happens so in case of those instructions the actually don't check your P is the point at all because they don't we have reason to do to do it because you know if all of the instructions that doing visit check for the condition that in theory it should also be was all it should also be fine our in in cases of those instructions of increases so the lack of the safety net basically makes this vulnerability exploitable and there aren't too many Protestant instructions which makes as possible to write a start but elements it's quite it's it's a few of them so we have like arithmetic instructions that as addition negation division but but we also have some other interesting ones such as get value from the stock and get value from transboundary and we can exchange value on the stock so maybe we can try to do something with this on so well if we think about what we can do in this in this condition we could maybe try to use the index instruction that was my 1st thought because it replaces the tops that at him with the 1 x items below the top where x is the is the origin of life from the stack however it couldn't really work because we don't we control the x under our operands point right and also their arithmetic instructions don't really help us even because we don't control the origin of instructions and they do require controlled or controlled operands for us but it's not really hopeless there is this 1 other instruction and that's called my attention which is get it replaces the index with a value from the corresponding index from the trans and rate so the 1st the 1st idea was that since they index is only 16 bits maybe we could you know put to value that you want to put into the stock at a specific place into all of those uh transits array entries and of course make it's a sufficiently long so that it is full of those values and then we are sure that the index will work in the area and we will get the right value but there others some problems with this 1st of all of our 65 thousands of instructions just just put a single constant at a single specific place in this type it's not really very efficient and the index is also 16 bit value so if the is the original value was a negative number that can get it also bailout but the absolute construction may be fixed this but I haven't checked our however there is a much more smarter how way to do it because we actually can control the volume somehow our which is basically a directly under OPS B and this is the square root instruction so that when square instruction does is that it just puts a square root of the previous value on the stack in place of the old 1 hour so the idea is that after 5 subsequent invocation of distraction whatever was that originally understand we end up with a with fighter was 0 is the original value was 0 or 1 if the value was non-zero after 5 invocation of square root practices can have this and then if we perform these operations and we used a get operation that they're operand for the get operation will either be 0 or 1 so let's see an example of how we could write some data to the stock are let's say we want to put the value 3 1 3 3 7 so we 1st put it on the operand stack and applicators then put it into the trans array index is 0 and 1 using the put operations then we shift the operand stack pointer using the blend but so we put a minus a hundred and and land of OK then we just execute 5 square root instructions so we can see that that the original values basically decreasing until the point where the highest 16 bits which are our idea agreement forget become 1 and then we just you should get instruction which fetches the data from the trans and rate and we have to control the volume under on the stack whatever we want so the other thing that you would like to want to create a full rupture and is sigh region is the data from the start because we cannot we could create a rupture just based on inserting constants so we we have to perform some operations based on existing data from start for example create to calculate the absence of rock and so we can use a similar trick we can just use the square root instruction to either also get a 0 or 1 and then use the put instruction to put 1 value which is before the 0 1 into the trans and array and then he would preinitialized the constant array of 1st went to school to zeros and then after we read evaluate some both entries we will basically end up with a value that we want and another thing that you would like to do is I have 2 operand stack pointer are reset back to the original address of the beginning of the operand stacks so that we can perform further operations there and it turns out that there is a set of 100 . instruction which does exactly that with no side effects so let's see another example of
how we basically just put as 0 have got to get it on operand stack then put it to 0 so inside of the trans and array to allocate sought to to initialize those 2 entries and then we again shift operand stack pointer form 5 square roots and then we put the value that we went into the trans and array it will be an index 1 because the original data was and then we reset the stack pointer we get both transient and array index is 0 and 1 into the operand stack with to get instructions we sound both of those uh that both of those numbers and at this point we have red our number color value from the stock so at this point we can therefore many operations we like for example we can subtract and specific value from from that address In order to get that base address of of some library to want to use for opting and so this gives us
all we need to actually create a reliable abrupt end and so we cannot think about what option could do to make it as elegant for us to make it as elegant as possible for us to to continue the exploitation so 1 thing would be to call a library with that path to the exploit PDF itself and because the PDF magic doesn't really have to appear at the beginning of the file can be somewhere later on I think in the 1st kilobyte of something so we could just create a binary polyglot which would be both at P and a PDF file and the p if I would give you deal that has the 2nd stage of code that we can execute and Bertini has already done as a proof of concept doesn't 12 however i . 2 problems that we have to overcome 1st of all this is that the problem is that there there's no 1 pointed to want to the power of our file on the threats stock so we cannot just copy of the address of the string and provided as parameter to load library and the other thing is that for whatever reason I don't know really what it is is that Adobe Reader recently begun rejecting PDF files that start specifically with the density signature of so that won't work so
easily so we have to settle for a less elegant solution but that is quite standard so we would like basically to call your 12 protect over stock in order to make it both readable writable and executable and then also put that 1st stage failed to their and and that's it and the next and then headed that so and the 1st so the 1st frame of the rope is just that's internal implementation of the get proprietors which takes the value of a function set of kernels 33 uh at 32 and then just jumps to it there so it's pretty simple it's just several the works of the rocks and you can see you can see here in divided it works we have like arbitrary code execution set of Adobe Reader from the stuff that is very good OK so even know that works I wasn't really convinced to writing a 2nd stage font-related with again exploiting not simply in order to what that 18 of the uh it's definitely possible but it's a it's a bit of a pain guess so I still wanted to have a control DLL loaded the the library after all so that I can write the 2nd stage built in IRC + + preferably and to our advantage 1st of all the renderer process at the time of the exploitation holds inactive hormone to be explained deified we've read access and secondly even though the rendered at the samples processes so quite limited when it comes to writing have capabilities to the file system it can rise to a temporary directory in update out of your property like so far the ideal would be to compile a 2nd stage the yellow would be explained pdf file specified in this that leave as a linker option in visual studio in order to create a polyglot and then replays of course that tool 1st magic bytes with something else for example small and the letters and that way we create the PDF B polyglot and then in the ass and pale for that so I decided to do would be to iterate over all possible humble values from within some sensible range then get the name of each of the objects of the handles and see if it ends we found . pdf if it is then I just assume it's our PDF file because it's the only 1 are currently handled by the end of the process and I would say I'll write that the original and the signature after copying the file into the time temporary directory and then invoke LoadLibrary over that file within the temporary directory and you can see that after I did it worked pretty well I could actually write C + + second-stage payload and which show us a message box instead of of the readers so I could now right C + + code that could 11 privileges pretty
convenient so as I said before we can only know how we can have a single 2nd stage because there is only 1 because all 4 of Adobe the reader and it can basically um exploit both at 32 and 64 bit kernels we can we must only recognize the underlying system using a single API function and then we can drive exploitation accordingly in both cases we have to create a window and then the only difference is in the wings of window procedure so long about rendering the font because in order to an attack 1882 attributable in their ability to actually have to render the font or at least try to get it rendered so this requires several API calls to achieve so thus creating the window then loading that I exploit wanting to the system creating a handle to the font selecting it and then I finally our drawing some text using that font and it turns out that all of them actually work fine How instead of the sandbox because Swedish advances is not locked tonight or another the reader except 1 function and yet the most important 1 loading the phone so what I saw is that we do today doesn't really want to load any fonts by a function which by the way takes the final of the of the new fonts that we want to load and of the other the redesigned books so that's that's a bit of a problem and if we look if we look at the documentation we can see that there is another function for loading in Windows it's called platforms memories of sex which installed fonts directly from memory so that would be convenient because those in the problem was and that she was in France as much Our however it didn't really provide any means of loading of fonts consisting of 2 files so it's good to very well know GTF file or an all TFI but we needed to know the Type 1 font and but we couldn't really do it with this function and people on the Internet have also been wondering and and find a solution and I also confirmed that it was actually a problem but by reverse engineering with 32 K and there there are no other official or documented functions that we could use to actually shield type upon forms but obviously we reverse engineer so we can open up I don't see what our system calls there might be that reference the frontloading cold and it turns out that there is 1 1 from the related system call as well that is not documented in where called and T and NT DTI at remote font to be seen and if you type that into will I it will result in 0 0 results basically either officially or unofficially and if we stream the GDI graphics and just will for for the rest and we will see that there is 1 a result which is the description of microsoft office so we look at the description of the patterns I basically just says that the function can be used to load funds from memory similarly to other functions doesn't really give us too much information we have to do it by ourselves and now fortunately it's it's not similar to the error function that I mentioned it's not just robot robot buffer with funds data but it's font files that are preceded by phone header sorry by headed that specifies what the partition of the memories and to where in memory each of the fires that we want to know this so I had to reverse engineer the structure and itself so it contains sound like a number of fields that they're pretty easy to figure out how to initialize them so we just have to initialize the type conforms to 1 and that will make me 32 K to assume that we want to load a type of file and we can just say that the number of classes your because the weakest decay will and we know that we we need to look to files and then we specify the OPS offsets of the files and then after that I just want to date of the files and after we do this I confirm that the winter to the k will successfully load the files the tape on from from memory and so we will reach all of the relevant 18 medical of so we can actually at the beginning the
so 1 thing we have to consider is that where what where do we put all of those are kernel exploit fonts because since we want to create a single PDF of doing which is just a single file that about everything and pops Cox everywhere I we have to we have to embed a lot of information there so we can also tie either puts that are kernel exploiting the resources because of the yellow or we can just appended idea and of the file so this is the structure of my proof of concept file I can just see all of the information that I mentioned before so you have on a polyglot of pdf and the our which exploits Adobe Reader and then after that we have some partying and the exploits for 32 bit and 64 bit with the exploits of of the Windows kernel so far that's right acknowledged like 32 bit let's start with the debate because there is that this is the same with the ability that we can use with Adobe Reader and so if you if you know a little bit about Windows kernel and how it stores objects in memory know that elevation of privileges to spare you this very easy you have to just find like in a process that you know that is very privileged and you have to copy the security token of the process and copy that instead of the In structure that describes our processes that you want 1 of 8 and it can be really easy implemented in a short snippet of 86 as some sort a obstacle in a human you would be to 1st OK right of lexical memory copy that you'll be show called there I'm jump to the shellcode and have it do its job and then what is also important we have to clean recover up from this whole condition because we don't we want to the operating system to crush at that point so how it should be fairly easy overall because the testing explaination process is exactly the same as with Adobe Reader that that instruction I works in the same way I what what is also convenient is that the addresses of 8 him he did the other we cadences and and kernel are all on the stock so we can make use of all of rock guidance from all of those 3 models but options Starting with Windows 8 most memory collocations was kernel memory equations are allocated from the pool that is nonexecutable so we cannot really reuse some other out pull a location that is that was allocated from such false we have created an allocation by ourselves specifying the nonpaged wolflike which still allocates normal executable non-favorable memory that we can use to store the failed so this is how the 1888 him of Europe they look looks like it's also very very simple answer which is allocated some memory and then we adjust the registers like as a yes i EDI and seeks to point to the right memory regions we perform a copy operations to copy like 128 bytes or maybe some more into the new allocation and then we just jump into it and of course we have to have you'll keep a low on the status well to be able to copy it to the new allocation and after we do this we can see that it works as well pretty well we have to our kernel-mode execution in
ATM of the so what we have to do now is just right there you you shall code itself and it's just about as a set of drivers in several kernel-mode past lectures and replacing some pointers the only interesting thing here that I didn't mention is that we have to also if we want to spank operator we also have to be change the axes active process limited assigned to the job I to more than 1 because otherwise we will not be able to create and other process with the job on so we are so as since we haven't Spontal calculator yet because we are not able to do it but I decided that are my show code is just going to elevate the privileges of the out of the reader a 32 bit process and then after we have this I we can do anything from our 2nd stage the yellow and then at the end you're just jump into other 0 so all of the this is not really obvious why that would work out because it shouldn't really recover cleanly but it does it does because a human provide so there or other performs very aggressive exception handling and it handles all invalid you remote memory references and just ignores them as if nothing happened so it's actually not very nice for people that are fighting for example OpenType fonts because then if there was never ever an exception that resulted in values are more memory to father would never know about but on the other hand it's quite convenient for us here because we can just jump Weber 0 and 8 him and you would you would just take care of the rest and returned to use among us it's nothing happens so we can see that
it's it worked as well we can see that the payload once could actually elevated privileges of the 2 processes of out the reader and the final step would be just pop up a copy of calculator I using create process on but after after several minutes of trying to make this happen I realized that Adobe Reader books that chroma-based preprocessing function so we just have to restore it to to make it work and the and this is very simple we just put the original 5 by function prolog instead of of the memory so I have a light you know that I would like to show you I have to
get all missions prepared I don't know the
but the resolution is pretty low but the thing it should work anyway so we have to talk the PDF file its 1st see that on the
version of Adobe Reader is what we want what's working is slowly but yeah it's 11
0 10 and we can also
see that the operating system is Windows 8 well it's kind of obvious so can open the file OK
so the comparator popped up and then we can also see that it has elevated
privileges maybe I will do a
magnifier to make is that the visible
so long as there is scope to this now
it's not working very nice but you can see
that the calculator has elevated privileges so here that's the 32 bit for system compromise using 1 for the ability
be OK so I think I
still have a little bit of time so I can discuss this 64 bit exploitation of Windows kernel so but obviously as I said before we cannot make use of the previous but because it doesn't exist or rather it's mitigated by how the code was written so we have to use some other about and I had 3 objects when thinking about it and but there is a right where which works by an uninitialized pointer from the kernel pulls out there was a consul base buffer overflow and a limited pool based buffer underflow so I thought that the 1st one ability would actually prefer group provided the best mn primitives for us to perform the d'exploitation itself so let's learn about the vulnerability and also the makes it possible to do elevation of privileges also so and I will show up and so it represses on both large debtors and with type on an open forms so in order to understand the vulnerability we also have to look back and a very old specification from 1988 our where the registry object was defined so a registry of is also related to multiple masters i which by the way we're being tried to be introduced to the open Data format for a while but Our since it failed they dropped the idea and it was also subsequently removed from the specification in 2004 with all of the atom Whittaker must related things but of course they can to words so we have to learn about 2 instructions and drawstrings called store and load and these 2 are instructions basically copy memory between the Registry object enterprise and a so what the registry object is just an array of state 3 pointers and these pointers holds out the addresses of summer locations so we can address the registry object using indexes 0 1 or 2 as set in the the specification and yet this is the nice part so it says that if we try to do an out of bounds are index and results undefined which is also always a good sign the
specification because they might have gone it get it wrong and internally the registry items are basically starts and said over the their as in 3 item array of registry items structures we just store the size of the item and the pointer to the items and that verification of the registry index us of course exist does the box and note that are trivial but talking about the but here in the list of the action but not with the index that we specified is larger than 3 but they really should specify I should check for whether it is larger or equal than 3 but because the only valid thing this indexes are 0 1 and 2 so this is 1 of the all by 1 will or ability in accessing the registering and as a result using the load and store operators we can actually trigger the following men public calls with controlled constant array in size so we can either com of we can either copy into but that pointed at a specified by the 3rd entry in the registry operator we can read from and of course provided that the size of registry item 3 is larger than 0 and we have to remember that the variable is of type sign so the registry operator is part of the overall like that very large enough on state structure and what is very convenient for us is that it is uninitialized during the interpreter runtime so it halts whatever values were there when the structure was OK so this means that if we can spray such that we can control the whole structure of both the size and the data then we can have like unlimited read and write capabilities in the Windows kernel inside of the testing program so this is how we can how we can reproduce is vulnerability provided that we have sprayed the kernel pool and it's just a matter of 5 instructions 4 of them are just providing arguments to restore instruction are so it said the registry index and end offsets within the transmit array and registry items at the time and then the number of the words that we want to copy after that just called the store instruction and so far yeah the vulnerability of course so if we think about how we can know how we can spread it will allow and knowing that delegation that we want to spray is within a session full we can look up some existing research and it turns out that the argument was actually doing stuff stuff like that 2nd 2011 for Windows 7 and what he did is he just called a single function call set class long pointer which is sigh responsible for setting the unique old menu name of arbitrary then asso discusses we investigate ways to create an allocation of an arbitrary size and content which should be a unique of string and it still works today in Windows 8 1 so I was experimenting for a little while trying to see what our how many calls would suffice to have this memory regions breaks in the right way and so I came up with this like a nested loop to allocate this create allocations between the 2004 doesn't help 4 thousand bytes for a hundred times and an hour on all of my desk machines I the memory that we had to spray would be sprayed reliably with the data that we have to provide in this case it would be as 0 1 0 1 0 1 0 1 value for the size and then and invite kernel pointer for the data point and after we have this and I was sprayed memorable and actually I invoke all of those instructions shown in the title that we can see that the memory is actually being referenced and we have a write operation here so that was quite easy I guess we have now that we now have a right and read and write with were condition and the question is what you read and write because we're on Windows 8 . 1 trying to subvert all exploit deviations and as it turns out Microsoft actually went to great lengths to make it impossible to get any information about the kernel outer-space from within mode and specifically from within a low integrity processes and of course we would like to use whatever resources we have right now and not number and another theory and this
so there are still things that of Windows doesn't prevent us from acquiring about the parameter space and we have the 2 instructions that are quite useful called as a as ITT and as DDT art which just give us into user and the addresses of the and DDT CPU up structures inside of the kernel space so that they are available in user mode by default and they're really impossible to dissolve the slave or restrict that's operating system without using virtualization technology and so they provide us a very convenient and is are primitive in the world of Windows 8 from 1 kernel exploitation not so another interesting thing is that on CPU 0 in Windows and the structure of DDT and ITT and how there are placed in memory is quite but now peculiar because we have DDT and a full of directly after that we have ITT the 1st structures of ABX by the other 1 is often thousand bytes storing up to 100 50 hours 6 are structures of size 16 bytes and then because of the fact that those 2 structures don't align with the size of the page of the small for kph we have a lot of unused memory after that and of course IT T is responsible for storing function pointers it's full of stack of function pointers and some of those function pointers are you facing such as the CPU exception handlers which are below entries of ITT but if we thought about overwriting that's not really the safest choice because other processes may reference it as well and the kernel and made me do it too so something unexpected could happen but there are also some interrupt are designed specifically for user-mode usage a set of the 3 shown below but 1 of the problems that we might have to consider is that you are the function pointers are actually partitioned instead of the structure so it's not just the 60 for a bit of a function pointer but it is actually spread instead of the structure and how we could deal with this using yeah having instructions of the testing program because yeah why not I makes it makes it possible for us to do this but we also put things keeps keep things simple and just use kind of a trampoline are of the form John register and and we could find such a gadget within the same memory page of the function that we are operating and so and in that way we could just right the Apollo 16 bits of the address instead of the full and this would be for a fully unreliable so the idea of important not thing is that 88 he has read write and execute axis on CPU 0 so that it both has function pointers and this art W E cell we couldn't imagine a better situation for us we could just use the unused bytes after he had introduced or our shellcode are of course we we have to care about things such as that I say only provides 32 bits of ITT R and the compatibility mode that we are executing and so we have to switch temporarily to 64 bits in order to get the address we can do it using this simple microsomes you will studio and not going to delve into this but it's it's it's pretty straightforward to get the ITT our ror registry so are what we should do in the 1st saw in the 2nd stage the yellow is just make sure that we are running on CPU 0 using a single API function that spread the session baseball also shown before and that just what the kernel exploit font and let it do its work and inside of the front forms drawstring inside of the load it forms with 1st copy the entire ITT into the town and array then we adjust and she 91 29 which is the Q rice security for function so that it points in step instead of the function points to where John are 11 which resides in the same memory page and then right that back would ITT from so yeah I just wanted to make it a little ironic that we're using the security interrupt to elevate our privileges and then we just saved and modified part of the ITT entries somewhere after ITT and you write you'll be shellcode up later on so this is how it looks like a during the execution of the 1st thing we have to ITT and we had Johnson during so 1st we call the all of IT teams head of the transit array I then we make it back out of the ITT entered the overriding but later on we're just subtracting a value from the ITT entry instead of the trans and array or maybe at some value to pointed to the jump or 11 guided and here we have this we just put it on the inside of the identity itself and then put exit the X stakes 64 show code into the transmembrane copy it into the EAT or after the T inside of the unused memory region and and once this is done the only thing left for us to do is that we have trigger the function pointed that we have overridden we are 11 sets to the edges of the show code that we have put internal memory and what the show of dust is the same thing as it did for 32 bit versions of Windows that it just elevates the privileges of the other the review process and increases the active process limit after that we also on hope preprocessing and spunk operator so I O showed that the you know of this in my other
ship now here I will just
show you that this is 64 bit version of
Windows Our yeah as you can see here in this maybe a will run 1st time
so we have a just double-click on the book PDF and here OK there's not a calculator and also citizen of it the so
that the
room maybe not but you can see that
all of the Adobe Reader processes and calculate I are indeed elevated to NT operating system what is is it
yet so we have our mission accomplished we ended up with a single pdf file that affects both the Windows 32 bit and 64 bit the latest 1 Windows 8 . 1 and Adobe Reader 11 and so on yeah so we buy puzzle of the deviations that we wanted stuck stuck cookies by the design of the vulnerability a seller because we only used addresses that we I delete or requested from the CPU that because we all of the we're on all of the state an executable memory sandboxing I with for their ability in the Windows kernel which was the same for 32 bit and a little bit different 1 for 64 bit and smack also because we around the shellcode from executive below memory in the kernel space and we maintained complete availability have because there was no brute-forcing single guessing involved in all stages were deterministic maybe I except for the full string 1 and 64 bit but I think it should be pretty reliable as well so the final thoughts about that independent voters that some even though funds received a lot of of attention from the security community apparently they're not debts and this was shown by this presentation and the previous 1 as well I gotta say that there might have been there there seem to be more of them being found on each year so there are also some more bucks from me coming out and some of those detained 6 uh the details of the other ones they mentioned today and it's also quite doubtful that they ever will are completely cease to exist so it's a good thing that some companies are actually putting some indications of some design changes in place to make those box unexploitable are just but not worth exploiting because they are not in the privileged contexts and our yeah we should also be aware of the fact that shirt native code bases still exist and this is obviously very very scary in the context of software security and especially on in content in the context of of file formats that's the word devloped about 20 or 30 years ago and the cold war he hasn't changed that much since then so even in 2 thousand 15 but we follow those medications that we have it turns out that it's still a matter of just a single good but not to get a full system compromise and with that i thank you very much and I'm happy to answer any questions be fat
you yeah at the so when you do that but the 2nd time in the kernel he jumped to 0 and I was here safe return did you ever Kuwait a safe return in reader but I I didn't because that there was no reason to do it in the proof of concept right because the i it's not really important for me to to make Adobe Reader responsive after the explaination states but it could definitely be done because some there are several functions of the cell stack frames that can be returned from a liar there so it's not really a problem but I didn't which part of performance of the is called thanks yeah OK no questions thank you the