{"id":12300,"date":"2018-05-15T11:10:17","date_gmt":"2018-05-15T19:10:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/05\/15\/news-6069\/"},"modified":"2018-05-15T11:10:17","modified_gmt":"2018-05-15T19:10:17","slug":"news-6069","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/05\/15\/news-6069\/","title":{"rendered":"Adobe Reader zero-day discovered alongside Windows vulnerability"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 15 May 2018 18:44:14 +0000<\/strong><\/p>\n

During the first half of 2018, we have witnessed some particularly interesting zero-day exploits, including one for\u00a0Flash<\/a> (CVE-2018-4878<\/a>) and more recently for\u00a0Internet Explorer<\/a> (CVE-2018-8174<\/a>). The former was quickly used by exploit kits such as Magnitude<\/a>, while it is only a matter of time before we see the latter being weaponized more widely.<\/p>\n

We can now add to that list an Adobe Reader zero-day (CVE-2018-4990<\/a>), which was reported by ESET<\/a> and Microsoft and has already been patched. Although it has not been observed in the wild yet, it remains a dangerous threat considering it is coupled with a\u00a0privilege escalation vulnerability in Microsoft Windows.<\/p>\n

To exploit the Windows vulnerability, the attacker must write to an arbitrary address in kernel space, which will not work for Windows 8 and above, as newer security features prevent this kind of mapping.\u00a0Those two combined zero-days were necessary to escape the Acrobat Reader sandbox protection, which to its credit has been improving the security of the software drastically, so much so that malicious PDFs that were once common as part of drive-by download attacks have all but vanished.<\/p>\n

Let’s take a quick look at the malicious PDF using pdf-parser<\/a>:<\/p>\n

python pdf-parser.py --content CVE-2018-4990.pdf<\/pre>\n
\"\"<\/a><\/p>\n
We can see a suspicious obfuscated blurb that most likely contains the JavaScript code we are looking for. We can decode and dump the output to a raw file:<\/p>\n
python pdf-parser.py -c CVE-2018-4990.pdf --object 1 --filter --raw > output.raw<\/pre>\n
\"\"<\/a><\/p>\n
The exploit code is now visible in clear text. For a good explanation on how it is used for the ROP chain and shellcode execution, please refer to the ESET article<\/a>.<\/p>\n
We tested this zero-day against Malwarebytes<\/a>, which was already stopping it without the need for any additional updates. The mitigation happens at the very beginning of the exploitation chain (stack pivoting<\/a>):<\/p>\n
\"\"<\/a><\/p>\n
We recommend users patch their systems to prevent this threat, which will most likely be weaponized in the wild soon. A very plausible attack scenario would be a PDF attachment in a malspam campaign.<\/p>\n
The Adobe security bulletin (CVE-2018-4990) can be found here<\/a>, while Microsoft’s (CVE-2018-8120) is here<\/a>.<\/p>\n
The post Adobe Reader zero-day discovered alongside Windows vulnerability<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 15 May 2018 18:44:14 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
A new Adobe Reader zero-day exploit has been discovered, including a full sandbox escape.<\/p>\n
Categories: <\/p>\n