In the last few weeks I've given two presentations (@ SyScan360, Singapore and Infiltrate, Miami) about Pwning Adobe Reader using its embedded XFA engine.
The URLs to the slide decks can be found below. Besides the PDFs I also uploaded the PPTX versions since some might have reservations opening PDFs from me (at least with Adobe products...) ;-)
The analytical parts of the presentations (symbol recovery, object and jfCacheManager analysis) are mostly identical. The main difference is the practical exploitation part: At SyScan360 I explained how to abuse a 0-DWORD write primitive to create a memory leak (thus bypassing ASLR) and to get near 100% reliable, OS- and version-independent code execution within the sandboxed Reader process. At Infiltrate I used a 0day exploit to showcase the great flexibility of the exploitation technique and explained the general steps to exploit a rather "ugly" vulnerability which does not give you a clean, controlled write primitive.
- SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf
- SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pptx
- Infiltrate_2016_-_Pwning_Adobe_Reader_with_XFA.pdf
- Infiltrate_2016_-_Pwning_Adobe_Reader_with_XFA.pptx
[ Please note that the layout of the PowerPoint version gets a bit screwed up when viewed with mobile PPTX readers (such as the one embedded in iOS)... ]
A technical writeup which goes deeper into the topic of Pwning the Reader will be released soon. Stay tuned :)
Cheers,
Sebastian