
E.K.I.A – Adobe Reader Exploit (CVE-2013-3346) & Kernel NDProxy.sys Zero-Day EoP

By
Dec 5, 2013

On November 27, FireEye disclosed a zero-day privilege escalation vulnerability (now CVE-2013-5065) circulating in the wild and being delivered via a PDF exploit for a previously patched vulnerability (CVE-2013-3446) in Adobe Reader. The Adobe Reader memory corruption vulnerability was patched back in May as part of APSB13-15. Examining the PDF sample in question, we can see that there is a large amount of heavily obfuscated JavaScript in object 3:

[Screenshot E.K.IA-1: heavily obfuscated JavaScript in PDF object 3]

In addition, object 4 also appears to be heavily obfuscated, and we can safely assume that this is where the malware payload is stored. This stream alone accounts for over 100K of the total 173K PDF file size:

[Screenshot E.K.IA-2: obfuscated payload stream in PDF object 4]

Copying the contents of object 3 and evaluating it with Didier Stevens' patched SpiderMonkey tool yields the following JavaScript:

[Screenshot E.K.IA-3: deobfuscated JavaScript produced by SpiderMonkey]

In addition to the obvious shellcode and ROP gadgets, we can see the Adobe Reader version pre-checks that are performed:

[Screenshot E.K.IA-4: Adobe Reader version pre-checks in the deobfuscated script]

According to the security bulletin from Adobe, the following versions of Adobe Reader are affected by this vulnerability:

  • Adobe Reader XI (11.0.02) and earlier 11.x versions for Windows and Macintosh
  • Adobe Reader X (10.1.6) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux

We can also see that the memory corruption vulnerability is triggered by adding a button which calls a function to remove it:

[Screenshot E.K.IA-5: button creation and the removeButtonFunc() call that triggers the memory corruption]

Variable “part2” referenced above by removeButtonFunc() is the NOP sled.
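The object-level triage described above (a JavaScript-bearing object, a single stream that dominates the file size, a Reader version pre-check) can be scripted as a first-pass static check. This is an added Python example, not Invincea's tooling or the post's sample: the embedded PDF is a constructed mock that mirrors the layout the analysis describes, and the 50% "dominant stream" threshold is an assumption.

```python
import math
import re
from collections import Counter

# Constructed mock PDF (not the malicious sample): object 1 auto-runs JavaScript, object 3 holds it, object 4 is a bulky opaque stream.
_BULK = bytes(range(256)) * 40          # 10240 bytes, entropy exactly 8.0
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R"
    b" /OpenAction << /S /JavaScript /JS 3 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Length 40 >> stream\n"
    b"var v=app.viewerVersion;/* obfuscated */\nendstream endobj\n"
    b"4 0 obj << /Length 10240 /Filter /FlateDecode >> stream\n"
    + _BULK + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
DOMINANT_SHARE = 0.5   # assumed threshold: one stream holding >50% of the file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means compressed, encrypted or well obfuscated."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_pdf(pdf: bytes) -> list:
    """One finding per object that carries a trait worth an analyst's look."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        sm = STREAM_RE.search(body)
        stream = sm.group(1) if sm else b""
        share = len(stream) / len(pdf)
        flags = []
        if b"/JS" in body or b"/JavaScript" in body:
            flags.append("javascript")       # script attached to the object
        if b"/OpenAction" in body or b"/AA" in body:
            flags.append("auto_action")      # fires without user interaction
        if b"app.viewerVersion" in body:
            flags.append("version_check")    # Reader version pre-check
        if share > DOMINANT_SHARE:
            flags.append("dominant_stream")  # likely embedded payload
        if flags:
            findings.append({"obj": num, "flags": flags, "stream_share": round(share, 2),
                             "entropy": round(shannon_entropy(stream), 2)})
    return findings
```

Legitimate FlateDecode streams are also high-entropy, so the entropy figure is context for the analyst rather than a verdict on its own; the combination of an auto-run script and one stream holding most of the file is the signal worth escalating.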

Once the vulnerability is triggered and execution is transferred to the shellcode shown above, the payload stored in object 4 is decoded and executed.  A full technical analysis of the shellcode has been provided here.

The WinXP exploit payload is dropped and executed from the %temp% directory by cmd.exe on the victim machine as recorded by Invincea FreeSpace:

[Screenshot E.K.IA-6: Invincea FreeSpace record of the payload launched from %temp% via cmd.exe]

Detailed view of 28F.tmp process launch:

[Screenshot E.K.IA-7: detailed view of the 28F.tmp process launch]

The VirusTotal MD5 drill from the Invincea Management Server indicates that the primary A/V vendors label the backdoor payload as Tavdig, aka Wipbot. Full details on this backdoor have recently been documented by Trend Micro here. In addition, the shellcode attempts to leverage a zero-day input validation flaw in NDProxy.sys in order to escalate to kernel-level privileges. As of this writing, Microsoft has acknowledged that the flaw affects XP and Server 2003 platforms only but has not released an out-of-cycle security update to address the issue. A suggested workaround provided by Microsoft is to disable the NDProxy.sys driver altogether. Invincea users, however, are protected from this Adobe Reader and WinXP exploit chain without any update or disabling of system services.

With the end of life for Windows XP looming, threats like these are especially concerning given the lack of security updates beyond April of next year and the unfortunate reality that Windows XP still holds nearly a third of the total desktop OS market share.

The accompanying video shows Invincea FreeSpace™ detecting and containing this threat in real-time without the need for signature updates, patching or system changes. Enjoy the demo and contact us to get protected today.
