Playing In The Reader X Sandbox

Black Hat USA 2011

Presented by: Paul Sabanal, Mark Yason
Date: Wednesday August 03, 2011
Time: 16:45 - 18:00
Location: Roman
Track: Breaking Software

In an effort to mitigate the effects of successful exploitation of Adobe Reader vulnerabilities, Adobe announced Adobe Reader Protected Mode back in July 2010. Since its release in November 2010, very little in-depth technical information has been available about how the Adobe Reader Protected Mode sandbox works and how it was implemented.

The first part of this talk attempts to close this information gap by diving deep into the implementation details of the Adobe Reader Protected Mode sandbox. We will discuss the results of our reversing efforts to understand the mechanisms and data structures that make up the sandbox.

Using the knowledge gained in the first part, the second part then focuses on the security of the Adobe Reader Protected Mode sandbox. First, we will discuss the limitations and weaknesses of its earlier releases and their security implications, then we will discuss possible avenues to achieve privilege escalation.

At the end of our talk, we will demonstrate how an attacker could leverage the limitations and weaknesses of the Adobe Reader Protected Mode sandbox to carry out information theft or corporate espionage. We will be demonstrating a proof-of-concept information-stealing exploit payload bootstrapped by exploiting a publicly known Adobe Reader X vulnerability.

Paul Sabanal

Paul Sabanal is a security researcher on IBM ISS's X-Force Advanced Research Team. He has spent most of his career as a reverse engineer, starting out as a malware researcher, and now does vulnerability analysis and exploit development as well. He has previously presented at Blackhat with Mark Yason on the subject of C++ reversing. His main research interests these days are in protection technologies and automated binary analysis tools. He is currently based in Manila, Philippines.

Mark Yason

Mark Vincent Yason is a security researcher on IBM's X-Force Advanced Research team. Mark's current focus area is vulnerability and exploit research – he analyzes known vulnerabilities, discovers new vulnerabilities, studies exploitation techniques, and creates detection guidance/algorithms which are used in the development of IDS/IPS signatures. He also previously worked on malware research which naturally involved some degree of software protection research. He authored the paper The Art of Unpacking and co-authored the paper Reversing C++, both of which were previously presented at BlackHat.
