Adobe Reader's Custom Memory Management: a Heap of Trouble
Latest version at: http://www.fortiguard.com/papers/Adobe_Readers_Custom_Memory_Management_a_Heap_of_Trouble.html
Adobe Reader's Custom Memory Management:
a Heap of Trouble
Version: 1.0
Research and Analysis: Haifei Li hfli@fortinet.com
Contributor and Editor: Guillaume Lovet glovet@fortinet.com
Abstract
PDF vulnerabilities are hot. Several AV and security companies, in their 2010 predictions, cited an
increase in PDF vulnerabilities volume, possibly driven by demand from Cybercriminals, eager to
leverage them in focused and large-scale attacks alike.
But how serious could it really be, and what's the share of casual marketing FUD spreading here?
After all, many PDF vulnerabilities out there are structure (i.e. file format) based ones, and
essentially result in heap corruption situations. And everybody knows that leveraging a heap
corruption bug into actual exploitation, with execution of attacker-supplied code, is no piece of
cake. Indeed, MS Windows' heap is hardly predictable, and is armoured with protection
mechanisms such as safe-unlinking.
Yet, the main PDF reader software outthere, called Adobe Reader, has a specificity that may lead
us to revise our beliefs: for performance purpose, it implements its own heap management
system, on top of the Operating System's one. And it turns out that, performance sometimes
(often? nah...) being the enemy of security, this custom heap management system makes it
significantly easier to exploit heap corruption flaws in a solid and reliable way. Coupled with the
recent developments in DEP protection bypass
[1]
, this makes heap corruption exploitation
potentially consistent across a very large amount of setups (a very interesting characteristic for
the Cybercriminal, either for "blind-shooting" at a targeted system, or for compromising a large
amount of systems at once).
This paper introduces Adobe Reader's custom heap management system, dissects its
mechanisms, and points out its weaknesses (with examples showing how to obtain control of the
execution flow in different heap corruption situations, to illustrate the point) in order to shed
light and awareness on the PDF vulnerabilities issue. In addition, limitations will be discussed and
possible mitigation leads briefly evoked.
剩余36页未读,继续阅读
资源评论
