Adobe Reader sandbox popped says Google researcher

The Acrobat Reader Windows sandbox contains a vulnerability that could allow attackers to break out and gain higher privileges, Google security bod James Forshaw claims.

The NTFS junction attack is a "race condition" in the handling of the MoveFileEx call hook Forshaw said.

While unpatched, subsequent September updates made the flaw very difficult to exploit.

"While this bug technically isn't fixed, a defence in depth change in 11.0.9 effectively made this difficult if not impossible to exploit," Forshaw said in an advisory for version 11.0.8.

It was a flaw similar to a previous bug in NtSetInformationFile but different because it exploited a time of check to time of use race, a feat possible only because the broker opened the file rather than the sandboxed process, he said.

"While the function resolves the location of the source and destination and ensures they are within the policy there is a timing race once the function calls into the MoveFileEx function in the broker. This race can be won by the sandboxed process by using an OPLOCK to wait for the point where the MoveFileEx function opens the original file for the move. This allows code in the sandbox to write an arbitrary file to the file system.

Forshaw attached a proof-of-concept which on successful exploitation would create a file named 'abc' on the desktop. ®