Pwning Adobe Reader - SyScan360 and Infiltrate 2016 slide decks

• April 12, 2016
• research exploitation
• Sebastian Apelt

Hi everyone, in the last few weeks I’ve given two presentations (@ SyScan360, Singapore and Infiltrate, Miami) about Pwning Adobe Reader using its embedded XFA engine.

The URLs to the slide decks can be found below. Besides the PDFs I also uploaded the PPTX versions since some might have reservations opening PDFs from me (at least with Adobe products…) ;-)

The analytical part of the presentations (symbol recovery, object and jfCacheManager analysis) are mostly identical. The main difference is the practical exploitation part: At SyScan360 I explained how to abuse a 0-DWORD write primitive to create a memory leak (thus bypassing ASLR) and to get near 100% reliable, OS- and version-independant code execution within the sandboxed Reader process. At Infiltrate I used an 0day exploit to showcase the great flexibility of the exploitation technique and explained the general steps to exploit a rather “ugly” vulnerability which does not give you a clean, controlled write primitive.

• SyScan360_2016_Pwning_Adobe_Reader_with_XFA.pdf
• SyScan360_2016_Pwning_Adobe_Reader_with_XFA.pptx
• Infiltrade_2016_Pwning_Adobe_Reader_with_XFA.pdf
• Infiltrade_2016_Pwning_Adobe_Reader_with_XFA.pptx

[ Please note that the layout of the Powerpoint version gets a bit screwed up when viewed with mobile PPTX readers (such as the one embedded in iOS)… ]

A technical writeup which goes deeper into the topic of Pwning the Reader will be released soon. Stay tuned :)

Cheers, Sebastian

• ← Previous Post
• Next Post →

TAGS