An unidentified hacker group appears to have accidentally exposed two fully working zero-days when it uploaded a weaponized PDF file to a public malware scanning engine.
The zero-days were spotted by security researchers from Slovak antivirus vendor ESET, who reported the issues to Adobe and Microsoft, which in turn patched them within two months.
Zero-days caught while still under development
Anton Cherepanov, the ESET researcher who spotted the zero-days hidden inside the sea of malware samples, believes he caught the zero-days while the mysterious hacker(s) were still working on fine-tuning their exploits.
“The sample does not contain a final payload, which may suggest that it was caught during its early development stages,” Cherepanov said.
The two zero-days are CVE-2018-4990, affecting Adobe’s Acrobat/Reader PDF viewer, and CVE-2018-8120, affecting the Win32k component of Windows.
The two zero-days are meant to be used together and make up a so-called “exploit chain.” The Adobe zero-day is intended to provide the ability to run custom code inside Adobe Acrobat/Reader, while the Windows zero-day allows attackers to escape Adobe’s sandbox protection and execute additional code on the underlying OS.
How the exploit chain works
⧁ User receives and opens a booby-trapped PDF file
⧁ Button object, consisting of a specially-crafted JPEG2000 image, triggers a double-free vulnerability in Adobe Acrobat/Reader
⧁ Attacker uses the engine’s native assembly instructions to execute their own native shellcode
⧁ Shellcode initializes a PE file embedded in the PDF
⧁ The Microsoft Win32k zero-day then kicks in and lets the attacker elevate privileges so that the PE file runs in kernel mode, breaking out of the Adobe Acrobat/Reader sandbox to system-level access.
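As an added, defender-side example (not code from the article or from ESET), a triage script that scores a PDF by how many of the static indicators from the chain above it carries: a JPEG2000 (/JPXDecode) image stream, a button field, a JavaScript action and a stream that begins with a PE header. The indicator names, the scoring threshold and the two sample documents are constructed for this example; because real samples hide objects inside compressed object streams, the script inflates /FlateDecode bodies before matching.

```python
import re
import zlib
# Matches a /FlateDecode stream body so it can be inflated before scanning.
FLATE_STREAM = re.compile(rb"/FlateDecode[^>]*>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Static indicators for the chain described above (hypothetical heuristics, not ESET's).
INDICATORS = {
    "jpeg2000_image": re.compile(rb"/Filter\s*/JPXDecode"),   # JPEG2000 image stream
    "javascript": re.compile(rb"/JavaScript\b|/JS\b"),         # JavaScript action
    "button_field": re.compile(rb"/FT\s*/Btn"),                # button form field
    "embedded_pe": re.compile(rb"stream\r?\nMZ"),              # stream starting with a PE header
}

def expand_flate_streams(data: bytes) -> bytes:
    """Return data with every inflatable /FlateDecode stream body appended."""
    out = [data]
    for m in FLATE_STREAM.finditer(data):
        try:  # decompressobj tolerates a clipped trailer; zlib.error means not zlib data
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)

def scan_pdf(data: bytes) -> dict:
    """Score a document by how many of the chain's indicators it carries."""
    expanded = expand_flate_streams(data)
    hits = {name: bool(rx.search(expanded)) for name, rx in INDICATORS.items()}
    score = sum(hits.values())
    return {"indicators": hits, "score": score, "suspicious": score >= 3}

def build_suspect_pdf() -> bytes:
    # Constructed sample (not the ESET samples); the JS object sits in a Flate object stream.
    js_obj = zlib.compress(b"5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj")
    return b"\n".join([
        b"%PDF-1.7", b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj",
        b"2 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /MK << /I 3 0 R >> >> endobj",
        b"3 0 obj << /Type /XObject /Subtype /Image /Filter /JPXDecode /Length 12 >> stream",
        b"\x00\x00\x00\x0cjP  \r\n\x87\n", b"endstream endobj",
        b"4 0 obj << /Type /EmbeddedFile /Length 8 >> stream",
        b"MZ\x90\x00\x03\x00\x00\x00", b"endstream endobj",
        b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >> stream" % len(js_obj),
        js_obj, b"endstream endobj", b"%%EOF",
    ])

def build_benign_pdf() -> bytes:
    # Constructed clean document with an ordinary JPEG (DCTDecode) image.
    return b"\n".join([
        b"%PDF-1.7", b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"3 0 obj << /Type /XObject /Subtype /Image /Filter /DCTDecode /Length 2 >> stream",
        b"\xff\xd8", b"endstream endobj", b"%%EOF",
    ])
```

The score is a triage signal for sandbox detonation or analyst review, not a verdict: benign forms that combine JPEG2000 images with JavaScript do exist.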
The exploit chain is a masterpiece of offensive hacking, but it will never be as dangerous as it could have been, because of an operational mistake its creators made: uploading it to a known virus scanning engine in the hope of testing its detection rate.
Cherepanov spotted two suspicious PDF samples [1, 2] at the end of March. Both zero-days are now patched. Microsoft patched CVE-2018-8120 last week, in the May 2018 Patch Tuesday, and Adobe patched CVE-2018-4990 yesterday in APSB18-09.