Adobe Sandbox

The document discusses techniques for analyzing the Adobe Reader sandbox. It provides background on how sandboxes work and details of the Adobe Reader sandbox implementation. It then describes methods for mapping the broker endpoints that handle cross-process calls between the low-integrity client process and medium-integrity broker process. This includes finding example broker endpoints, the data structures defining the cross-calls, and the function that registers the calls. Mapping these endpoints provides insight into the sandbox internals and a way to potentially find sandbox escapes.

ADOBE SANDBOX

WHEN THE BROKER IS BROKEN

Peter Vreugdenhil
Exodus Intelligence
Intro
• Peter Vreugdenhil
• VP of Operations at Exodus Intelligence
• @WTFuzz
[email protected]
Goal of this talk
• Explaining the code responsible for the interesting parts of the Sandbox
• Making it easier for other researchers to find sandbox escapes
• Show some potential sandbox escapes
Content
• Sandbox basics
• The Adobe Sandbox
• Attack surface
• Finding all Broker endpoints
• Finding intercepted API functions
• (Ab)using the broker to escape
Previous work on Adobe Sandbox
• Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out of Adobe Reader's Sandbox
• Paul Sabanal & Mark Vincent Yason: Playing in the Reader X Sandbox
What is a sandbox?
• Wikipedia:
A sandbox is a security mechanism for separating running
programs. It is often used to execute untested code, or
untrusted programs from unverified third-parties, suppliers,
untrusted users and untrusted websites.
Sandbox workings
• Untrusted code is running with low/limited privileges
• Anything requiring elevated privileges goes through a broker
• Usually certain Windows API calls are intercepted for transparency
Terminology
• Broker: Medium integrity process
• Client: LOW integrity process
• Cross Call: request from Client to Broker
• Endpoint: Code running in the broker responsible for handling the Cross Call
• Escape: Executing arbitrary code with Medium Integrity
Adobe on Sandboxing

http://blogs.adobe.com/asset/files/2010/11/WinXP-A9-Exploit-Steps1.png
Adobe Sandbox Basics
• Available since Adobe Reader X
• Improved in Adobe Reader XI
• Based on the Chromium sandbox
– Less restricted
– Much more communication between client and broker
• 1 confirmed Adobe Sandbox escape in the wild (so far)
• 1 unconfirmed escape for sale in Russia
Adobe Sandbox on Windows

• Restricted Token
• Windows Integrity levels
• Separate Desktops
• Separate Jobs
Adobe Sandbox Restricted Token

• Everything is denied.
• Privileges: SeChangeNotifyPrivilege enabled
Adobe Sandbox Integrity Levels
• Windows has 5 predefined Integrity levels
– Untrusted
– Low
– Medium
– High
– System
Adobe Sandbox Integrity levels
• Adobe starts as a MEDium Integrity process
• Spawns a child process as LOW Integrity
• Child process is responsible for parsing and rendering pdf files
Adobe Sandbox
• Child process command line arguments specify communication channel details and process type
Adobe Sandbox Desktop
• LOW Integrity child process has its own desktop (since Reader XI).
• sbox_alternate_desktop_0x<ParentPID>
• Limited access to the Default desktop
• Protects against (among others) shatter attacks
Adobe Sandbox Job
Adobe Sandbox Attack Surface
• Windows Kernel vulnerabilities
• IPC Communications errors
• Incorrect default permissions
• Logical flaws in Cross Calls
• Memory corruption in Cross Calls
Broker Client communication

http://blogs.adobe.com/asset/files/2010/11/Sandbox-and-Broker-Process-IPC.png
Broker Client communication
We will focus on the Broker endpoints

http://blogs.adobe.com/asset/files/2010/11/Sandbox-and-Broker-Process-IPC.png
Client Broker communication
• AcroRd32.exe is responsible for Cross Calls
• Changes with updates
• Finding all Cross Calls through different versions is possible
• Easy even
Client Broker communication
• Uses Shared Memory for communication
• Structures and Parameters for Cross Calls are written to memory by the Client process
• Broker reads them back and acts on them
• Some Parameters can be used to receive results
• Vulnerabilities can exist in this part of the process
Cross Call Parameters
// [ tag                 4 bytes ]
// [ IsOnOut             4 bytes ]
// [ call return        52 bytes ]
// [ params count        4 bytes ]
// [ parameter 0 type    4 bytes ]
// [ parameter 0 offset  4 bytes ] ---delta to---\
// [ parameter 0 size    4 bytes ]               |
// [ parameter 1 type    4 bytes ]               |
// [ parameter 1 offset  4 bytes ] --------------|--\
// [ parameter 1 size    4 bytes ]               |  |
// [ parameter 2 type    4 bytes ]               |  |
// [ parameter 2 offset  4 bytes ] --------------|--|--\
// [ parameter 2 size    4 bytes ]               |  |  |
// |---------------------------|                 |  |  |
// | value 0 (x bytes)         | <---------------/  |  |
// | value 1 (y bytes)         | <------------------/  |
// |                           |                       |
// | end of buffer             | <---------------------/
// |---------------------------|
Cross Call Parameters
• Cross Call tag/ID
• Number of Parameters
• Types of Parameters
Cross Call IDs
• Chromium has 19 Cross Calls predefined
• 16 are actually used
• ID 0 is unused
• ID 1 and 2 are test only
• Adobe Reader has 260 Cross Calls defined
Cross Call Parameters Types
Chromium code defines 6 valid Parameter types
enum ArgType {
INVALID_TYPE = 0,
WCHAR_TYPE,
ULONG_TYPE,
UNISTR_TYPE,
VOIDPTR_TYPE,
INPTR_TYPE,
INOUTPTR_TYPE,
LAST_TYPE
};

Adobe sandbox implementation adds two more

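The shared-memory exchange and the buffer layout from the previous slides, as an added example that is not Chromium's or Adobe's code: a client-side encoder that lays out the header, the parameter table and the values, and a broker-side decoder that checks every offset and size against the buffer before reading a value. This is the point where "vulnerabilities can exist in this part of the process": a broker that trusts the client's offset and size fields reads outside the shared region. Assumptions not stated on the slides: little-endian 32-bit fields, offsets relative to the start of the buffer, a (count+1)th sentinel table entry whose offset is the end of the buffer (as the diagram draws it), a cap of nine parameters, and the placeholder names ADOBE_TYPE_7 / ADOBE_TYPE_8 for Adobe's two extra types.

```python
import struct
from enum import IntEnum


class ArgType(IntEnum):
    """Chromium's parameter types from the slide, plus Adobe's two extra values."""
    INVALID_TYPE = 0
    WCHAR_TYPE = 1
    ULONG_TYPE = 2
    UNISTR_TYPE = 3
    VOIDPTR_TYPE = 4
    INPTR_TYPE = 5
    INOUTPTR_TYPE = 6
    ADOBE_TYPE_7 = 7  # hypothetical name; the slides infer an LPCTSTR-like string
    ADOBE_TYPE_8 = 8  # hypothetical name for Adobe's second added type


HEADER_FMT = "<II52sI"  # tag, IsOnOut, call return (52 bytes), params count
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 64
PARAM_FMT = "<III"      # parameter type, offset, size
PARAM_SIZE = struct.calcsize(PARAM_FMT)    # 12
MAX_PARAMS = 9          # bound assumed for this example; the broker needs some fixed cap


class CrossCallError(ValueError):
    """A client-supplied buffer failed a broker-side consistency check."""


def build_cross_call(tag, params):
    """Client side: serialize (ArgType, bytes) pairs into one cross-call buffer."""
    count = len(params)
    if count > MAX_PARAMS:
        raise CrossCallError("too many parameters")
    offset = HEADER_SIZE + (count + 1) * PARAM_SIZE  # first value follows the table
    table, values = b"", b""
    for ptype, value in params:
        table += struct.pack(PARAM_FMT, int(ptype), offset, len(value))
        values += value
        offset += len(value)
    table += struct.pack(PARAM_FMT, 0, offset, 0)  # sentinel: offset == end of buffer
    return struct.pack(HEADER_FMT, tag, 0, b"\0" * 52, count) + table + values


def parse_cross_call(buf):
    """Broker side: validate every offset and size before touching a value.

    Returns (tag, [(ArgType, value), ...]) or raises CrossCallError instead of
    reading outside the shared-memory region the client controls.
    """
    total = len(buf)
    if total < HEADER_SIZE:
        raise CrossCallError("buffer shorter than the fixed header")
    tag, _is_in_out, _call_return, count = struct.unpack_from(HEADER_FMT, buf, 0)
    if count > MAX_PARAMS:
        raise CrossCallError(f"params count {count} exceeds cap {MAX_PARAMS}")
    table_end = HEADER_SIZE + (count + 1) * PARAM_SIZE
    if table_end > total:
        raise CrossCallError("parameter table runs past the buffer")
    decoded = []
    for i in range(count):
        ptype, offset, size = struct.unpack_from(PARAM_FMT, buf, HEADER_SIZE + i * PARAM_SIZE)
        try:
            kind = ArgType(ptype)
        except ValueError:
            kind = ArgType.INVALID_TYPE
        if kind is ArgType.INVALID_TYPE:
            raise CrossCallError(f"parameter {i}: invalid or unknown type {ptype}")
        # Values must lie after the table and inside the buffer.  Python ints do not
        # wrap; a C broker must also guard offset + size against 32-bit overflow.
        if offset < table_end or offset + size > total:
            raise CrossCallError(f"parameter {i}: [{offset}, {offset + size}) is outside the value area")
        raw = buf[offset:offset + size]
        if kind is ArgType.ULONG_TYPE:
            if size != 4:
                raise CrossCallError(f"parameter {i}: ULONG must be 4 bytes, got {size}")
            value = struct.unpack("<I", raw)[0]
        elif kind is ArgType.WCHAR_TYPE:
            if size % 2:
                raise CrossCallError(f"parameter {i}: odd-length WCHAR string")
            value = raw.decode("utf-16-le").rstrip("\0")
        else:
            value = raw  # pointer-style and Adobe-specific types stay opaque here
        decoded.append((kind, value))
    _, end_offset, _ = struct.unpack_from(PARAM_FMT, buf, HEADER_SIZE + count * PARAM_SIZE)
    if end_offset != total:
        raise CrossCallError("sentinel entry does not point at the end of the buffer")
    return tag, decoded


def tamper_offset(buf, index, new_offset):
    """Constructed test helper: rewrite one table entry's offset in place."""
    pos = HEADER_SIZE + index * PARAM_SIZE
    ptype, _, size = struct.unpack_from(PARAM_FMT, buf, pos)
    return buf[:pos] + struct.pack(PARAM_FMT, ptype, new_offset, size) + buf[pos + PARAM_SIZE:]


def is_rejected(buf):
    """True if the broker-side parser refuses the buffer."""
    try:
        parse_cross_call(buf)
    except CrossCallError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample shaped like the slides' Cross Call 0x46: a WCHAR URL and a ULONG.
    msg = build_cross_call(0x46, [
        (ArgType.WCHAR_TYPE, "http://example.invalid/".encode("utf-16-le") + b"\0\0"),
        (ArgType.ULONG_TYPE, bytes([1, 0, 0, 0])),
    ])
    print(parse_cross_call(msg))
    print("offset past the buffer rejected:", is_rejected(tamper_offset(msg, 0, 0x7FFFFFF0)))
```

The decoder deliberately rejects an offset that points back into the header or the parameter table, not only one that runs past the end: a value aliased over the table would let the client change a type or size field after the broker has validated it.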
Broker Endpoints
• Every Cross Call is linked to a Broker function
• Finding all the end points would allow us to RE the broker code
• Finding all the parameters for the functions would make it easier
Broker Endpoints
• One function is responsible for defining Cross Calls
static const IPCCall set_info = {
{IPC_NTSETINFO_RENAME_TAG,
VOIDPTR_TYPE,
INOUTPTR_TYPE,
INOUTPTR_TYPE,
ULONG_TYPE,
ULONG_TYPE},
reinterpret_cast<CallbackGeneric>(
&FilesystemDispatcher::NtSetInformationFile
)
};
ipc_calls_.push_back(set_info);
Broker Endpoints
If we can find that function we might be able to find:
– Cross Call ID
– Parameter info
– Broker endpoint function
Finding Broker Endpoints
1. Finding one broker endpoint function
2. Find structure containing pointer to endpoint function
3. Find function responsible for adding this Cross Call
4. Find all Cross Call structures
5. Find all Cross Call endpoints and parameters
Step 1: Finding one Endpoint
• There are 107 imported functions that are only called directly from a Cross Call endpoint
• Examples:
– InternetGetCookieA
– DeleteSecurityContext
– FreeCredentialsHandle
– DeviceCapabilitiesW
– DeviceCapabilitiesA
Step 1: Finding one Endpoint
• Find all Xrefs for InternetGetCookieA
Step 2: Find Cross Call Structure
• Find Data Reference for the endpoint (only 1)
Cross Call Structure
• Cross Call ID
Cross Call Structure
• Parameters
Cross Call Parameters Types
InternetGetCookie function (Windows)
BOOL InternetGetCookie(
_In_ LPCTSTR lpszUrl,
_In_ LPCTSTR lpszCookieName,
_Out_ LPTSTR lpszCookieData,
_Inout_ LPDWORD lpdwSize
);

We can now assume that Parameter Type 7 is an LPCTSTR
Cross Call Structure
• Endpoint Function
Step 3: Cross Call Adding Function
• Find the function adding Cross Calls
Step 4: Find all Cross Call Structures
• Get all the Xrefs to the AddCrossCall function
• Find the parameter each time the function is called
Step 5: Done
• You now have a list of 260 functions in AcroRd32.exe that handle Cross Calls inside the Broker
• You know the type of arguments to each function
• Time to reverse and find a working escape
Intercepted Windows API Functions
• AcroRd32.exe also intercepts a lot of default Windows API functions
• Most of the intercepted functions are redirected to a Cross Call
• Matching intercepted functions with Cross Call IDs would make our work easier
Intercepted Windows API Functions
• One function responsible for enabling all API
interceptions
Intercepted Windows API Functions
• Function parameters are
– Name of the .dll file
– Function Name
– Interception type
– Intercept Function
– Unknown
Intercepted Windows API Functions
1. Find all calls to this function
2. Find all Intercepted Function Names
3. Link Intercept Function to Cross Call IDs
Find Cross Call ID
• Most Intercept Functions go straight into a Cross Call
• Finding the Cross Call ID can be (somewhat) automated
• Not all Intercept Functions actually end in a Cross Call
Intercept Functions
InternetOpenA
Finding the Cross Call ID
• A 0x30 sized structure is initialized
Finding the Cross Call ID
• Cross Call ID is first Dword in the structure
Finding the Cross Call ID
• OR Cross Call ID is pushed as 2nd Argument to
another Function
Adobe Cross Call list
Endpoint Functions
• Arg_0 is IPCInfo structure
struct IPCInfo {
int ipc_tag;
const ClientInfo* client_info;
CrossCallReturn return_info;
};

struct ClientInfo {
HANDLE process;
HANDLE job_object;
DWORD process_id;
};
Restrictions
• The Broker performs a lot of sanity checks
– Dialog boxes asking for permissions
– Interesting API functions already ‘blocked’
(InternetSetStatusCallback for example)
– File Policy tests
• Attack surface is still pretty big
• Adobe 0-Day used 2 Intercepted API Calls to
trigger a heap buffer overflow
Testing Cross Calls
• We can fuzz the Endpoints
– From Sandboxed process
– From Broker process
• Need to be sure we have all structures correct
Testing Cross Calls
• Testing Intercepted API calls is easy
• Need a little reversing to make sure you end up at the actual Cross Call
InternetConnectA
• We can patch this in the Client Process for easy testing
Testing Cross Calls
• Non Intercepted API Cross Calls have a wrapper function in AcroRd32.exe
• Wrapper functions do not require complex structures
• Might need some additional reversing to get the parameters correct
Testing Cross Calls
• String ‘AcroWinMainSandbox’ is just above a list of Cross Call Wrappers in AcroRd32.exe
• Quick look through the functions gives away the Cross Call ID
• This can be linked back to the known parameters for the Cross Calls
Testing Cross Calls
• Injecting python interpreter into sandboxed process
– Only injects into processes running with LOW Integrity
• Run python scripts inside the sandbox
• Allows for easy Cross Calls testing
Bypassing memory ASLR (heapspray)
• You can ‘heapspray’ from the Client into the broker
• Broker will call ReadProcessMemory to read large arguments from some Cross Calls
• 0-Day discovered in the wild used this to bypass memory ASLR
• Creating allocation bigger than 0x80000 will result in (partly) predictable location
Cross Call Demos
• Cross Call ID 0x49
• Arguments:
– WChar
Demo Cross Call 0x49
• Not a sandbox escape
• Only opens .txt, .pdf and .log files with the correct handler
Demo 1
• This issue has been patched in the latest
version
How did that work
• Uses Adobe Reader ability to open URLs
• Evades some restrictions
• Works best when Chrome or Firefox are set as the default browser
• Cross Call ID 0x46
• Parameters
– WChar URL
– ULong
Cross Call 0x46
• When trying to open a link from a pdf the following warning is shown
Cross Call 0x46
• Microsoft Spy++ information on this window
Cross Call 0x46
• PID 0x5F8 = 1528
• Dialog belongs to the sandboxed process and can be circumvented
• Same with the URL escape, this happens in the sandboxed process
Cross Call 0x46
• We can send random strings to the Broker as argument for this Cross Call
• Sanity checks performed
– PathIsURLW
– Get default ‘open’ handler for ‘http’
– ShellExecuteW
• Parameters are NOT quoted
Cross Call 0x46
• PathIsURLW doesn’t care
– Anything that matches ^ASCII+:ASCII will pass
• Chrome.exe doesn’t care
– Invalid parameters are ignored
– Whitespace used as parameter delimiter
• Firefox.exe doesn’t care (enough)
• iexplore.exe does care
– Code exec still possible but a lot harder
Cross Call 0x46
• Code exec with Chrome.exe
Chrome.exe
--a:b=1
--type=plugin
--plugin-path=c:\dr\evil.dll
• Code Exec with Firefox.exe
Firefox.exe
-a:b
-profile "profile"
Cross Call 0x46
• This Issue has been patched
• Broker code now contains a call to UrlCanonicalize
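The sanity checks on the Cross Call 0x46 slides, as an added example that is not Adobe's broker code: the loose ^ASCII+:ASCII rule the slides attribute to PathIsURLW, modelled in Python beside a stricter broker-side validator that canonicalizes the URL, allowlists the scheme, rejects whitespace and control characters, and hands the handler exactly one argument. The http/https allowlist, the DNS-style host grammar and the function names are assumptions for the example; the slides only say that the patched broker calls UrlCanonicalize.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The slides' reading of the original check: a run of ASCII, a colon, more ASCII.
# Whitespace is accepted, so a string carrying extra command-line tokens passes.
LOOSE_URL_RE = re.compile(r"^[\x20-\x7e]+:[\x20-\x7e]")

ALLOWED_SCHEMES = {"http", "https"}              # allowlist assumed for the example
BAD_CHARS_RE = re.compile(r"[\s\x00-\x1f\x7f]")  # whitespace and control characters
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")  # DNS-style hosts only


def loose_is_url(s):
    """Model of the original check: accepts far more than real URLs."""
    return LOOSE_URL_RE.match(s) is not None


def strict_canonical_url(s):
    """Broker-side replacement: return one canonical URL or raise ValueError.

    Rejects anything a handler could read as a second argument (whitespace),
    schemes outside the allowlist, userinfo, and malformed hosts or ports.
    """
    if not s or not s.isascii() or BAD_CHARS_RE.search(s):
        raise ValueError("empty, non-ASCII, or contains whitespace/control characters")
    parts = urlsplit(s)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not in allowlist")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")
    host = parts.hostname  # lower-cased by urlsplit
    if not host or not HOST_RE.fullmatch(host):
        raise ValueError("malformed host")
    port = parts.port      # raises ValueError itself for a non-numeric port
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))


def is_accepted(s):
    """True if the strict check would let the broker pass this string on."""
    try:
        strict_canonical_url(s)
        return True
    except ValueError:
        return False


def handler_argv(handler_exe, s):
    """Argument vector the broker should hand to the registered URL handler.

    A list keeps the URL a single argv element, and the strict check has already
    removed whitespace, so no handler-side token splitting can occur.
    """
    return [handler_exe, strict_canonical_url(s)]


if __name__ == "__main__":
    # Constructed inputs: a real URL and a string carrying an extra whitespace-separated token.
    for sample in ("http://example.com/doc.pdf", "a:b --extra-token"):
        print(f"{sample!r}: loose={loose_is_url(sample)} strict={is_accepted(sample)}")
```

The two checks disagree exactly where the slides say the original went wrong: the loose rule is satisfied by any string containing a colon, while the strict path accepts only a single, canonical http or https URL and therefore never passes a second token to the handler.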
Demo 2
What happened there?
• Cross Call 0x107 is being used
• This is normally used to login a webmail account
Cross Call 107
• This is not a browser
• This is a Window hosting ieframe.dll
• Basically the same as iexplore.exe running inside the Broker process
• But … NO Protected Mode
• Add an IE9 exploit and we’re done
Cross Call 107
• CreateWindowExW
Cross Call 107
ieframe!CWebBrowserOC::Navigate2
• Show the Window
Expanding the Attack Surface
• If you cannot find anything useful …
• Add more processes to communicate with
type=compute-only-renderer
• You can launch an additional Broker Client pair
• type=compute-only-renderer
• Both processes run as MED integrity
• Creates a Named Pipe for communication
• Sandboxed process can Read and Write to this Pipe
64BitsMAPIBroker.exe
• Cross Call 0xBE will Launch 64BitsMAPIBroker
• Creates a Named Pipe
– Potential new attack surface
– Did not test
?
