{"id":28945,"date":"2020-05-14T15:09:08","date_gmt":"2020-05-14T19:09:08","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=28945"},"modified":"2021-07-06T17:00:31","modified_gmt":"2021-07-06T21:00:31","slug":"security-flaws-in-adobe-acrobat-reader","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/05\/14\/security-flaws-in-adobe-acrobat-reader\/","title":{"rendered":"Security Flaws in Adobe Acrobat Reader"},"content":{"rendered":"

Yuebin Sun<\/a> (tweet<\/a>, MacRumors<\/a>):<\/p>\n

Today, Adobe Acrobat Reader DC for macOS patched three critical vulnerabilities […] I reported. The only requirement needed to trigger the vulnerabilities is that Adobe Acrobat Reader DC has been installed. A normal user on macOS(with SIP enabled) can locally exploit this vulnerabilities chain to elevate privilege to the ROOT without a user being aware.<\/p>\n

[…]<\/p>\n

SMJobBlessHelper<\/code> is based on NSXPC<\/code>, its client checking exists in [SMJobBlessHelper listener:shouldAcceptNewConnection:]<\/code>. The checking logic is as pseudo-code shows below, gets the client’s PID, and then obtains Bundle ID based on the client’s process path, the client will be trusted if its Bundle ID is “com.adobe.ARMDC”.<\/p>\n

[…]<\/p>\n

Yes, the symlink is still valid, it can help us to bypass temp directory protection. I can force \/var\/folders\/zz\/xxxxx\/T\/download\/ARMDCHammer<\/tt> to link to anywhere.<\/p>\n

[…]<\/p>\n

So if we can replace the “\/tmp\/test\/hello_root” with our malicious file after validateBinary, launchARMHammer will launch our malicious process.<\/p>\n

You may think the race condition window is too narrow to control, I will show the tricks later.<\/p><\/blockquote>\n\n

I don’t like it when third-party code uses the name of a system class or function as a prefix.<\/p>\n\n

Previously:<\/p>\n