{"id":24435,"date":"2013-05-06T13:38:18","date_gmt":"2013-05-06T20:38:18","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=24435"},"modified":"2025-05-29T21:03:33","modified_gmt":"2025-05-30T04:03:33","slug":"emerging-stack-pivoting-exploits-bypass-common-security","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/emerging-stack-pivoting-exploits-bypass-common-security\/","title":{"rendered":"Emerging ‘Stack Pivoting’ Exploits Bypass Common Security"},"content":{"rendered":"

[This blog was primarily written by Xiaoning Li of McAfee Labs, with assistance from Peter Szor of McAfee Labs.]<\/p>\n

In February 2013, the Adobe Product Security Incident Response Team (PSIRT) released security advisory APSA13-02. <\/a>In that report they listed two vulnerabilities (CVE-2013-0640 and CVE-2013-0641) that were widely exploited. At McAffee Labs and McAfee Labs we ran some further analysis of these exploits and want to share some of the interesting details we discovered.<\/p>\n

Based on information from the PSIRT, both vulnerabilities will impact all versions of Adobe Reader from 9.x to 11.x. (Some Acrobat versions are also vulnerable.) We verified this claim and found the sample affected all of them.<\/p>\n

\"Szor<\/a><\/p>\n

Attack Path<\/b><\/h2>\n

The exploit is spread by a malicious PDF file. When Reader opens the PDF file, it will trigger the vulnerability and start the exploit. This PDF file delivers a very complex attack, bypassing the current Adobe sandbox mechanism to launch the malware.<\/p>\n

This flow shows the basic steps for the attack path:<\/p>\n

\"Szor<\/a><\/p>\n

The files D.T and L2P.T are DLLs in a sandboxed temp path, as in the following:<\/p>\n

\"Szor<\/a><\/p>\n

A new PDF is created in the normal temp path:<\/p>\n

\"Szor<\/a><\/p>\n

The new PDF, Visaform Turkey, will appear to hide the exploitation. The exploit uses a lot of memory in the background.<\/p>\n

\"Szor<\/a><\/p>\n

 <\/p>\n

First Exploit <\/b><\/h2>\n

The PDF\u2019s first exploit uses a heap overflow to overwrite a virtual function pointer, and also uses a memory information leak to bypass the address space layout randomization (ASLR) protection in Windows. Return-oriented programming is used to bypass data execution prevention (DEP).<\/p>\n

Let\u2019s sidetrack for a moment and look at two definitions: Return-oriented programming<\/i><\/b>\u00a0(ROP) is an exploit\u00a0technique in which an attacker controls the\u00a0call stack\u00a0to indirectly execute arbitrary intended or unintended code to deliver an attack, thereby bypassing security features such as DEP. Stack pivoting<\/i><\/b> is a common technique used by ROP-based exploits. Pointing the stack pointer to an attacker-owned buffer, such as the heap, will provide more flexibility for the attacker to carry out a complex ROP exploit.<\/p>\n

Here\u2019s how the exploit works from the first trigger point. The vulnerability is in AcroForm.api. After the exploit prepares customized stack data on the heap, the data triggers the exploit via following instructions in AcroForm.api.<\/p>\n

\"Szor<\/a><\/p>\n

With a modified virtual function pointer, the instruction calls into a special ROP gadget, which will start pivoting.<\/p>\n

The address for the first gadget is 0x209b9f50. Here\u2019s the original code:<\/p>\n

\"Szor<\/a><\/p>\n

But if we decode from 0x209b9f50, the code piece looks like what follows. This is the ROP gadget for stack pivoting:<\/p>\n

\"Szor<\/a><\/p>\n

Now the stack points to a fake stack in the heap. The code log in a debugger at runtime looks like this:<\/p>\n

\"Szor<\/a><\/p>\n

Once the customized stack works, it will start more ROP gadgets. When the next Ret instruction is called, the stack looks like this:<\/p>\n

\"Szor<\/a><\/p>\n

What\u2019s the instruction for 0x6acc1049? It is offset 0x1049 from AcroForm.api because 0x6acc00 is the base address for the target module. Here is the unintended ROP gadget again:<\/p>\n

\"Szor<\/a><\/p>\n

The decoded ROP gadget is just a Ret instruction:<\/p>\n

\"Szor<\/a><\/p>\n

It will repeat from stack 0x11849a34 to stack 0x1184beb4, a whopping 9,344 (0x2480) times!<\/p>\n

Let\u2019s see what the stack content is now:<\/p>\n

\"Szor<\/a><\/p>\n

The next gadget will move the esp register to esi. It will control the stack itself.<\/p>\n

\"Szor<\/a><\/p>\n

The gadget still includes lots of return addresses with repeated patterns, such as these:<\/p>\n

\"Szor<\/a><\/p>\n

With related code pieces:<\/p>\n

\"Szor<\/a><\/p>\n

\"Szor<\/a><\/p>\n

\"Szor<\/a><\/p>\n

So the logic will write target memory with values in the ecx register. The same pattern will repeat many times to modify 0x6b55e001, which is the beginning of the data section of AcroForm.api.<\/p>\n

\"Szor<\/a><\/p>\n

The data from 0x6b55e001 to 0x6b55e04e is modified and writes several API\/DLL names into the area of 0x6b55e001:<\/p>\n