July 03, 2018

Exploits Found After Someone Uploaded 'Unarmed' PoC to VirusTotal

Security researchers at Microsoft have released details of two zero-day vulnerabilities, one rated critical and one important, that were discovered after someone uploaded a malicious PDF file to VirusTotal, and that were patched before being used in the wild.
In late March, researchers at ESET found a malicious PDF file on VirusTotal, which they shared with the security team at Microsoft "as a potential exploit for an unknown Windows kernel vulnerability."
After analyzing the malicious PDF file, the Microsoft team found that the same file includes two different zero-day exploits: one for Adobe Acrobat and Reader, and the other targeting Microsoft Windows.

Since the patches for both vulnerabilities were released in the second week of May, Microsoft published details of both today, after giving users enough time to update their vulnerable operating systems and Adobe software.
According to the researchers, the malicious PDF combining both zero-day exploits was in an early development stage, "given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code."
It seems that whoever combined both zero-days into what could have become an extremely powerful cyber weapon unintentionally gave the game away by uploading his or her under-development exploit to VirusTotal.
The zero-day vulnerabilities in question are a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990) and a privilege escalation bug in Microsoft Windows (CVE-2018-8120).
"The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module," says Matt Oh, Security Engineer at Windows Defender ATP Research.
"The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory."
The Adobe Acrobat and Reader exploit was delivered through a PDF document containing a maliciously crafted JPEG 2000 image together with JavaScript exploit code, which triggers a double-free vulnerability in the software to run shellcode.
Leveraging shellcode execution from the first vulnerability, the attacker uses the second, Windows kernel exploit to break out of the Adobe Reader sandbox and run code with elevated privileges.
Since this malicious PDF sample was under development at the time of detection, it apparently carried only a simple PoC payload that dropped an empty .vbs file in the Startup folder.
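As an added example (not code from Microsoft, ESET or this article), the following Python script performs the structural triage an analyst would run on a PDF like the one described above: it checks whether the file carries both ingredients of the first stage, embedded JavaScript and a JPEG 2000 (/JPXDecode) image stream, including inside FlateDecode-compressed streams, where a plain string search over the file would miss the names. The sample PDF it builds is constructed for the demonstration and is not the malicious file; the indicator names and the 512-byte look-back window are choices made here. A hit means the file deserves a closer look, not that it exploits CVE-2018-4990.

```python
"""Structural triage of a PDF for the two ingredients the article describes:
embedded JavaScript and a JPEG 2000 (/JPXDecode) image stream. Added example,
not code from Microsoft, ESET or the article; it flags files worth a closer
look and does not detect CVE-2018-4990 itself."""
import re
import zlib

# PDF name objects worth flagging (chosen for this example). /JavaScript and
# /JS mark script actions, /JPXDecode marks a JPEG 2000 image stream, and
# /OpenAction marks something that runs as soon as the document is opened.
INDICATORS = {
    "javascript": re.compile(rb"/(?:JavaScript|JS)\b"),
    "jpeg2000": re.compile(rb"/JPXDecode\b"),
    "openaction": re.compile(rb"/OpenAction\b"),
}

# A stream body sits between "stream" and "endstream"; the negative lookbehind
# stops the tail of "endstream" from being taken as the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes):
    """Yield the decompressed body of every FlateDecode stream in the file.

    The stream dictionary precedes the "stream" keyword, so the filter name is
    looked for in the bytes just before the match (512-byte window, an
    assumption of this example). Corrupt or truncated streams are skipped
    rather than aborting the triage.
    """
    for m in STREAM_RE.finditer(data):
        header = data[max(0, m.start() - 512):m.start()]
        if b"/FlateDecode" not in header:
            continue
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def triage_pdf(data: bytes) -> dict:
    """Return which indicators appear in the raw file or in any inflated
    stream, plus whether the JavaScript + JPEG 2000 combination is present."""
    views = [data] + list(inflate_streams(data))
    hits = {name: any(pat.search(v) for v in views)
            for name, pat in INDICATORS.items()}
    hits["suspicious_combo"] = hits["javascript"] and hits["jpeg2000"]
    return hits


def make_sample_pdf() -> bytes:
    """Constructed sample for the demonstration, not the malicious file.

    The catalog's /OpenAction points at a JavaScript action, and an image
    XObject declared with /JPXDecode is stored inside a FlateDecode-compressed
    object stream (/Type /ObjStm), so a naive search over the raw bytes sees
    the JavaScript but misses the JPEG 2000 indicator.
    """
    hidden = (b"5 0 << /Type /XObject /Subtype /Image /Filter /JPXDecode "
              b"/Width 1 /Height 1 >>")
    packed = zlib.compress(hidden)
    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /S /JavaScript /JS (app.alert('constructed sample');) >>\nendobj\n",
        b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


def raw_search_misses_jpx(data: bytes) -> bool:
    """True when a naive search of the raw bytes finds no /JPXDecode although
    an inflated stream does contain it; this is the caveat the triage is for."""
    raw_hit = INDICATORS["jpeg2000"].search(data) is not None
    inflated_hit = any(INDICATORS["jpeg2000"].search(v) for v in inflate_streams(data))
    return (not raw_hit) and inflated_hit


if __name__ == "__main__":
    sample = make_sample_pdf()
    print(triage_pdf(sample))
    print("naive grep would miss the JPEG 2000 stream:", raw_search_misses_jpx(sample))
```

Run against a real file with `triage_pdf(open(path, "rb").read())`. The script deliberately stays at the level of name objects and Flate streams; it does not parse object streams or cross-reference tables, and other filters (ASCIIHex, LZW, encryption) would still hide the names, which is why a negative result from this kind of check should not be treated as a clean bill.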
"Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples," ESET researchers concluded.
"The sample does not contain a final payload, which may suggest that it was caught during its early development stages. Even though the sample does not contain a real malicious final payload, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing."
Microsoft and Adobe released corresponding security updates for both vulnerabilities in May. For more technical details of the exploits, see the Microsoft and ESET blogs.