Microsoft revealed that 2 Zero-Days found in March were part of a cyber weapon in an early development stage
3.7.18 securityaffairs
Vulnerebility

Microsoft published technical details of 2 zero-days that have been recently discovered after someone uploaded a weaponized PDF file to VirusTotal.
Security researchers from Microsoft have published technical details of two zero-day vulnerabilities that have been recently discovered after someone uploaded a weaponized PDF file to VirusTotal.

The two issues were addressed by Microsoft with May 18 Patch Tuesday before threat actors used it in attacks in the wild.

The first zero-day vulnerability is a remote code execution flaw in Adobe Acrobat and Reader (CVE-18-4990), the second one is a privilege escalation flaw in Microsoft Windows (CVE-18-8120).

“The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF.” reads the analysis published by Microsoft.

Microsoft shared the technical details of both the flaw only now because it gave users enough time to update their operating systems and Adobe software.

In late March, experts at ESET analyzed a malicious PDF file that was uploaded on VirusTotal and provided it to the Microsoft security team.

The experts flagged the document “as a potential exploit for an unknown Windows kernel vulnerability.”

The analysis conducted by the Microsoft team revealed that the document includes two different zero-day exploits, one for Adobe Acrobat and Reader and one for Microsoft Windows.

zero-days

According to Microsoft, the weaponized PDF file was in the early development stage, the code used by attackers appeared a PoC code and the weaponized file did not deliver a malicious payload.

“Although the PDF sample was found in VirusTotal, we have not observed actual attacks perpetrated using these exploits. The exploit was in early development stage, given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code.” reads the analysis published by Microsoft.

Someone combined the two zero-days to build a very powerful attack vector.

The Adobe Acrobat and Reader exploit is included in the document as a specially crafted JPEG 2000 image that contains the JavaScript exploit code used to trigger a double-free vulnerability in the software to run shellcode.

zero-days

The attackers were trying to chain this exploit with the second Windows kernel exploit to break the Adobe Reader sandbox and run it with elevated privileges.

Once the attacker has exploited the Adobe Reader vulnerability, he will leverage the Window zero-day flaw to escape the sandbox. The Microsoft Win32k zero-day allows the attacker to elevate the privilege of the PE file to run, which is run in kernel mode, escaping the Adobe Acrobat/Reader sandbox and gaining system-level access.

The PoC payload used in the sample dropped an empty vbs file in the Startup folder.

“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concluded ESET.

“Even though the sample does not contain a real malicious final payload, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”

Both Microsoft and ESET published technical details of the two zero-days, both firms also shared the IoCs for the exploits.