JIT Spraying in PDF

by Haifei Li
February 10, 2010 at 9:55 am

You may have noted that security researcher Dionysus Blazakis recently presented, at BlackHat DC 2010, a significant technique for bypassing DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), which is called “JIT Spraying” (the white paper can be found here).

JIT Spraying is in fact a general idea: use the JIT compiler to place executable code of the attacker’s choosing in memory. In that presentation, the researcher shows how to apply the technique to the Adobe Flash ActionScript Virtual Machine as an example.

As shown in my other post, A Look Back at PDF Vulnerabilities, Adobe Reader can play Flash files on its own (without Adobe Flash Player installed on the system). The following quick test shows that JIT Spraying therefore works there as well.

1. We use the same ActionScript code shown in the paper.

var y = (0x3c54d0d9 ^ 0x3c909058 ^ 0x3c59f46a ^ 0x3c90c801 ^ 0x3c9030d9 ^ 0x3c53535b);

2. We embed the .swf file into a PDF. Note that the option parameter marked in red makes the .swf file play automatically.

[Figure pic1: the PDF embedding the .swf file, with the auto-play option parameter marked in red]

3. Now let’s have a look at the relevant places (highlighted in red below) in the memory space of the Adobe Reader process once it has loaded our crafted PDF:

[Figure pic2: memory of the Adobe Reader process, with the series of XOR operations compiled to native machine code highlighted in red]

The ActionScript code from our embedded Flash file clearly appears, in the form of native machine code (see the series of XOR operations above), meaning it was compiled by the JIT compiler.

[As a side note, the file responsible for playing Flash is named "authplay.dll"; it is in fact a standard Shockwave Flash application.]

Therefore, PDF is in the same situation as Flash: code can be “sprayed” via the JIT compiler.
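From the defender’s side, the observable artifact of this technique is the shape the compiled expression takes in memory: one long run of `xor eax, imm32` instructions whose immediates all share the same high byte (0x3c in the constants above). The following scanner is an added example written for this post, not code from the original article or from Adobe; it assumes, as a labelled simplification, that a simple JIT compiles `c0 ^ c1 ^ ... ^ cn` to `mov eax, c0` followed by one `xor eax, ci` per remaining constant (opcodes 0xB8 and 0x35 respectively), builds a constructed memory buffer of that shape around the post’s own constants, and reports runs of such instructions as candidate sprayed regions.

```python
import struct
from dataclasses import dataclass

XOR_EAX_IMM32 = 0x35  # x86 opcode: xor eax, imm32
MOV_EAX_IMM32 = 0xB8  # x86 opcode: mov eax, imm32

# The constants from the ActionScript line quoted in the post.
SPRAY_CONSTANTS = [0x3c54d0d9, 0x3c909058, 0x3c59f46a,
                   0x3c90c801, 0x3c9030d9, 0x3c53535b]


def jit_like_encoding(constants):
    """Constructed sample of what a simple JIT would emit for
    c0 ^ c1 ^ ... ^ cn: mov eax, c0 then xor eax, ci for each remaining
    constant. This is an assumption about the code shape, not bytes
    dumped from the Adobe Reader process."""
    out = bytes([MOV_EAX_IMM32]) + struct.pack('<I', constants[0])
    for c in constants[1:]:
        out += bytes([XOR_EAX_IMM32]) + struct.pack('<I', c)
    return out


@dataclass
class SprayHit:
    offset: int      # where the xor chain starts in the buffer
    count: int       # number of consecutive xor eax, imm32 instructions
    high_byte: int   # top byte shared by all the immediates in the run


def find_xor_chains(buf, min_len=4):
    """Scan a byte buffer for runs of consecutive xor eax, imm32 whose
    immediates share the same high byte. A long run like that is the
    shape a JIT-sprayed XOR expression takes once compiled; ordinary
    compiled code rarely chains more than a couple of such XORs."""
    hits = []
    i = 0
    n = len(buf)
    while i + 5 <= n:
        if buf[i] != XOR_EAX_IMM32:
            i += 1
            continue
        start = i
        high = buf[i + 4]   # high byte of the little-endian imm32
        count = 0
        while i + 5 <= n and buf[i] == XOR_EAX_IMM32 and buf[i + 4] == high:
            count += 1
            i += 5
        if count >= min_len:
            hits.append(SprayHit(start, count, high))
        # a run shorter than min_len is skipped; i already points past it
    return hits


# Constructed memory image: a benign-looking prologue (push ebp; mov ebp, esp;
# xor eax, eax; three nops), then the sprayed expression, then ret.
BENIGN_PROLOGUE = bytes.fromhex('558bec33c0909090')
SAMPLE_BUFFER = BENIGN_PROLOGUE + jit_like_encoding(SPRAY_CONSTANTS) + bytes.fromhex('c3')


if __name__ == '__main__':
    for hit in find_xor_chains(SAMPLE_BUFFER):
        print(f'xor chain at offset {hit.offset}: {hit.count} instructions, '
              f'immediate high byte 0x{hit.high_byte:02x}')
```

The `min_len` threshold is what keeps the heuristic quiet on normal code: a single `xor eax, imm32`, or a short chain with differing high bytes, is not reported. Run over a real process dump, the same scanner would be applied page by page to executable regions, and a hit in a region owned by the JIT heap rather than a loaded module would be the signal worth investigating.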

As we know, DEP has been enabled since Adobe Reader 9.2.0, and it indeed prevents a lot of PDF-based attacks; for example, the popular in-the-wild exploit for the vulnerability CVE-2009-4324 does not work on the latest Adobe Reader.

Unfortunately, the situation has now changed: DEP on Adobe Reader has become much easier to bypass because of the Flash-playing feature in PDF. A working JIT Spraying exploit can be expected to appear in the wild in the near future, as researchers (both black hats and white hats) pay more attention to this area, so PDF zero-days will get a brand new way to stay alive. This is important information for our PDF zero-day defense as well.

Guillaume Lovet contributed to this post

Author bio: Haifei Li is a vulnerability researcher with Fortinet's FortiGuard Global Security Research Team.

One Response to “JIT Spraying in PDF”

  1. John Stoker says:

    Good article, thanks for sharing!
