Adobe Reader's Custom Memory Management: A Heap of Trouble, presented at Black Hat Europe 2010

by Haifei Li and Guillaume Lovet,

Tags: Security Exploitation

Summary: PDF vulnerabilities are hot. In their 2010 predictions, several AV and security companies cited an expected rise in the volume of PDF vulnerabilities, possibly driven by demand from cybercriminals eager to leverage them in focused and large-scale attacks alike.
But how serious could it really be, and how much of this is casual marketing FUD? After all, many PDF vulnerabilities out there are structural (i.e. file-format) bugs, and essentially result in heap corruption. And everybody knows that turning a heap corruption bug into actual exploitation, with execution of attacker-supplied code, is no piece of cake: the Windows heap is hardly predictable, and it is armoured with protection mechanisms such as safe unlinking.
Yet the main PDF reader out there, Adobe Reader, has a peculiarity that may lead us to revise our beliefs: for performance reasons, it implements its own heap management system on top of the operating system's. And it turns out that, performance sometimes (often? nah...) being the enemy of security, this custom heap manager makes it significantly easier to exploit heap corruption flaws in a solid and reliable way. Coupled with very recent developments in DEP bypass in Flash (e.g. JIT spraying [1]), which we will briefly show to be valid in the PDF context as well, this makes heap corruption exploitation potentially consistent across a very large number of setups (a very interesting characteristic for the cybercriminal, whether for "blind-shooting" at a targeted system or for compromising a large number of systems at once).
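The argument above rests on one property: a custom heap that trusts its own metadata loses the sanity checks (safe unlinking and friends) that the OS heap performs. The toy allocator below is an added illustration written for this page; it is not Adobe Reader's allocator, nor code from the paper, and it does not claim to reproduce Reader's data structures. It keeps a singly linked free list with the link stored inline in each chunk, so an overflow from one chunk's data lands on the next chunk's link. With the link trusted blindly, the attacker steers the next allocation to an address of their choosing and gets a write-what-where; with a safe-unlink style bounds check, the forged link is rejected. The arena, the `target` word and the payload are all constructed for the demo.

```c
/* Added illustration: toy LIFO free-list allocator, not Adobe Reader's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 32
#define NCHUNKS    8

/* Each chunk carries its free-list link inline, right before the user data,
 * so an overflow from the previous chunk's data overwrites this link. */
typedef struct chunk {
    struct chunk *next;
    unsigned char data[CHUNK_SIZE - sizeof(struct chunk *)];
} chunk_t;

static chunk_t  arena[NCHUNKS];
static chunk_t *freelist;
static int      checked_mode;   /* 0: trust the link blindly, 1: validate it before unlinking */

static void heap_init(int checked)
{
    checked_mode = checked;
    memset(arena, 0, sizeof arena);
    freelist = NULL;
    for (int i = NCHUNKS - 1; i >= 0; i--) {   /* push in reverse so pops hand out arena[0], arena[1], ... */
        arena[i].next = freelist;
        freelist = &arena[i];
    }
}

/* The kind of check safe unlinking adds: a link must point at a chunk
 * boundary inside our own arena, otherwise the metadata has been tampered with. */
static int link_is_sane(const chunk_t *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)arena, hi = lo + sizeof arena;
    return p == NULL || (a >= lo && a < hi && (a - lo) % CHUNK_SIZE == 0);
}

static void *heap_alloc(void)
{
    chunk_t *c = freelist;
    if (c == NULL)
        return NULL;
    if (checked_mode && !link_is_sane(c->next)) {
        fputs("free-list corruption detected, refusing to unlink\n", stderr);
        return NULL;
    }
    freelist = c->next;          /* unchecked: a forged link becomes the next "chunk" handed out */
    return c->data;
}

static void heap_free(void *p)
{
    chunk_t *c = (chunk_t *)((unsigned char *)p - offsetof(chunk_t, data));
    c->next = freelist;
    freelist = c;
}

/* Constructed stand-in for a sensitive word (a vtable slot, a function pointer).
 * `pad` sits where a chunk's link would be, `word` where its data starts, so a
 * forged link pointing at &target makes the allocator return &target.word. */
static struct { uintptr_t pad; uintptr_t word; } target;

/* Returns 1 if the overflow let the attacker write `target.word`, 0 if the allocator stopped it. */
int overflow_demo(int checked)
{
    heap_init(checked);
    target.pad  = 0;
    target.word = 0x41414141u;

    unsigned char *a = heap_alloc();        /* arena[0] */
    unsigned char *b = heap_alloc();        /* arena[1] */
    heap_free(b);                           /* arena[1] is back on the free list: its link is live */

    /* Constructed attacker payload: fill a's data bytes, then enough extra bytes
     * to overwrite arena[1].next with a forged link pointing at `target`. */
    chunk_t *forged = (chunk_t *)&target;
    unsigned char payload[CHUNK_SIZE];
    memset(payload, 'A', sizeof payload);
    memcpy(payload + sizeof arena[0].data, &forged, sizeof forged);

    volatile unsigned char *dst = a;        /* volatile keeps the compiler from eliding the overflow */
    for (size_t i = 0; i < sizeof payload; i++)
        dst[i] = payload[i];                /* vulnerable copy: CHUNK_SIZE bytes into a 24-byte buffer */

    void *p1 = heap_alloc();                /* pops arena[1]; checked mode rejects its forged link here */
    if (p1 == NULL)
        return 0;
    void *p2 = heap_alloc();                /* unchecked: returns forged->data, i.e. &target.word */
    if (p2 == NULL)
        return 0;
    *(uintptr_t *)p2 = 0xdeadbeefu;         /* write-what-where through the "allocation" */
    return target.word == 0xdeadbeefu;
}

int main(void)
{
    printf("unchecked free list, attacker wrote target: %d\n", overflow_demo(0));
    printf("checked free list,   attacker wrote target: %d\n", overflow_demo(1));
    return 0;
}
```

Note the limit of the check, which is the same limit safe unlinking has: it only rejects links that leave the arena. A forged link that points at another chunk inside the arena still passes, and the attacker then gets two overlapping allocations instead of an arbitrary write, so a check of this kind raises the bar without closing the bug class.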
This paper introduces Adobe Reader's custom heap management system, dissects its mechanisms, and points out its weaknesses in order to shed light on, and raise awareness of, the PDF vulnerabilities issue. In addition, limitations will be discussed and possible mitigations suggested.