ABUSING ADOBE READER¹S JAVASCRIPT APIS presented at Ruxcon 2015

by Jasiel Spelman, Matt Molinyawe,

Summary : Adobe Reader¹s JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader¹s JavaScript APIs.
In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We¹ll detail out how to chain several unique issues to obtain execution in a privileged context. Finally, we¹ll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.