A privilege escalation vulnerability that was patched last week in Microsoft Windows and an Adobe Reader remote code execution bug that was fixed yesterday in a product update were both jointly targeted by a PDF-based zero-day exploit prior to their discovery, researchers from ESET reported today.
In a blog post describing the dual exploit, Anton Cherepanov, an ESET senior malware researcher, states the malicious PDF sample was found uploaded to a public repository, but did not yet contain a final payload, meaning it may have been spotted while still under early-stage development.
"The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction," states Cherepanov, noting that the combined use of more than one vulnerability typically signifies the work of an APT group such as Russia's Fancy Bear cyber outfit.
When opened, the PDF sample first embeds JavaScript code in Adobe Reader to exploit the critical double free memory corruption vulnerability CVE-2018-4990 -- one of 47 Acrobat and Reader bugs that Adobe repaired via security updates on May 14. The exploit enables attackers to read and write in memory, allowing them to execute shellcode that executes a malicious PE file.
But for this RCE exploit to be truly devastating, the attackers next have to bypass the Abode Reader protective sandbox and compromise the entire computer -- and that's where the Windows OS bug comes into play. The elevation of privilege vulnerability, CVE-2018-8120, occurs in the Win32k component when it fails to properly handle objects in memory, and can be exploited to run arbitrary code in kernel mode, giving attackers total control.
Cherepanov is credited with finding the Microsoft issue and was given co-credit along with Microsoft researcher Matt Oh for reporting the Adobe vulnerability.
