DeepSurface Security Advisory: LPE in Adobe Reader on Windows

TL;DR

Adobe Reader is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. A local attacker with an unprivileged account on the same Windows system can use the flaw to gain the privileges of any other user who runs Adobe Reader on that system. Through our responsible disclosure program Adobe was contacted and provided a fix for this issue. Adobe also issued CVE-2021-35982 to track the vulnerability.

Overview

Adobe Acrobat Reader DC is a popular application for viewing and interacting with PDF documents.

As part of our security research and product support programs, we discovered numerous products in enterprise environments were installed with insecure filesystem permissions. One of these products was Adobe Reader DC, and we decided to investigate the cause.

We found that when users choose to install Adobe Reader on Windows in a location other than the default, it typically allows any other user on the same system to take control of the accounts of users who run Adobe Reader. To be more specific, improper configuration of permissions in the installation directory allows an attacker to perform DLL hijacking/sideloading attacks.

For more information on this vulnerability class, see our previous blog post on the topic, as well as some of the vulnerabilities we have published previously (CVE-2021-29221, CVE-2021-26556).

Exploitation

To demonstrate this flaw, we first downloaded the latest version of Adobe Reader (at that time, being 2021.005.20048) from https://get.adobe.com/reader/enterprise/.

We also changed the installation directory to C:\adobe, which can be created through the installer GUI.

Aside from the custom installation directory, we used the default options.

After installation, we found that the installation folder had improper permissions in that it included the entry "BUILTIN\Users Allow *", which was inherited from the drive root. This gives any local user the ability to create new files (but not modify existing files) in the installation directory.

To fully demonstrate the implications of this vulnerability, first create a new unprivileged user. Then, as this user, download the SensApi.dll file available in our GitHub Repository and move it into the C:\adobe\Reader directory. (For more information on how this file was generated, see the README.md file in the same repository.)

Now, as the privileged user, start Adobe Reader. You should see a number of terminal windows appear as the payload is executed. Assuming the default payload, you should also see a message written to the file C:\pwned.

Timeline

June 10, 2021: Submitted to https://hackerone.com/adobe.
July 2, 2021: After hearing no response from Adobe, requested an update.
July 22, 2021: Reminded Adobe of DeepSurface Security's 90-day disclosure policy.
July 22, 2021: First response from Adobe, indicating the engineering team had been working on a fix with an anticipated September release date.
July 22, 2021: DeepSurface confirmed this timeline was acceptable.
September 14, 2021: Updated Adobe Reader released along with advisory for CVE-2021-35982.

The Fix

Adobe has released an advisory and updated software to address this issue. Please see the details in: https://helpx.adobe.com/security/products/acrobat/apsb21-55.html

We recommend that users examine any existing Adobe Reader installations (particularly those installed outside of C:\Program Files) to ensure the filesystem permissions on the installation directory are secure.
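The following PowerShell script is an added audit example for the check recommended above; it is not part of this advisory and is not code from DeepSurface Security or Adobe. It walks an Adobe Reader installation directory and its subfolders and reports every Allow ACE that grants a principal every local user belongs to (BUILTIN\Users, Everyone, Authenticated Users, INTERACTIVE) the right to create files or directories, which is the condition described in the Exploitation section. The default path C:\adobe\Reader is the example location used in this advisory; the list of broad principals and the exit codes are the script's own assumptions.

```powershell
# Added audit example, not part of the DeepSurface advisory or of Adobe's software.
# Reports ACEs on an Adobe Reader installation directory (and subfolders) that let
# every local user create files there. C:\adobe\Reader is the advisory's example
# path; pass -InstallDir for a different location.
param(
    [string]$InstallDir = 'C:\adobe\Reader'
)

# Principals that every interactive account on the machine is a member of
# (assumed list; extend it for site-specific groups such as Domain Users).
$broadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Bits that allow dropping a new file or folder into a directory. Write, Modify
# and FullControl all contain these two bits, so testing the bits covers the
# named rights as well.
$createMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                    [System.Security.AccessControl.FileSystemRights]::CreateDirectories)
# ACEs inherited from a drive root are sometimes expressed as generic rights,
# which the FileSystemRights enum does not name; test those bits explicitly.
$genericWrite = 0x40000000
$genericAll   = 0x10000000
$dangerMask   = $createMask -bor $genericWrite -bor $genericAll

function Get-WeakAce {
    # Returns one record per Allow ACE on $Path that gives a broad principal
    # create/write rights, or nothing when the directory is tightly permissioned.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band $dangerMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True when the ACE came from a parent such as the drive root
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    Write-Error "Installation directory not found: $InstallDir"
    exit 2
}

# Check the installation root and every folder below it: any of them may hold
# DLLs that the application loads.
$targets  = @($InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Directory -Recurse |
                               ForEach-Object { $_.FullName })
$findings = @($targets | ForEach-Object { Get-WeakAce -Path $_ })

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    $dirCount = @($findings | Select-Object -ExpandProperty Path -Unique).Count
    Write-Output "$dirCount directories under $InstallDir grant create/write rights to broad principals; tighten the ACL."
    exit 1
}

Write-Output "No broad create/write ACEs found under $InstallDir."
exit 0
```

Run it from an elevated or standard prompt (reading ACLs needs no special privilege) as `.\Check-ReaderAcl.ps1 -InstallDir 'C:\adobe\Reader'`. A finding with Inherited set to True matches the situation in this advisory, where the permissive entry came from the drive root rather than from the installer itself. Remediation is deliberately left out of the script: the usual fix is to break inheritance on the installation root and re-grant only Administrators and SYSTEM full control, leaving standard users with read and execute, then re-run the audit to confirm.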

Acknowledgements

We would like to thank the Adobe security team for their support and thoroughness in investigating and fixing this issue.