People regularly ask me for a PoC (PDF or other type) to test their security setup. For example, they sandboxed Adobe Reader and now they want to test that Adobe Reader can’t write to sensitive Windows directories like system32.
Well, you don’t need a PoC to test your setup in this way. Just develop and compile a DLL that writes to system32, and inject it into the target process.
The problem, however, is that not everybody has the skills to develop and compile such a DLL. But almost everybody can write a VBScript that accomplishes the same. Here’s a one-liner that creates test.txt in system32:
CreateObject("Scripting.FileSystemObject").CreateTextFile("c:\windows\system32\test.txt")
But how do you get the target process to execute this script? That is something I worked out 2 years ago: bpmtk: Injecting VBScript. In a nutshell: I developed a DLL that, once injected into a process, instantiates a VBScript engine and executes the provided script.
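The one-liner stops with a runtime error when the write is blocked and leaves test.txt behind when it succeeds. The following added example (not from the original post or from bpmtk) reports the outcome per directory, uses the temp folder as a control to confirm the script itself runs, and removes its test file. The file name sandbox-write-test.txt is made up for this example, and the script assumes the process executing it is allowed to display a MsgBox.

```vbscript
Option Explicit

' Added example: probe write access from inside the process under test.
Dim fso, targets, t, report
Set fso = CreateObject("Scripting.FileSystemObject")

' GetSpecialFolder: 0 = Windows folder, 1 = System folder, 2 = Temp folder.
' Temp is the control: if even that is blocked, check the script and the
' engine before drawing conclusions about the sandbox.
targets = Array(fso.GetSpecialFolder(1).Path, _
                fso.GetSpecialFolder(0).Path, _
                fso.GetSpecialFolder(2).Path)

report = ""
For Each t In targets
    report = report & ProbeWrite(t) & vbCrLf
Next
MsgBox report, vbInformation, "Sandbox write test"

' Tries to create and then delete a marker file in the given folder.
Function ProbeWrite(folder)
    Dim path, f
    path = fso.BuildPath(folder, "sandbox-write-test.txt")  ' made-up name
    If fso.FileExists(path) Then
        ' Never touch a file this test did not create.
        ProbeWrite = "SKIPPED  (file already exists) " & path
        Exit Function
    End If
    On Error Resume Next
    Set f = fso.CreateTextFile(path, False)   ' False = do not overwrite
    If Err.Number <> 0 Then
        ProbeWrite = "BLOCKED  " & path & " (" & Err.Description & ")"
        Err.Clear
        Exit Function
    End If
    f.Close
    fso.DeleteFile path
    If Err.Number <> 0 Then
        ProbeWrite = "WRITABLE (cleanup failed) " & path
        Err.Clear
    Else
        ProbeWrite = "WRITABLE " & path
    End If
End Function
```

A correctly confined process should report BLOCKED for the system and Windows folders; whether the temp folder is writable depends on the sandbox policy.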
Are you saying that Adobe Reader X when running in a sandbox can still instantiate a VBScript engine when injected with your DLL? Very disappointing.
Comment by Richard — Wednesday 22 June 2011 @ 15:14
@Richard What do you mean?
Comment by Didier Stevens — Wednesday 22 June 2011 @ 16:47
Never mind, I see you are manually injecting the DLL into the Reader process. I was referring to the situation where a malicious PDF would instantiate a VBScript engine inside Reader. I hope the Reader Protected Mode will not allow this.
Comment by Richard — Wednesday 22 June 2011 @ 21:31
@Richard I think this would be possible. But I don’t see a problem. The VBScript engine would run in the confinement of the Reader X sandbox.
Comment by Didier Stevens — Thursday 23 June 2011 @ 0:35
“I developed a DLL that, once injected into a process, instantiates a VBScript engine and executes the provided script.”
It would be easier to develop a DLL just to create a file in system32 🙂
Comment by thetester@iname.com — Wednesday 20 July 2011 @ 23:33
@thetester “The problem, however, is that not everybody has the skills to develop and compile such a DLL. But almost everybody can write a VBScript that accomplishes the same.”
Comment by Didier Stevens — Thursday 21 July 2011 @ 6:33