Vulnerability in Adobe Acrobat Reader can allow anyone to hack your macOS run PC/laptop


Vulnerability in Adobe Acrobat allows wannabe hackers to gain ROOT access to your MacBook laptops and macOS run PCs

Its raining vulnerabilities! A security researcher from Tencent Security Xuanwu Lab, Yuebin Sun has found a vulnerability in the popular Adobe Acrobat Reader that could allow potential hackers ROOT control to your macOS run MacBook Pros and PCs.

Sun has detailed the vulnerabilities on his blog which he has written independently. Adobe has already patched the three vulnerabilities in the Adobe Acrobat Reader DC for macOS. The three critical vulnerabilities are listed as CVE-2020-9615, CVE-2020-9614, and CVE-2020-9613. Despite of the patches being released, many macOS users have not updated their Adobe Acrobat Reader DC which leaves them vulnerable to potential hackers. Sun details how hackers could exploit those macOS PCs/laptops which have not updated their Adobe software.

Adobe Acrobat Reader DC is a popular App and developed by Adobe Inc. to view, create, manipulate, print, and manage Portable Document Format (PDF) files. The App opened by default in many PC/laptops when the user wants to read/view or edit PDF documents.

According to Sun, the three vulnerabilities in the Adobe Acrobat Reader DC give potential hackers ROOT access to macOS run PC/laptops. Accessing root privilege gives the hacker complete control to anything including reading/writing all sensitive files/databases such as videos, images, and calendars. However in modern macOS, root processes outside of sandbox are rare, most macOS built-in services run within a sandbox. However, the Adobe vulnerabilities run outside the sandbox

Sun explains that com.adobe.ARMDC.SMJobBlessHelper within /Library/PrivilegedHelperTools/ is one of the components of Adobe Acrobat Reader DC, responsible for software updating. It runs as root and macOS doesn’t sandbox it.

Vulnerability 1: Bad Checking of NSXPC Connection Client

SMJobBlessHelper is based on NSXPC, its client checking exists in [SMJobBlessHelper listener:should AcceptNewConnection:]. The checking logic gets the client’s PID and then obtains Bundle ID based on the client’s process path, the client will be trusted if its Bundle ID is “com.adobe.ARMDC”.

Vulnerability 2: Temp Directory Root Protection Can Be Bypassed

During the updating process before SMJobBlessHelper launches, ARMDCHammer, download folder(in bundle’s parent directory) will be moved to /var/folders/zz/xxxxx/T/. The owner of “/var/folders/zz/xxxxx_ n0000000000000/T/download” is the root. While normal users DO NOT have access to it, a potential hacker may forge the symlink to access it. If ./download/ARMDCHammer is a symlink, after being moved to /var/folders/zz/xxxxx/T/download the symlink is still valid.

This forged symlink can bypass temp directory protection and allow hackers force /var/folders/zz/xxxxx/T/ download/ARMDCHammer to link to anywhere.

Vulnerability 3: validateBinary and launchARMHammer Has a Race Condition window

With the help of vulnerability 2, we can force validateBinary() to check /tmp/test/hello_root. The logic exists in [SMJobBlessHelper doWork]. Hackers can replace the “/tmp/test/hello_root” with a malicious file after validateBinary, launchARMHammer will launch our malicious process.

In his blog, Sun provides details of the three logic vulnerabilities in Adobe Acrobat Reader and show how to exploit them to gain root without sandbox limitation.

If you are an Adobe Acrobat Reader DC user, you should update your software immediately. If you have any questions regarding the above exploits, you can reach Sun on his Twitter handle.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments