Windows Acrobat Reader 11 Sandbox Escape in MoveFileEx IPC Hook

Reported by forshaw@google.com (Project Member), Aug 27 2014
The Acrobat Reader Windows sandbox is vulnerable to an NTFS junction attack to write an arbitrary file to the filesystem under user permissions. This could be used to break out of the sandbox, leading to execution at higher privileges.

The specific vulnerability is that there is a race condition in the handling of the MoveFileEx call hook. While the function resolves the location of the source and destination and ensures they are within the policy, there is a timing race once the function calls into the MoveFileEx function in the broker. This race can be won by the sandboxed process by using an OPLOCK to wait for the point where the MoveFileEx function opens the original file for the move. This allows code in the sandbox to write an arbitrary file to the file system.

While this is similar to the previously reported issue with NtSetInformationFile, it's different in that it doesn't rely on the bug in the processing of the file path but instead exploits a TOCTOU race. It's only possible in this case to race as it's the broker which opens the file rather than the sandboxed process. It would probably be recommended to ensure that you cannot create junctions ever, although this isn't trivial in all cases where you're passing back raw handles to the callee.

Version tested: 11.0.8 (10.* not tested)

Attached is a PoC, including source and pre-compiled binaries. To test the PoC run the following steps:

1) Copy Testdll.dll and InjectDll.exe to a location the sandboxed process can read.
2) Run the command Injectdll.exe pid path\to\testdll.dll where pid is the process ID of a sandboxed Adobe Reader process.
3) Successful exploitation is indicated by a new file being created on the desktop called 'abc'.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Comment 1 by forshaw@google.com (Project Member), Nov 26 2014

Deadline exceeded -- automatically derestricting.
Can you please tell me what this is? I would like to deepen http://wdfshare.blogspot.com