The Acrobat Reader Windows sandbox is vulnerable to an NTFS junction attack that lets sandboxed code write an arbitrary file to the filesystem with the user's permissions. This could be used to break out of the sandbox, leading to execution at higher privileges.
The specific vulnerability is in the handling of the NtSetInformationFile system call hook. This function attempts to resolve the real destination of a rename: if the destination is a junction, it reads the junction's target. However, it only does this for the first level, so a chain of junctions (a junction whose target is itself a junction) is not followed to its real endpoint. This allows code in the sandbox to rename a file to an arbitrary location on the filesystem.
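To make the resolution flaw concrete, here is an added example (not Adobe's code and not the attached PoC) that models a rename destination check over a constructed junction table. The table `JUNCTIONS`, the root `SANDBOX_ROOT`, the depth bound `MAX_DEPTH` and all function names are assumptions for the illustration; on a real system the targets would be read from the filesystem's reparse points. It contrasts a resolver that follows only one junction level with one that follows the chain to a fixed point under a depth bound before applying the containment policy.

```python
"""Model of junction resolution before a sandbox rename policy check.
Added example: constructed data and hypothetical names, not the product's code."""

# Constructed junction table: directory -> reparse target (lowercase,
# backslash separated). j1 chains through j2 to a directory outside the sandbox.
JUNCTIONS = {
    r"c:\sandbox\tmp\j1": r"c:\sandbox\tmp\j2",
    r"c:\sandbox\tmp\j2": r"c:\users\victim\desktop",
}

SANDBOX_ROOT = r"c:\sandbox"   # assumed writable root for the sandboxed process
MAX_DEPTH = 32                 # assumed bound on chained reparse points


def _norm(path):
    """Case-fold and drop a trailing separator so prefix comparisons are stable."""
    return path.lower().rstrip("\\")


def _apply_junction(path, junctions):
    """Replace the longest junction prefix of path with its target.
    Returns None when no directory component of path is a junction."""
    path = _norm(path)
    best = None
    for src in junctions:
        if path == src or path.startswith(src + "\\"):
            if best is None or len(src) > len(best):
                best = src
    if best is None:
        return None
    return junctions[best] + path[len(best):]


def resolve_one_level(path, junctions=JUNCTIONS):
    """The flawed behaviour described in the report: follow one junction only."""
    hop = _apply_junction(path, junctions)
    return _norm(path) if hop is None else _norm(hop)


def resolve_fully(path, junctions=JUNCTIONS, max_depth=MAX_DEPTH):
    """Hardened behaviour: follow junctions until none applies.
    A chain longer than max_depth (or a cycle) is rejected rather than trusted."""
    cur = _norm(path)
    for _ in range(max_depth):
        hop = _apply_junction(cur, junctions)
        if hop is None:
            return cur
        cur = _norm(hop)
    raise ValueError("reparse chain too deep or cyclic: %s" % path)


def rename_allowed(dest, resolver):
    """Policy check: the resolved destination must stay inside SANDBOX_ROOT."""
    real = resolver(dest)
    return real == SANDBOX_ROOT or real.startswith(SANDBOX_ROOT + "\\")


if __name__ == "__main__":
    target = r"C:\sandbox\tmp\j1\abc"
    print("one level :", resolve_one_level(target), rename_allowed(target, resolve_one_level))
    print("full chain:", resolve_fully(target), rename_allowed(target, resolve_fully))
```

With the one-level resolver the destination appears to be `c:\sandbox\tmp\j2\abc`, which passes the containment check, while the full resolver reaches `c:\users\victim\desktop\abc` and the rename is refused. The depth bound is what keeps a junction cycle from turning the hardened check into an infinite loop.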
Version tested: 11.0.8 (10.* not tested)
Attached is a PoC, including source and pre-compiled binaries. To test the PoC, run the following steps:
1) Copy Testdll.dll and InjectDll.exe to a location the sandboxed process can read.
2) Run the command Injectdll.exe pid path\to\testdll.dll, where pid is the process ID of a sandboxed Adobe Reader process.
3) Successful exploitation is indicated by a new file called 'abc' being created on the desktop.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.