An unidentified hacker group appears to have accidentally exposed two fully-working zero-days when they've uploaded a weaponized PDF file to a public malware scanning engine.

The zero-days where spotted by security researchers from Slovak antivirus vendor ESET, who reported the issues to Adobe and Microsoft, which in turn, had them patched within two months.

Zero-days caught while still under development

Anton Cherepanov, the ESET researcher who spotted the zero-days hidden inside the sea of malware samples, believes he caught the zero-days while the mysterious hacker(s) were still working on fine-tuning their exploits.

"The sample does not contain a final payload, which may suggest that it was caught during its early development stages," Cherepanov said.

The two zero-days are CVE-2018-4990, affecting Adobe's Acrobat/Reader PDF viewer, and CVE-2018-8120, affecting the Win32k component of Windows.

The two zero-days are meant to be used together and make up a so-called "exploit chain." The Adobe zero-day is intended to provide the ability to run custom code inside Adobe Acrobat/Reader, while the Windows zero-day allows attackers to escape Adobe's sandbox protection and execute additional code on the underlying OS.

How the exploit chain works

"The malicious PDF sample embeds JavaScript code that controls the whole exploitation process. Once the PDF file is opened, the JavaScript code is executed," Cherepanov wrote in a report detailing the exploit chain today, which can be narrowed down to the following steps:

⧁ User receives and opens boobytrapped PDF file

⧁ Malicious JavaScript code executes when user opens PDF

⧁ JavaScript code manipulates a button object

⧁ Button object, consisting of a specially-crafted JPEG2000 image, triggers a double-free vulnerability in Adobe Acrobat/Reader

⧁ JavaScript code uses heap-spray techniques to obtain read and write memory access

⧁ JavaScript code then attacks Adobe Reader's JavaScript engine

⧁ Attacker uses the engine's native assembly instructions to execute its own native shellcode

⧁ Shellcode initializes a PE file embedded in the PDF

⧁ The part of the Microsoft Win32k zero-day kicks and lets the attacker elevate the privilege of the PE file to run, which is run in kernel mode, breaking out of the Adobe Acrobat/Reader sandbox to system-level access.

The exploit chain is a masterpiece of offensive hacking, but it would never as dangerous as it could have been because of an operational mistake its creators made by uploading it to a known virus scanning engine in the hopes of testing its detection level.

Cherepanov spotted two suspicious PDF samples [1, 2] at the end of March. Both zero-days are now patched. Microsoft patched CVE-2018-8120 last week, in the May 2018 Patch Tuesday, and Adobe patched CVE-2018-4990 yesterday in APSB18-09.