There are new articles available, click to refresh the page.
Before yesterdayPlace where polar bears dwell

Using filepickers to escape sandboxes


edit: this would have worked with literally any sandbox inΒ  windows having filepicker functionalityΒ through a broker, not just adobe.Β 

Edit2: that special junction didnt need to be placed on a network share, but also worked locally.

Because I am feeling depressed as fuck, I decided to do another write-up about an un-patched bug (feeling sorry for myself and being sad gets boring after a while).

I really did not get anything for this bug, and I know I'm probably forfeiting an acknowledgement too right now. But I wasted alot of time on this bug, and nobody but me should be able to decide what to do with it. People who criticize this type of behavior I find frankly annoying. I used to be one of those self-righteous types, but I'm also pretty annoying, so perhaps there is a correlation.

Adobe Reader

After finding this lame bug (CVE-2018-4872 ):Β https://sandboxescaper.blogspot.com/2018/01/adobe-reader-escape-or-how-to-steal.html I started thinking about other ways I could escape the sandbox.

To be honest, the Adobe Reader sandbox is pretty tough. Microsoft's sandboxes are way easier, because you get access to a ton of COM, RPC stuff and things like that.

Things I could do on the filesystem were really limited, and I like my filesystem trickery.
Ofcourse, being out of inspiration, and because I'm dumb as hell and can't come up with anything creative myself I went looking at Forshaw's work.

I saw that he did some work using network shares.

Instead of feeding a local filepath into a broker function (broker functions run outside the sandbox) we can use a filepath on an anonymous network share. This basically gives us an adhoc filesystem where we can use junctions and all the fun stuff that we by default do not have access to in the reader sandbox. My thought process was that I could probably use some symlinks or junctions to trick a broker function and bypass a check somewhere.

I tried a bunch of things, and while I got alot of interesting results, I did not get my lucky break.

Again, because I'm stupid, I decided to steal a trick from vault7 (https://wikileaks.org/ciav7p1/cms/page_13763489.html).

If you create a folder with the name:Β f.{0AFACED1-E828-11D1-9187-B532F1E9575D}
and then put a .lnk file in it, it basically becomes a really funny junction that confuses the hell out of code.

The bug

I'm going to explain the full attack chain.

First we create a folder called f.{0AFACED1-E828-11D1-9187-B532F1E9575D} and we put it on an anonymous network share (this can totally be a network share on the internet that is attacker controlled, not just intranet). Inside the folder we put a .lnk file with the following target:

C:\Users\%username%\AppData\Roaming\Adobe\Acrobat\DC\a.htm (use %username% and not the actual username).

It will look like this on our remote network share:

Now from within the Adobe Reader sandbox we call the broker functionality to open a filepicker window and set the folder on our remote share as root (i.e \\\s\b\f.{0AFACED1-E828-11D1-9187-B532F1E9575D} )

This will redirect the filepicker window to a local .htm page on the victim's pc which we dropped in a sandbox write-able location , and for some reason it will render it. It will render it at medium and we even can get some activex objects working without prompts (which should not happen because we are rendering in the local machine zone, which should be locked down! But we are rendering html in a filepicker window.. so I guess I should not be surprised).

This will work with any filepicker window, since they are managed by windows code, here is a filepicker window opened in chrome using this trick:

Now we can run activex in a filepicker window, but how do we exploit it?
You can complete this attack chain in multiple ways.Β 
Since the code rendering the html page is basically a castrated version of IE11, we can just complete the chain with an IE bug and gain medium RCE.
But because memory corruption bugs make me sleepy I wanted a logic bug!

We can use the system monitor activex object to write an .hta file to startup!

Here is the full chain exploiting this bug in Adobe Reader (I made sure to hide the filepicker window, because I was still innocent back then and thought it could be useful for attackers when I made it.. but hey, this proves that even if your poc spawns windows and stuff, its not hard to hide them because code runs fast as hell, the only issue this might have had was latency.. but you could have tested for that prior to running the escape.. but still, its way to complicated.. there is better ways to escape sandboxes, even with logic bugs):

Here is the activex object code:

<OBJECT ID="target" WIDTH="1" HEIGHT="1"

target.DataSourceType =2;Β 
logfiles = target.LogFiles;
Counters = target.Counters;
Counters.Add('\\\\<IMG SRC=\'javascript:WshShell=new ActiveXObject(&quot;WScript.Shell&quot;);WshShell.Run(&quot;notepad.exe&quot);\'>\\LogicalDisk(*)\\*');
target.Relog("C:\\Users\\test\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ByeSandbox.hta",5,1);

So we have a logfile (ew.csv) on our remote network share.
You can generate a log file like this, I forgot how, but I'm sure you can figure it out... but it needs to be in a specific format to be able to be used by the system monitor activex object.

Eitherway, in the csv file we replace all references to our computer name with javascript.

In this line:

Counters.Add('\\\\<IMG SRC=\'javascript:WshShell=new ActiveXObject(&quot;WScript.Shell&quot;);WshShell.Run(&quot;notepad.exe&quot);\'>\\LogicalDisk(*)\\*');

Normally where you would have the computer name, we now also have javascript (this has to be the same as in the csv file).

When we do target.Relog we can write a file with working javascript to any folder outside the sandbox, including start-up. This will result in an .hta file with working javascript code inside (since we have partial control over the contents of the file write).Β 

Meaning its game over and I now have access to your p*rn collection. 😱


I have learned alot from this bug. This bug was not useful for attackers because of its complexity. I should have known when I started entertaining the idea of remote network shares, that it would add to much complexity and stopped right there. The take away: When bughunting, you need to know when to limit your scope.
On the other hand, don't let it stop you from doing crazy stuff.Β 
Everyone is just fuzzing or looking at memcpy functions, and while alot of that stuff is really impressive, I doubt it compares to the fun I had constructing this chain ;).

I do think filepickers are an interesting attack surface, because nearly all sandboxes have broker functionality to open them. If its not done through a broker you wouldn't be able to save files outside the sandbox. Its just not something people really think about when considering a sandbox attack surface.

While I did not get anything from this bug, and I doubt people even give a damn, I hope there is some poor soul out there that might get inspired to get into logic bugs.Β 
I'm not really good at this stuff, but perhaps someone else might actually be useful to this industry and do meaningful stuff.

When the days of memory corruption bugs are counted, logic bugs will rule.Β 

How to backpack in cold and miserable places

1 September 2021 at 03:57


I switched from maps to gps devices fairly quickly.Β 

When I started to hike, I once got stuck on a ridge in Scotland for 3 days because of dense fog and not being able to use maps to navigate as there was no visible trail or visibility to see landmarks.

Ever since then I relied mostly on GPS devices.

During my six week hike in the Arctic I relied on a system of having a solar charger, a battery pack, a satellite phone and gps device.

This was easy in the Arctic as in spring and summer it is almost always light and the sun never sets.

This allowed me to charge my devices while sleeping.

My plan was that if there was any point of failure, my solar charger or gps device, I would fall back on using the gps functionality on my phone and make my way to safety. However, it would have probably been wise to atleast carry some maps and a compass.Β 

I opted for this as that particular hike in the Arctic stretched 700km, and having detailed maps of that entire stretch would have meant a lot of extra weight and space.

In the Arctic I used the garmin explorer plus (Satellite device + gps). And a solar charger from Goal Zero (I have found these to be very good)

Anyway.. I am pretty sure a lot of more hardcore folks would scold my over reliance on technology.. but it works for me and as long as one point of failure doesn't knock out my ability to navigate it is worth the risk for me.


A good 4 season tent is a must. I have two 4 season tents from Hilleberg. The Akto and Nammatj 2. The Nammatj 2 came to good use hiking off-season (fall and winter) in Scotland. With wind speeds of sometimes over 100 km/h in exposed terrain.Β 

I would also carry a sewing kit with repair rope used for repairing sails (which is pretty strong!). Heavy duty stakes and extra guy line rope if there's a possibility of severe weather.

Having reliable shelter is very important when you're not hiking in Summer, or when hiking in extreme environments.Β 

Food and Stove

For long hikes, I love freeze dried food.Β 
To cover a 3 week stretch in the Artic, I carried these:


These are great weight and calorie wise.
In addition I would strongly recommend vitamin C supplements.. to avoid scurvy.

As stove I used this one:


It's a dual purpose stove that can both burn gas and liquid fuel.
Liquid fuel is important in cold weather, as gas does not burn properly below freezing.


Flowing water in cold and miserable places is usually perfectly fine to drink. Especially when it comes directly from snow melt. The only thing that makes you sick is either dead animals or animal poop.. this is usually only a problem at low altitudes or stagnant water such as lakes. I've rarely used a water filter on any of my hikes and I'm still alive. Water with soil particles in it is usually not dangerous and safe to drink even though it may not look completely clean.. as long as it's flowing water. Soil/dirt doesn't make you sick. Just animals.

Sleeping bag / mat

I have several sleeping bags. For winter I have one that can easily withstand -25c temperatures.
In summer I usually use a down quilt. As those pack smaller then normal sleeping bags.
In below freezing conditions, make sure to bring a 4-season sleeping mat. You need enough insulation from the ground.. it is very uncomfortable otherwise.
It's important to anticipate for the correct temperatures. Especially in cold weather.

River Crossings

From personal experience, this has always been my biggest issue. Be extra careful when crossing rivers. They can be extremely easy to underestimate. It all depends on the current and how deep you have to go. Sometimes I can go waist deep if the current isn't too bad. And sometimes I struggle if the water is just to my knees. One time in Scotland, I screwed up and was grabbed by the current.. my backpack kept me afloat.. but it was a terrifying experience. Especially being alone out there in the middle of nowhere. Slowly test the water, and if in any doubt, withdraw.Β 
Sometimes it's better to wait until morning to cross a river, as there will have been less snow melt.Β 

Avalanches and snowy terrain

Never cross a glacier alone, especially not without technical gear. In winter, when there is a lot of fresh snow, you also need to be wary of possible avalanches. Avoid camping in gullies or near steep slopes. I recommend doing a lot of reading to learn about avalanches if you're headed into avalanche prone terrain. Crossing snow fields, from personal experiences, is usually fine.. just keep in mind that even in snow fields, especially near slopes, crevasses can form (albeit usually not very deep). Go slow, take the safest route and observe the terrain for irregularities. A lot of this comes from experiences.. but sadly you do not have a lot of chances to screw up and learn from mistakes either.


I can tell you from experience it's nearly impossible to hike on top of a ridge with 100 km/h winds. Keep an eye out for the weather forecast. Make sure to check to forecast for the relevant altitude. Sea level winds and mountain winds can differ day and night. In case of doubt, make camp on a sheltered slope and wait it out or descent down the mountain.

Gear ListΒ 

This is a short list that I made, which gives some general guidelines while packing. Ofcourse it varies wildly on where you're going. I always use waterproof storage bags to compartmentalize my gear inside my backpack. It keeps everything sorted and dry.

Main equipment
Waterproof storage bags (sea to summit or whatever)
Backpack + rain cover (I prefer 100L backpack, so nothing is hanging outside if rainy)
Sleeping mat
Sleeping bag
Sat phone
Bear spray + bear sack for food storage
Basic first aid (usually I only bring blister packs. They can also be used to cover up wounds, anything more severe usually requires evac anyway)
Solar charger and/or battery pack
Repair kit and some cord
Walking poles
Glacier glasses / Snow goggles (depending on conditions)
Cooking and stuff
Stove + stove fuel + windshield for stove
Cooking pot
Sugary stuff to turn water into sports drink
Freeze dried food! (or whatever)
Water bottle and water bag for storing clean water when camping
Water filter (probably not needed, but never know)
Hiking boots
1 softshell pant
1 hardshell pant (for rain)
2 base layer shirts
1 mid layer fleece
1 insulation layer (i.e down jacket)
1 rain jacket
Something to keep head warm (balaclava in very cold and windy weather)
thin gloves (if gets chilly/windy)
big gloves (if very cold weather to pull over liner gloves)
Snow/Mud Gaithers
Other stuff
Camera to be famous on twitter
Tooth paste, tooth brush and a brick of soap used to wash clothes
Toilet Paper

Arctic adventure photos!

These are mostly picture of the first part of my 700km trek in the arctic. There was a lot of snow! During the second part of my trek the heatwave that was tormenting the rest of Europe finally hit and most of the snow melted. For the first part I had to traverse nearly 400km without options to resupply, so I had to carry a loooot of food! Towards the end I was hiking on 1000 calories a day, which was really hard, walking in snow all day is exhausting and it was hard making distance in this type of terrain. I did not meet any other hikers during the first part. It was one of the wildest things I have done in my life. I miss it a lot right now.

  • There are no more articles