Posted on Friday, November 7th, 2008

PDF Exploit - In the wild, and how to decode

by Jose Nazario

Today’s big vulnerability issue is the Adobe Reader and Acrobat Multiple Code Execution Vulnerabilities advisory (aka CVE-2008-2992, Adobe bulletin APSB08-19). In short, a PDF file can carry JavaScript, and a crafted format string passed to the util.printf() function overflows a stack buffer, which lets the attacker execute arbitrary code. Exploit code is public, and a malicious PDF file is already on the loose pushing malcode:

MD5: 23f31c83ee658bb5c2635befde56199a
SHA1: 59c6f7c2deb08e361b041d6ea9ebeca4dfde6091
File type: PDF document
File size: 11209 bytes

The JavaScript in this case looks like a typical heap spray: fill the heap with many copies of the shellcode, then trigger the overflow in the vulnerable method so that control lands somewhere in the sprayed heap and runs the code of the attacker’s choosing. This one tries to contact a PHP script on a web server at adxdnet.net and ultimately drops an EXE on the box. Distribution appears to be by drive-by download.

I had a look at the malicious PDF file using the techniques from an existing write-up on using pdftk to analyze malicious PDF files. The pdftk toolkit is very handy and well worth the investment in learning (it is free software). The procedure is as follows:

  • Extract the interesting bits using pdftk:
    $ pdftk input.pdf output output.pdf uncompress

    This inflates the compressed object streams, so the JavaScript appears as plain text in output.pdf.

  • Cut and paste the JavaScript-specific region into a file and analyze it with SpiderMonkey (the standalone js shell), which decodes the obfuscation for you.
  • Analyze the decoded exploit; note that the output is still not unescaped, so unescaping the payload is a separate step.

With that you can start to figure out what happens next.
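The same three steps carried out in Python, as an added example that is not part of the original post and does not use the author’s pdftk/SpiderMonkey workflow: it inflates the FlateDecode streams (the `uncompress` step), pulls out the JavaScript attached to a `/S /JavaScript` action, and then unescapes the `%uXXXX` strings into the raw bytes the heap spray puts in memory. The PDF and the JavaScript it contains are constructed here for the example and are not the in-the-wild file; the object layout is a minimal assumption of how such a document is built.

```python
import re
import zlib

# Constructed sample JavaScript in the shape the post describes: %u-escaped
# strings feeding a heap spray, then a util.printf() call. Not the real payload.
SAMPLE_JS = (
    'var shellcode = unescape("%u9090%u9090%uE8CC");\n'
    'var nop = unescape("%u0c0c%u0c0c");\n'
    'while (nop.length < 0x1000) nop += nop;\n'
    'var heap = new Array();\n'
    'for (var i = 0; i < 200; i++) heap[i] = nop + shellcode;\n'
    'util.printf("%d", 1);\n'
)

# Calls worth flagging during triage; util.printf is the method at issue here.
SUSPICIOUS = ("util.printf", "unescape", "eval", "String.fromCharCode")
ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
UNESCAPE_CALL_RE = re.compile(r'unescape\("([^"]*)"\)')


def build_sample_pdf(js):
    """Assemble a minimal PDF whose /OpenAction runs FlateDecode-compressed JavaScript."""
    data = zlib.compress(js.encode("latin-1"))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(data), data),
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def parse_objects(pdf):
    """Map object number -> (dictionary, stream data or None).
    Streams are sliced by /Length and inflated when /FlateDecode is set, which is
    what `pdftk ... uncompress` does for the whole file. Kept small on purpose:
    nested dictionaries, indirect /Length values and other filters are not handled."""
    objects = {}
    for m in re.finditer(rb"(\d+) 0 obj\s*<<(.*?)>>\s*", pdf, re.S):
        num, dictionary = int(m.group(1)), m.group(2)
        stream = None
        if pdf.startswith(b"stream", m.end()):
            length = int(re.search(rb"/Length\s+(\d+)", dictionary).group(1))
            start = pdf.index(b"\n", m.end()) + 1   # first byte after the "stream" EOL
            stream = pdf[start:start + length]
            if b"/FlateDecode" in dictionary:
                stream = zlib.decompress(stream)
        objects[num] = (dictionary, stream)
    return objects


def extract_javascript(objects):
    """Source of every /S /JavaScript action, following /JS whether it is an
    inline literal string or a reference to a (now inflated) stream object."""
    scripts = []
    for dictionary, _ in objects.values():
        if b"/JavaScript" not in dictionary:
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+0\s+R", dictionary)
        if ref:
            scripts.append(objects[int(ref.group(1))][1].decode("latin-1"))
            continue
        literal = re.search(rb"/JS\s*\(((?:\\.|[^\\)])*)\)", dictionary, re.S)
        if literal:
            scripts.append(literal.group(1).decode("latin-1"))
    return scripts


def js_unescape(s):
    """Port of JavaScript's unescape(): %uXXXX is one UTF-16 code unit, %XX is code unit 0x00XX."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def shellcode_bytes(escaped):
    """Bytes as the string sits in memory: UTF-16LE code units, so %u9090 -> 90 90
    and %uE8CC -> CC E8, the byte order the heap spray relies on."""
    return js_unescape(escaped).encode("utf-16-le", errors="surrogatepass")


def decoded_payloads(js):
    """(escaped literal, raw bytes) for every unescape("...") call in the script."""
    return [(lit, shellcode_bytes(lit)) for lit in UNESCAPE_CALL_RE.findall(js)]


def suspicious_calls(js):
    """Names from SUSPICIOUS that appear in the script."""
    return [name for name in SUSPICIOUS if name in js]


if __name__ == "__main__":
    objects = parse_objects(build_sample_pdf(SAMPLE_JS))
    for js in extract_javascript(objects):
        print("--- JavaScript ---")
        print(js)
        print("suspicious calls:", suspicious_calls(js))
        for literal, raw in decoded_payloads(js):
            print(f"unescape({literal!r}) -> {raw.hex()}")
```

The unescape step is the one that matters for the last bullet above: SpiderMonkey will happily decode string concatenation and arithmetic obfuscation, but the `%u` sequences only become shellcode once you lay them out as 16-bit little-endian units, which is why `%uE8CC` turns into the bytes `CC E8` and not `E8 CC`.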

As documents become significantly more “smart”, their risks go through the roof. Have a look at How to Use Adobe Reader 7 With JavaScript Disabled from Adobe; if you run a large installation with Acrobat as the PDF reader of choice, you should definitely look at disabling JavaScript in it to block this class of exploit. You should also most definitely update to the latest patched version. We keep seeing Acrobat get hosed with JavaScript exploits, and this won’t be the last time.

6 Responses



Comment Post by: Juha-Matti Laurio — November 8th, 2008 @ 12:22 am EST

The post was pointing to the different Acrobat issue, i.e. CVE-2008-4814 (but to the Adobe bulletin APSB08-19) first. Thanks for fixing the information and pointing to CVE-2008-2992. The exploit code of this specific issue -2992 has been released at Milw0rm etc. earlier this week.

Comment Post by: Jose Nazario — November 8th, 2008 @ 2:56 pm EST

Yeah, I misread the Adobe bulletin and assumed the wrong CVE ID. Someone else out there had a reference to it, so I had to update the writeup. :) Wanted to make sure I got it right for posterity’s sake.

Comment Post by: J. Warren — November 10th, 2008 @ 9:55 am EST

If one was thinking of replacing the Adobe Reader with Foxit, -now- would be the time…

Adobe Reader v9… 33.5MB
- http://www.adobe.com/go/getreader
-OR-
- http://www.foxitsoftware.com/downloads/
Latest version: Foxit Reader 2.3 (.exe) 2.3 Build 3309 - 2.57 MB - 10/14/08

Comment Post by: Juha-Matti Laurio — November 10th, 2008 @ 4:43 pm EST

Fine that the post had the update during the weekend time. Yes, SANS ISC published this id -2992 mentioned at their Diary entry.

Comment Post by: Andrew Hay » Blog Archive » links for 2008-11-10 — November 10th, 2008 @ 5:02 pm EST

[...] PDF Exploit - In the wild, and how to decode | Security to the Core | Arbor Networks Security (tags: pdf exploit) [...]

Comment Post by: Didier Stevens — November 10th, 2008 @ 6:59 pm EST

I analyzed 2 malicious PDF files (data.pdf and info.pdf). My info.pdf has the same MD5 hash as the file you analyzed. data.pdf is an older version, I uncovered this via incremental updates and metadata found in data.pdf. Details here:
http://blog.didierstevens.com/2008/11/10/shoulder-surfing-a-malicious-pdf-author/
