xorl %eax, %eax

Adobe Vulnerability on milw0rm


I just had a look at that one and I think it might be exploit code for the vulnerability recently disclosed by iDefense, or a similar one in FlateDecode. After you uudecode the file and open hereEvil.pdf, you'll see a pattern similar to the following:

9 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [ 0.11133 -0.32275 0.22169 -1.01367 ]
/Resources << /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
>>
/Length 263
/Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
stream
        ...
endstream
endobj
        ...
     Multiple similar streams
        ...
37 0 obj
<< /S /JavaScript /JS 34 0 R >>
endobj
        ...
startxref
45180
%%EOF

In case you wonder what that hexadecimal /Filter is: PDF names may encode any character as a #xx hex escape, so converting each pair to ASCII gives a plain FlateDecode (an obfuscation that trips naive string matching on /Filter /FlateDecode). Now skip the two images and the text that is normally contained (and displayed) in the file and have a quick look at the Names array.

40 0 obj
<< /Names [ (6f2688a5fce7d48c8d19762b88c32c3b) 37 0 R (8ec7ff1ac324a4bed44cc51d362e5b94) 38 0 R (3acb2a202ae4bea8840224e6fce16fd0) 39 0 R ] >>
endobj
7 0 obj
<< /JavaScript 40 0 R >>
endobj

Those names are MD5 hashes of small integers, which resolve to:

6f2688a5fce7d48c8d19762b88c32c3b = 1944
8ec7ff1ac324a4bed44cc51d362e5b94 = 15345
3acb2a202ae4bea8840224e6fce16fd0 = 9174

Objects 37 0, 38 0 and 39 0 are JavaScript actions whose /JS entries reference three FlateDecode streams (objects 34, 35 and 36), like this:

37 0 obj
<< /S /JavaScript /JS 34 0 R >>
endobj
38 0 obj
<< /S /JavaScript /JS 35 0 R >>
endobj
39 0 obj
<< /S /JavaScript /JS 36 0 R >>
endobj

I haven't converted/decoded those streams to describe them further. Also, according to the document's Info entries, it was created with Scribus PDF Library 1.3.3.13 and last modified on 11 July 2009. If anyone has messed around with those FlateDecode streams, I'd be really happy to hear what interesting things they contain. :)
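To make the three observations above reproducible (the #xx-escaped /Filter name, the MD5 names in the /Names array, and the /JavaScript actions pointing at Flate-compressed streams), here is a small added example, not code from the original post or from the milw0rm file. It builds its own constructed PDF fragment laid out like the objects quoted above, with a harmless placeholder script instead of the real payload, and then: expands the hex escapes in the filter name, inflates FlateDecode streams, maps each /JavaScript action to the stream its /JS entry references, and brute-forces the MD5 names against short decimal strings. The candidate range for the brute force is my assumption; the script prints whatever matches rather than asserting the values reported above.

```python
import hashlib
import re
import zlib

# Constructed sample (not the milw0rm file): a minimal PDF fragment laid out
# like the objects quoted in the post. Object 34 is a Flate-compressed stream
# whose /Filter name is hex-escaped, object 37 is the /JavaScript action that
# points at it, and object 40 is the /Names array with an MD5-looking name.
SAMPLE_JS = b"app.alert('constructed sample, not the real payload');"


def build_sample_pdf() -> bytes:
    data = zlib.compress(SAMPLE_JS)
    return (
        b"%PDF-1.4\n"
        b"7 0 obj\n<< /JavaScript 40 0 R >>\nendobj\n"
        b"34 0 obj\n<< /Length " + str(len(data)).encode()
        + b" /Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>\nstream\n"
        + data + b"\nendstream\nendobj\n"
        b"37 0 obj\n<< /S /JavaScript /JS 34 0 R >>\nendobj\n"
        b"40 0 obj\n<< /Names [ (6f2688a5fce7d48c8d19762b88c32c3b) 37 0 R ] >>\nendobj\n"
        b"%%EOF\n"
    )


NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# "N G obj ... stream\n": the dictionary may contain nested << >>, so we take
# everything between "obj" and the stream keyword instead of matching braces.
STREAM_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b((?:(?!endobj).)*?)\bstream\r?\n", re.DOTALL)
LENGTH = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only
FILTER_NAMES = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[^\s/\[\]<>(){}]+)")
NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}]+)")
JS_ACTION = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<[^>]*?/S\s*/JavaScript[^>]*?/JS\s+(\d+)\s+\d+\s+R")
NAMES_MD5 = re.compile(rb"\(([0-9a-fA-F]{32})\)\s+(\d+)\s+\d+\s+R")


def decode_pdf_name(token: bytes) -> bytes:
    """Expand #xx escapes in a PDF name, e.g. #46#6c#61... -> FlateDecode."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def extract_streams(pdf: bytes) -> list:
    """Return every stream object with its (de-escaped) filters and inflated body."""
    found, pos = [], 0
    while True:
        m = STREAM_OBJ.search(pdf, pos)
        if not m:
            return found
        num, gen, dictionary = int(m.group(1)), int(m.group(2)), m.group(3)
        length = LENGTH.search(dictionary)
        if not length:
            pos = m.end()  # indirect /Length needs xref resolution; skipped here
            continue
        start = m.end()
        raw = pdf[start:start + int(length.group(1))]
        pos = start + len(raw)  # do not scan inside the stream body
        filters = []
        fm = FILTER_NAMES.search(dictionary)
        if fm:
            filters = [decode_pdf_name(t) for t in NAME_TOKEN.findall(fm.group(1))]
        decoded = raw
        if b"FlateDecode" in filters:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                decoded = None  # truncated or corrupt stream; keep raw for manual work
        found.append({"obj": num, "gen": gen, "filters": filters, "raw": raw, "decoded": decoded})


def javascript_targets(pdf: bytes) -> dict:
    """Map each /JavaScript action object number to the object its /JS references."""
    return {int(a): int(s) for a, s in JS_ACTION.findall(pdf)}


def md5_names(pdf: bytes) -> dict:
    """Map 32-hex-digit names in a /Names array to the objects they point at."""
    return {h.decode(): int(o) for h, o in NAMES_MD5.findall(pdf)}


def resolve_md5_names(hexdigests, candidates) -> dict:
    """Brute-force MD5 hex digests against an iterable of candidate strings."""
    wanted = {h.lower() for h in hexdigests}
    found = {}
    for c in candidates:
        d = hashlib.md5(c.encode()).hexdigest()
        if d in wanted and d not in found:
            found[d] = c
            if len(found) == len(wanted):
                break
    return found


if __name__ == "__main__":
    pdf = build_sample_pdf()
    by_obj = {s["obj"]: s for s in extract_streams(pdf)}
    for action, target in javascript_targets(pdf).items():
        s = by_obj[target]
        print(f"action {action} -> stream {target}, filters={s['filters']}")
        print(s["decoded"].decode(errors="replace"))
    # Candidate range is an assumption; the post reports 1944, 15345 and 9174.
    print(resolve_md5_names(md5_names(pdf), (str(i) for i in range(1, 100000))))
```

Running it against a real file means reading the bytes from disk instead of build_sample_pdf(); the indirect-/Length and non-Flate filter cases are deliberately left unhandled so the parser stays readable, which is exactly the sort of gap a real tool such as pdf-parser.py covers.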

Written by xorl

July 23, 2009 at 16:33

6 Responses


  1. yo man, you got the wrong pdf… it's an old exploit, not the recent one.
    peace

    dogfood

    July 23, 2009 at 22:04

  2. Yeah, there is no reference to Flash in there, just the encoded JavaScript in the FlateDecode blocks. Modded Didier Stevens' pdf-parser.py to use the hex version of FlateDecode in the /Filter area to extract the scripts.

    pARODY

    July 24, 2009 at 10:22

  3. Hey dogfood and pARODY, of course it has nothing to do with Flash; the advisory I commented on, which might be a relevant one, is about Adobe Acrobat, not Flash.

    xorl

    July 24, 2009 at 12:08

  4. Hi,
    the bug has nothing to do with Flash, right, but actually the evil site serving this PDF uses Flash to spray the heap and inject the shellcode.

    k`sOSe

    July 24, 2009 at 15:02

  5. I only noted that due to the comment in the actual exploit, /Str0ke saying it's the Flash one.

    pARODY

    July 25, 2009 at 09:59

  6. Hi,

    the pdf is exploiting the getIcon() vulnerability disclosed some time ago: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927

    (o)telo

    July 29, 2009 at 13:41

