D1-SIGINT - Mahmud AB Rahman - LibTAPAU

8/7/2019 D1-SIGINT - Mahmud AB Rahman - LibTAPAU

1/47

Securing Our CyberspaceCopyright 2009 CyberSecurity Malaysia

Ministry of Science,

Technology & Innovation

Crowne Plaza|| KL || .MY || 2010-10-13

MAHMUD AB RAHMAN

(MyCERT, CyberSecurity Malaysia)

LibTAPAU:The Danger of LibTIFF +

Adobe PDF


2/47

Copyright 2009 CyberSecurity Malaysia 2

Securing Our Cyberspace



MYSELF

Mahmud Ab Rahman MyCERT, CyberSecurity Malaysia Lebahnet(honeynet), Botnet, Malware


3/47





Agenda

Intro PDF + LibTIFF Attacks Analyzing malicious PDF + LibTIFF Issues Reducing/Mitigation The Problem? Outro/Conclusion


4/47




INTRO

1)Intro

2)PDF attacks

3)Analyzing

4)Issues

5)Mitigation

6)Conclusion


5/47





INTRO : PDF 101

PDF: Portable Destructive File : ) Portable Document Format Open Standard (2008) by Adobe (previously

proprietary)

Mainly for independent format instead of*.doc, .odp, *.xls, *.ppt, *.etc, *.etc

PDF Reader Applications (Adobe Reader, FoxitReader, SumatraPDF,etc,etc)


6/47





INTRO : PDF Format

Has its own language Normally just ASCII characters.(/Filters /

application elements are using binary data(stream)

ASCII Readable (any text editors will do) Start with header (%PDF-[version]) End with eof element (%%EOF)


7/47





INTRO : PDF Format (diagram)

%PDF-1.1

1 0 obj

>

endobj.

5 0 obj>

stream

BT/F1 24 Tf

100 700 Td(Hello w00t!)Tj

ET

endstreamendobj

xref

0 80000000000 65535 f

0000000012 00000 n0000000089 00000 n

trailer

>

startxref

642

%%EOF

PDF Start (version)PDF Object (obj endobj)

-stream element containsdata ( hello w00t!). End

with endstream-Normally needs to decode

the data inside streamelement-JavaScript object starts

with /JS-Main subject to be abuse

Cross Reference

Trailer

End of File


8/47





INTRO : PDF Format

view inside PDF readers


9/47





INTRO : TIFF 101

Tagged Image File Format (abbreviated TIFF) file format for storing images it is under the control of Adobe Systems (2009) widely supported by image-manipulation

application


10/47





INTRO : TIFF 101


11/47





INTRO : Why attacking PDF + LibTIFF?

Just another attacking vector Widely used (popular)

o Wider target Main player application have bugs

o Again, wider targeto Generate more interest (more bugs after the 1st

one (almost 3 years now))

The emerge of client-side attack (PDF plugin onweb browser- create more ways to target)


12/47




PDF ATTACKS

1)Intro

2)PDF attacks

3)Analyzing

4)Issues

5)Mitigation

6)Conclusion


13/47





PDF Attacks: How it works

1

Crafting malicious pdf

3

User open the file withvulnerable pdf reader

2 Forward the pdf file by any means [spam, weblink,webupload,usb,p2p share..etc..etc]

Bug triggered, payload executed

4


14/47





PDF Attacks: How it works

1

Crafting malicious pdf

3

User open the file withvulnerable pdf reader

2 Forward the pdf file by any means [spam, weblink,webupload,usb,p2p share..etc..etc]

Bug triggered, payload executed

4


15/47





LibTIFF Attacks: Recent Bugs

LibTIFFs bugso CVE: 2005-1544o CVE-2006-3459o CVE: 2009-2285 - LZWDecodeCompat()o CVE-2010-0188 Exploitable within PDFo CVE-2010-2067 Stack Overflow


16/47





Villys Python Script Metasploits Module Made-in-China 0day Builder :p

LibTIFF Attacks: Get Your Gun Loaded


17/47







18/47







19/47







20/47





PDF Attacks: DEMO

Breaking the PDF readers


21/47




Analyzing Malicious PDF + TIFF File

1)Intro

2)PDF attacks

3)Analyzing

4)Issues

5)Mitigation

6)Conclusion


22/47






Malicious PDF


23/47






ASCII based characterso Any text editors will do

Some inflators/encoders have been used for datastream

o Analysis becomes more complicatedo Can be deflated/decoded using proper library/

techniques to reveal normal ascii data

Understanding on how PDF language syntax is amust (e.g : object references, JavaScript call,etc,etc)


24/47






Public Tools


25/47






Public Tools


26/47






Public Tools


27/47






Introducing MyCERT PDF LibTIFF Sploit Analyzero Basic parse for PDF

-For complete PDF Parse (gallus)o Tracing for TIFF Imageo Dumping the image fileo Checking for The Shellcode


28/47







29/47






Hey, thats NOT the sample u used for the previous screenshot, l0ser


30/47







31/47





Analyzing Malicious PDF + TIFF File: DEMO

Analyzing Malicious PDF File


32/47





Analyzing Malicious PDF File: DEMO

Identify the malicious file Extract information Analyze shellcode


33/47




Issues with Malicious PDF file

1)Intro

2)PDF attacks

3)Analyzing

4)Issues

5)Mitigation

6)Conclusion


34/47






Challenges:oJavaScript obfuscated

-Same problem with browser due to JavaScript-Annoying[ var=unescape() == var = un+escape(); == var a=un; varb=escape(); var c=a+b ]

-arguments.callee(), getPageNumber(), getAnnotte()-Anything JS can do, will fits here


35/47






Nice JS eh?


36/47






Challenges:o PDF Syntax Coolness

oThis.Title.Info // This.Author.Names // This.What.Evero Difficult for the analyzer to follow the objects reference.o Default JS emulator is not up for this yet

oEncoding/ Compressoro Many of them (FlateDecode/ASCIIHexDecode/JBIG2Decode/

ASCII85Decode/DCTDecode etc..etc)

o Concatenate Filters (/Filter /FlateDecode /ASCIIHexDecode)o Abbreviation Filter (/Filter [/Fl /AHx] ) == (Filter /

FlateDecode /ASCIIHexDecode)


37/47






Challenges:o Parser Problem

oGreping [objendobj] or [stream..endstream] ?oGreping [EOF] ?oReference loop

o This.Info.Name -> This.Author.Name-> This.Info.Nameo 1 obj 0 /JS 7 0 R -> 7 obj 0 /JS 8 0 R -> 8 obj 0 /JS 10 R

o Embedded malicious PDF inside PDF file.-Manual extracting for the embedded file is difficult.

oPDF file analyzer is not PDF reader-Analyzer needs to understand PDF structure-Analyzer needs to interpret PDF language-Eventually it will become PDF reader by itself : )


38/47





Issues with Malicious PDF + TIFF file

on the fly malicious PDF generatoro Difficult to analyze/ be detected by analysis toolso Have to manually request/download the malicious

pdf file (probably its too late when your browserhave PDF reader plugins)


39/47





Issues with Malicious PDF file

JavaScript obfuscating, period :)o Well, javascript fingerprinting is nothing new : )

oJS checking if ur running inside on the targetedapplication is common.

oApp.version() lack of fully functional pdf analyzers as how PDF

reader works

o Will always be a cat and mouse game


40/47




Mitigation against Malicious PDF file

1)Intro

2)PDF attacks

3)Analyzing

4)Issues

5)Mitigation

6)Conclusion


41/47





Mitigation


42/47





Mitigation

Update/patch your PDF reader->eliminated bug,you're save

o Not quite true when dealing with 0day Analyze/scan PDF file before opening it Only open PDF attachment from trusted people, atleast with pgp signing :)

o Sign the PDF file?. :).paranoid Disable JavaScript- minimize the risk of reliable

exploitationo Some bugs dont require JavaScript (still will 0Wn1ng

as usual). LIBTIFF..:-)


43/47




Conclusion

1)Intro

2)PDF attacks

3)Analyzing

4)Issues

5)Mitigation

6)Conclusion


44/47





Conclusion

Awareness on threats against PDF reader stillneeds more works

Analysis on malicious PDF is possible bycombining multiple tools (editor,decoder,js

emulator, shellocde analyzer) A better PDF analyzer is urgently needed


45/47





Conclusion

The complexity of PDF reader will introducemore bugs and vulnerabilities With JavaScript support, exploitation will be more

reliable (why we still need JavaScript inside PDF

file? ) With JavaScript support, more obfuscated

techniques can be implemented


46/47




Q&A


47/47




THANKS

Email: [email protected]

Web: http://www.cybersecurity.myWeb: http://www.mycert.org.my

Web: www.honeynet.org.myBlog: blog.honeynet.org.my

Web: www.cybersafe.myReport Incident: [email protected]

D1-SIGINT - Mahmud AB Rahman - LibTAPAU

Documents

Transcript of D1-SIGINT - Mahmud AB Rahman - LibTAPAU