Adobe Reader vulnerability exploited in the wild
One of our readers, Wayne Dilly, sent couple of malicious PDF documents to us. Wayne noticed that some machines got infected and wondered if the PDF documents exploited the vulnerability patched by Adobe couple of days ago (CVE-2008-2992 - see http://isc.sans.org/diary.html?storyid=5282).
Unfortunately, Wayne was right – these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, though, as a fully working PoC has been recently published as well, but it's interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection.
And indeed – at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad.
The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.
Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts. For example, the PoC defines a long number variable (referenced to the advisory by CORE), as shown below:
var num = 129999999999999999…. [a lot of numbers]
util.printf("%45000f",num);
However, the exploit code in the wild has the following loops:
var nm = 12;
for(i = 0; i < 18; i++){ nm = nm + "9"; }
for(i = 0; i < 276; i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);
See how they manage to do exactly the same thing? Unfortunately, this was probably enough to fool the AV vendors.
In any case, if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild.
--
Bojan
Web App Penetration Testing and Ethical Hacking | Amsterdam | Mar 31st - Apr 5th 2025 |
Comments
Thanks.
Ray
Nov 7th 2008
1 decade ago
Didier Stevens
Nov 9th 2008
1 decade ago