Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Adobe Reader vulnerability exploited in the wild - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Adobe Reader vulnerability exploited in the wild

One of our readers, Wayne Dilly, sent couple of malicious PDF documents to us. Wayne noticed that some machines got infected and wondered if the PDF documents exploited the vulnerability patched by Adobe couple of days ago (CVE-2008-2992 - see http://isc.sans.org/diary.html?storyid=5282).

Unfortunately, Wayne was right – these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, though, as a fully working PoC has been recently published as well, but it's interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection.

And indeed – at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad.

The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.

Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts. For example, the PoC defines a long number variable (referenced to the advisory by CORE), as shown below:

var num = 129999999999999999…. [a lot of numbers]
util.printf("%45000f",num);

However, the exploit code in the wild has the following loops:

var nm = 12;
for(i = 0; i < 18; i++){ nm = nm + "9"; }
for(i = 0; i < 276; i++){ nm = nm + "8"; }

util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);


See how they manage to do exactly the same thing? Unfortunately, this was probably enough to fool the AV vendors.

In any case, if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild.

--
Bojan


 

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS November Singapore 2019

Bojan

381 Posts
ISC Handler
Could you please publish details of what "infected" means? Was the malicious code contained in the PDF file or did it go to the Internet to retrieve it? If the latter, does the submitter have an IP address or a URL?

Thanks.
Anonymous
It's funny that they are using string concatenation to produce a big floating number. I would use math ;-).
DidierStevens

393 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!