Adobe Reader vulnerability exploited in the wild

Published: 2008-11-07
Last Updated: 2008-11-07 15:54:09 UTC
by Bojan Zdrnja (Version: 1)
2 comment(s)

One of our readers, Wayne Dilly, sent couple of malicious PDF documents to us. Wayne noticed that some machines got infected and wondered if the PDF documents exploited the vulnerability patched by Adobe couple of days ago (CVE-2008-2992 - see http://isc.sans.org/diary.html?storyid=5282).

Unfortunately, Wayne was right – these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, though, as a fully working PoC has been recently published as well, but it's interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection.

And indeed – at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad.

The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.

Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts. For example, the PoC defines a long number variable (referenced to the advisory by CORE), as shown below:

var num = 129999999999999999…. [a lot of numbers]
util.printf("%45000f",num);

However, the exploit code in the wild has the following loops:

var nm = 12;
for(i = 0; i < 18; i++){ nm = nm + "9"; }
for(i = 0; i < 276; i++){ nm = nm + "8"; }

util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);


See how they manage to do exactly the same thing? Unfortunately, this was probably enough to fool the AV vendors.

In any case, if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild.

--
Bojan


 

Keywords:
2 comment(s)

Vmware patches

Published: 2008-11-07
Last Updated: 2008-11-07 12:59:01 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Vmware have released more patches. One is a new advisory, the other is an update.

VMSA-2008-0018 VMware Hosted products and patches for ESX and ESXi

VMSA-2008-0016.1 VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues

As Vmware has become an important part of our infrastructure we have to collectively ensure that we deploy and maintain virtual systems in a secure fashion. Which included design, architecture, patching, and hardening.

Cheers,
Adrien de Beaupré
intru-shun.ca

Keywords:
0 comment(s)

Comments


Diary Archives