One of our readers, Wayne Dilly, sent a couple of malicious PDF documents to us. Wayne noticed that some machines got infected and wondered if the PDF documents exploited the vulnerability patched by Adobe a couple of days ago (CVE-2008-2992 - see http://isc.sans.org/diary.html?storyid=5282).

Unfortunately, Wayne was right – these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, as a fully working PoC has recently been published as well, but it's interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection. And indeed – at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad.

The payload is in a JavaScript object embedded in the PDF document. Once extracted, it contains just first-level obfuscation with a simple eval(unescape()) call. Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts. For example, the PoC defines a long number variable (referenced in the advisory by CORE), as shown below:

var num = 129999999999999999…. [a lot of numbers]
Bojan 403 Posts ISC Handler Nov 7th 2008 |
Nov 7th 2008 1 decade ago |
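The single-layer eval(unescape()) wrapper described in the diary can be peeled statically, without running the script. The following is an added example, not code from the diary or from the sample; the function names and the constructed input string are assumptions made for illustration.

```python
import re

# Matches eval(unescape(<args>)) where <args> is one or more quoted string
# literals joined with '+', i.e. the single-layer wrapper the diary describes.
WRAPPER = re.compile(
    r"""eval\s*\(\s*unescape\s*\(\s*((?:(?:"[^"]*"|'[^']*')\s*(?:\+\s*)?)+)\)\s*\)""",
    re.S)
LITERAL = re.compile(r"""(["'])(.*?)\1""", re.S)
ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Constructed, benign input: decodes to "var x=1;".
SAMPLE = "eval(unescape(\"%76%61%72%20\" + '%78%3D%31%3B'));"


def js_unescape(text):
    """Static equivalent of JavaScript unescape(): %XX and %uXXXX only.

    urllib.parse.unquote is not used because it ignores the %uXXXX form.
    """
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return ESCAPE.sub(repl, text)


def peel_layers(script, max_layers=5):
    """Decode eval(unescape(...)) wrappers without executing anything.

    Returns the decoded layers, outermost first. Stops when no wrapper is
    left or after max_layers, so a pathological sample cannot loop forever.
    """
    layers = []
    for _ in range(max_layers):
        m = WRAPPER.search(script)
        if not m:
            break
        # Join concatenated literals ("..." + '...') before decoding.
        joined = "".join(body for _, body in LITERAL.findall(m.group(1)))
        script = js_unescape(joined)
        layers.append(script)
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel_layers(SAMPLE), 1):
        print("layer %d: %r" % (depth, layer))
```

Run it over the JavaScript stream after it has been extracted and decompressed from the PDF; the last element of the returned list is the innermost script to review.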
Could you please publish details of what "infected" means? Was the malicious code contained in the PDF file or did it go to the Internet to retrieve it? If the latter, does the submitter have an IP address or a URL?
Thanks.
Anonymous |
Nov 7th 2008 1 decade ago |
It's funny that they are using string concatenation to produce a big floating number. I would use math
DidierStevens 650 Posts ISC Handler |
Nov 9th 2008 1 decade ago |