PDF CVE-2010-0188

While analyzing a recent pdf sample exploiting the TIFF vuln it used a known technique to obfuscate it’s content: it appends a pdf to the first one after a bunch of of “garbage” (that contains the dropped executables)

%PDF-1.6
...
%%EOF
[GARBAGE]
%PDF-1.6
...
%%EOF

I tried to run my extractor on the sample to retrieve all the streams decompressed but i didn’t found the one containing the famous exploit

The reason why i wasn’t able to recover the exploit is that the second pdf redefined an object (0 1) and so the first dumped stream was overwritten by the last one thus hiding the exploit.

I just did a little modification to preserve all the streams extracted even if there is a id collision, you can download it

here.

Another Python PDF Parser

(edit): updated screenshots 😉

It’s not a full PDF parser, I just needed to extract streams and javascript from a pdf so it has few options :

1. list objects
2. extract all streams
3. extract javascript
4. dump object

1. list all objects

2. extract streams

you will found one file named: sample_stream-9-0.txt in you dir.

3. extract javascript

check the directory and you’ll find a file named: sample_js-2-0.txt

you can further inspect objects using the dump command, let’s try it on the object containing the javascript (2 0) :

you can download the tool here

and that’s it 😉

PDF Exploit Malware #2 :: Carrier

This time our pdf exploit malware has md5 1c60c948c901b7aa86b3e40a478948b2.
At this moment, virustotal.com reports this sample as “no result“… nice 😉

I named this one “Carrier” (name taken from the Starcraft series).
You will soon discover the reason of this choice.

In order to grab some information, please open it with a text editor.

We can notice only one big stream compressed with zlib. So select the blob and decompress with zlib. We logically split the given javascript code in three parts.

Part I.

We can see a function that removes a toy obfuscation, by simply replacing “!#” (and “\n” if you want) with the string “”.

So after replacing the above string, we have the plain javascript code of this block.

Part II.

At the end of the obfuscated block, we can see a small javascript code:

This is the brain of the whole code. It decides which exploit to use by the reader version number.

Part III.

Well now we jump back to the javascript code with the toy obfuscation (Part I).

After deobfuscating the code, we can easily walk into the javascript. We have four functions. Let’s see one by one.

F1: printd.

It exploits a vulnerability related to the util.printd() method.

F2: emailinfo.

It exploits a vulnerability related to the Collab.collectEmailInfo() method.

F3: util_printf.

It exploits a vulnerability related to the util.printf() method.

F4: geticon.

It exploits a vulnerability related to the Collab.getIcon() method.

Put all Together.

All of the exploits (related to known bugs) use the same shellcode that downloads a malware from the following website:

At this moment this website is online and it is possible to download the malware,
the md5 of the malware is: D37B3145882007E3D4DF2104C3A07948.

Conclusions.

Time to say some final words. This pdf exploit malware has only a toy obfuscation but it carries four exploits, for various versions of Adobe Reader. I will give you a recap picture of the “Carrier” as a last gift (click to enlarge)…

I hope you have enjoyed this new trip into the pdf bug-land.

See you soon 😉

PDF Exploit Malware #1

Today we take a look at a pdf exploit malware (md5 is 1cf1128b9190d7344c200e1e944d7abf).

First of all let’s open the pdf file with a text editor and dig into it:

As we can see from the object definition, we have a stream compressed with zlib:

We can code a small python script that will do all the dirty work (decompress and make code readable) for us.

The following is our stream after decompression:

The above javascript code, retrieves the second stream located in the first page of the pdf file and handles this stream.

To locate the second stream, it uses the syncAnnotScan method in order to scan all the annotations in the document and then it uses getAnnots to retrieve the list of annotation and then picks up the first one, our second stream.  For details about javascript/acrobat, please take a look here.

It decodes this stream by replacing (using a global replacement ‘z’ with ‘%’) with the regexp “/z/g,’%’” so it calls unescape and finally it calls eval.

Our uncompressed stream fixed is (click on the following images to enlarge):

Ok, let’s have fun with this joyful and clear javascript function 😦

The first parameter (FfVKaBvcfE3268e) is set to 0 and the second one (JJ140q) is obviously an encoded code string. As we can see, this function handles the encoded code string (full dump here) in order to deobfuscate the code itself. The code is another javascript, as we can see from the eval (eval(n__YJ78gI18RI)) call at the end of this second function.

At the beginning of the function, we have an anti-debug trick:

This trick is discussed here. It uses its own javascript code (by using the arguments.callee) as the key to deobfuscate the code string discussed above.

If we take a closer look at this function, we can notice that the key is built only by using the number chars into this function code. Here is a small python script that extracts the key:

key = ""

for i in range(0, len(data)):
 if data[i] >= '0' and data[i] <= '9':
  key += data[i]

print key

Let’s look at the final functions (we just focus on the relevant parts).

First of all, the exploit is related to an old version of Adobe Reader as we can see in the following snippet:

Another interesting part is this function in which it handles the shellcode:

We can obtain the website which it connects to download the malware from the shellcode:

At this time this website seems to be offline, so no further analysis can be done on the downloaded malware.

The exploit used is related to an old vulnerability that is reported here.

Ok that’s all… see you next post 🙂