Adobe Reader vulnerability exploited in the wild

Published: 2008-11-07. Last Updated: 2008-11-07 15:54:09 UTC
by Bojan Zdrnja (Version: 1)
2 comment(s)

One of our readers, Wayne Dilly, sent couple of malicious PDF documents to us. Wayne noticed that some machines got infected and wondered if the PDF documents exploited the vulnerability patched by Adobe couple of days ago (CVE-2008-2992 - see http://isc.sans.org/diary.html?storyid=5282).

Unfortunately, Wayne was right – these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, though, as a fully working PoC has been recently published as well, but it's interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection.

And indeed – at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad.

The payload is in a JavaScript object embedded in the PDF document. Once extracted, it just contains first level obfuscation with a simple eval(unescape()) call.

Once deobfuscated, parts of the publicly posted PoC are visible, but the attackers also modified certain parts. For example, the PoC defines a long number variable (referenced to the advisory by CORE), as shown below:

var num = 129999999999999999…. [a lot of numbers]
util.printf("%45000f",num);

However, the exploit code in the wild has the following loops:

var nm = 12;
for(i = 0; i < 18; i++){ nm = nm + "9"; }
for(i = 0; i < 276; i++){ nm = nm + "8"; }

util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);


See how they manage to do exactly the same thing? Unfortunately, this was probably enough to fool the AV vendors.

In any case, if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild.

--
Bojan


 

Keywords:
2 comment(s)

Comments

Could you please publish details of what "infected" means? Was the malicious code contained in the PDF file or did it go to the Internet to retrieve it? If the latter, does the submitter have an IP address or a URL?

Thanks.
It's funny that they are using string concatenation to produce a big floating number. I would use math ;-).

Diary Archives