
Inside Exploited PDF

In early February of this year, a series of advisories was released relating to multiple vulnerabilities in Adobe Acrobat Reader and Acrobat before version 8.1.2. This threat is tracked as CVE-2008-0655.

This vulnerability carries a high level of risk: opening a successfully crafted PDF file leads to remote code execution, which gives the attacker unauthorized remote control over the victim's machine.

Because of the nature of this vulnerability, more and more malicious users are attracted to this technique. As a result we are seeing a growing prevalence of this threat, and definitely In-the-Wild malicious PDF files.

Let’s take a deeper look …

Understanding PDF File Format [Read Adobe PDF 101]

Filter indicates how the data in the stream must be decoded. Here are the standard filter names: [Read PDF Reference]

* ASCIIHexDecode
* ASCII85Decode
* LZWDecode
* FlateDecode
* RunLengthDecode
* CCITTFaxDecode
* JBIG2Decode
* DCTDecode
* JPXDecode
* Crypt

Analysis of Exploited PDF

+ Recent malicious PDF sample.
MD5: 72ab6b2f311508fa5e2bc73ef147dc1c
MD5: 16105c0964a3af27838f168d97e10ffe
MD5: d3b4b6040a4849e43da0bc982f9cb69d

+ Static/Strings Inspection

The strings suggest that this PDF file was created in Acrobat 6.0 and that the stream objects are encoded. The filter, an optional part of the stream dictionary, indicates how the stream must be decoded. In this case the filter name is FlateDecode, which means the data is compressed with zlib/deflate and can be decompressed to reproduce the original text or binary.

1 – Stream object we are interested in investigating
2 – "0D" and "0A" are carriage return and line feed, which mark a new line
3 – Start of the compressed (encoded) stream

RFC 1950 – ZLIB Compressed Data Format Specification defines the two-byte zlib stream header as follows. In this sample the header bytes are 0x78 0xDA:

CMF (first byte, 0x78)
Bits 0 to 3 CM Compression Method = 8 denotes deflate
Bits 4 to 7 CINFO Compression Info = 7 indicates a 32K window size

FLG (second byte, 0xDA)
Bits 0 to 4 FCHECK (check bits for CMF and FLG): CMF*256 + FLG = 0x78DA = 30938, which is a multiple of 31 (31 × 998), so the header is valid
Bit 5 FDICT (preset dictionary present) = 0
Bits 6 to 7 FLEVEL (compression level) = 3, maximum compression
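As an added worked example (not code from the original post), the following Python script performs the decoding step described above: it locates the stream ... endstream bodies in a file, parses and validates the two-byte zlib header field by field exactly as RFC 1950 lays it out, and inflates the data. The embedded PDF fragment is constructed for the example and is not one of the samples listed earlier; it is compressed at level 9 so that its header is the same 0x78 0xDA seen in the sample. A streaming decompressor is used deliberately, because malicious files are often truncated before the Adler-32 trailer and a plain zlib.decompress() would give up on them.

```python
import re
import zlib

# Constructed sample payload: stands in for the script an analyst would recover
# from a malicious stream. It is NOT taken from the samples listed above.
PAYLOAD = b"app.alert('decoded stream contents');"

# Matches the body between the "stream" keyword and "endstream". The negative
# lookbehind keeps the "stream" inside "endstream" from starting a match.
# Caveat: the PDF spec says /Length is authoritative; a stream whose compressed
# bytes happen to end in 0x0D would lose that byte to the optional \r here.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def build_sample_pdf():
    """Build a minimal PDF-like byte string with one FlateDecode stream.
    Level 9 compression yields the 0x78 0xDA header discussed in the text."""
    body = zlib.compress(PAYLOAD, 9)
    return (
        b"%PDF-1.4\n"
        + b"1 0 obj\n"
        + b"<< /Length " + str(len(body)).encode("ascii") + b" /Filter /FlateDecode >>\n"
        + b"stream\r\n" + body + b"\r\nendstream\n"
        + b"endobj\n"
        + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


def extract_streams(pdf_bytes):
    """Return the raw body of every stream ... endstream pair in the file."""
    return [m.group(1) for m in STREAM_RE.finditer(pdf_bytes)]


def parse_zlib_header(data):
    """Split the two-byte zlib header (RFC 1950) into its fields and validate it.

    Raises ValueError when the bytes cannot be a zlib header, which for a
    stream marked /FlateDecode usually means corruption or deliberate
    obfuscation rather than a real deflate stream."""
    if len(data) < 2:
        raise ValueError("stream too short for a zlib header")
    cmf, flg = data[0], data[1]
    cm = cmf & 0x0F            # bits 0-3 of CMF: compression method, 8 = deflate
    cinfo = cmf >> 4           # bits 4-7 of CMF: log2(window size) - 8
    fcheck = flg & 0x1F        # bits 0-4 of FLG: check bits
    fdict = (flg >> 5) & 0x01  # bit 5 of FLG: preset dictionary flag
    flevel = flg >> 6          # bits 6-7 of FLG: compression level hint
    if cm != 8:
        raise ValueError("compression method %d is not deflate" % cm)
    if cinfo > 7:
        raise ValueError("CINFO %d means a window above 32K, which is not allowed" % cinfo)
    # FCHECK is chosen by the encoder so that CMF*256 + FLG is a multiple of 31.
    if (cmf * 256 + flg) % 31 != 0:
        raise ValueError("FCHECK failed: 0x%02X%02X is not a multiple of 31" % (cmf, flg))
    return {
        "cm": cm,
        "cinfo": cinfo,
        "window_size": 1 << (cinfo + 8),
        "fcheck": fcheck,
        "fdict": bool(fdict),
        "flevel": flevel,
    }


def is_valid_zlib_header(data):
    """True when parse_zlib_header accepts the bytes, False otherwise."""
    try:
        parse_zlib_header(data)
        return True
    except ValueError:
        return False


def decode_flate_stream(raw):
    """Validate the header and inflate a FlateDecode stream body.

    decompressobj() is used instead of zlib.decompress(): a stream truncated
    before its Adler-32 trailer still returns whatever could be inflated, and
    bytes following the deflate data land in unused_data instead of raising."""
    header = parse_zlib_header(raw)
    if header["fdict"]:
        # PDF streams never carry a preset dictionary; treat it as hostile input.
        raise ValueError("FDICT set: not a PDF FlateDecode stream")
    inflater = zlib.decompressobj()
    data = inflater.decompress(raw)  # no max_length, so all input is consumed
    return header, data


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for index, raw in enumerate(extract_streams(pdf)):
        header, data = decode_flate_stream(raw)
        print("stream %d: header bytes %02X %02X -> %r" % (index, raw[0], raw[1], header))
        print(data.decode("latin-1"))
```

Run against a real sample, replace build_sample_pdf() with the file's bytes; any stream that fails the FCHECK or CM test despite a /FlateDecode filter deserves a closer look, since a legitimate producer would never emit such a header.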

Most malicious PDF files have their streams encoded in this way, which makes it difficult for an analyst to see the actual code of the exploited file. Here is the interesting part once you have successfully decoded the exploited PDF file.
