Wednesday, December 16, 2009

New Zero day Adobe Acrobat Reader vulnerability analysis – Part 1

On December 14th, Symantec and Shadowserver reported a new zero-day vulnerability being exploited in the wild against Adobe Reader. It is now tracked as CVE-2009-4324. Adobe acknowledged it on their website and said they are investigating the issue. As usual, this is not the first time PDFs have been targeted for exploitation. Earlier we saw Flash files being used to exploit a known vulnerability in the wild; this time it is an unpatched Adobe zero-day being exploited in the wild. A colleague provided me with a sample PDF exploiting this vulnerability, and I started looking into it in depth. The PDF was obfuscated and not in a readable format, so I used my favourite tool, pdf-parser.py from PDF Tools. I ran the malicious PDF through the parser and saved its output for every element of the file to a text file. Here is how it looks:

The output file was very large and I wanted to find the malicious script code inside it. As I said earlier, the file was obfuscated and contains a lot of objects/elements. I was only interested in certain strings such as /JavaScript, /FlateDecode, etc., so I searched for these blocks inside the output file and found some of interest:

The above screenshots show some of the interesting blocks, which were used to uncover the malicious code. pdf-parser.py has some very good options for parsing specific objects inside the file. I looked at the tool's documentation and some of the options looked valuable. Here are the relevant options and their descriptions, copied directly from the PDF Tools site:

“Filter option applies the filter(s) to the stream. For the moment, only FlateDecode is supported (e.g. zlib decompression). The raw option makes pdf-parser output raw data (e.g. not the printable Python representation). Objects outputs the data of the indirect object which ID was specified. This ID is not version dependent. If more than one object has the same ID (disregarding the version), all these objects will be outputted.”

This is exactly what we need to run against suspicious blocks or objects inside the PDF. I ran the following command against the object with ID 110:

D:\ >pdf-parser.py --object=110 --raw --filter malicious-file.pdf > output.log

The command ran successfully and I checked the output file for anything interesting. It contained very suspicious, obfuscated JavaScript code:

From here it was easy to work. I opened Malzilla (a malware hunting tool), pasted the script above into the Decoder section and pressed the 'Run Script' button. The result was another script, this time in readable form. Here is how it looked:

Let’s copy this into a text file so that we can see the whole script. This is a screenshot of the full script used in the PDF file:

Looking at the strings and code above, this is clearly heap-spray code and it is written for Adobe Reader: it checks the viewer version and only fires the exploit if the version is greater than 8, so it is aimed at the latest Reader releases. There is also a call to the JavaScript function util.printd() next to a try{}-catch{} block, and at first sight this looks like the culprit. According to Adobe's documentation, util.printd() returns a date formatted according to the supplied format string, but the parameters passed here are invalid and contain @ and long runs of digits. My initial read was that this is the method causing the memory corruption in Reader. As a correction (the comment below makes the same point): CVE-2009-4324 is a use-after-free in the Doc.media.newPlayer() JavaScript method, so the call to look for inside the try{}-catch{} block is media.newPlayer(); the util.printd() calls with odd format strings around it are part of the exploit's memory-shaping sequence, not the bug itself, and the try/catch swallows the exception from the malformed call so the script keeps running.
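To make the workflow above reproducible offline, here is an added Python example (my own code, not pdf-parser.py, Malzilla or the author's script). It builds a constructed sample PDF carrying a FlateDecode-compressed JavaScript stream, lists the indirect objects the way the parser's output does, follows /JavaScript actions to the script, inflates the stream as --raw --filter would, and scans the decoded script for the heap-spray, util.printd() and newPlayer() indicators discussed above. SAMPLE_JS, the object layout and the indicator names are assumptions made for the example; the triage is regex-based and does not replace pdf-parser.py on real samples, which use xref tables, object streams and string escapes it ignores.

```python
import re
import zlib

# Constructed stand-in for the decoded payload described above (version check,
# heap spray, util.printd() with odd format strings, try/catch around the
# trigger). It is NOT the in-the-wild sample and nothing here executes it.
SAMPLE_JS = b"""
if (app.viewerVersion > 8) {
  var shellcode = unescape("%u0c0c%u0c0c");
  var spray = unescape("%u0c0c%u0c0c");
  while (spray.length < 0x80000) spray += spray;
  var mem = new Array();
  for (var i = 0; i < 200; i++) mem[i] = spray + shellcode;
  util.printd("12345678901234567890123456 : 1234567", new Date());
  try { this.media.newPlayer(null); } catch (e) {}
  util.printd("@12345678901234567890123456 : 1234567", new Date());
}
"""

def build_sample_pdf(js):
    """Write a minimal PDF whose /OpenAction runs a FlateDecode-compressed JS stream."""
    stream = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_HDR_RE = re.compile(rb"(<<.*?>>)\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct /Length only

def split_stream(body):
    """Split an object body into (dictionary, stream bytes or None)."""
    hdr = STREAM_HDR_RE.match(body)
    if not hdr:
        return body, None
    dictionary, start = hdr.group(1), hdr.end()
    length = LENGTH_RE.search(dictionary)
    if length:  # trust /Length, as a viewer would
        return dictionary, body[start:start + int(length.group(1))]
    # indirect /Length: cut at the endstream keyword (rough, may trim data)
    return dictionary, body[start:body.rfind(b"endstream")].rstrip(b"\r\n")

def parse_objects(pdf):
    """Map object number -> (dictionary, raw stream). Regex triage in the spirit
    of pdf-parser's listing; xref tables and object streams are not handled."""
    return {int(m.group(1)): split_stream(m.group(3)) for m in OBJ_RE.finditer(pdf)}

def decode_stream(dictionary, data):
    """Equivalent of --raw --filter: inflate a /FlateDecode stream, else pass through."""
    if data is None:
        return b""
    return zlib.decompress(data) if b"/FlateDecode" in dictionary else data

def find_javascript(objs):
    """Follow /JS from /JavaScript actions to the script body (indirect ref or literal)."""
    scripts = {}
    for num, (dictionary, stream) in objs.items():
        if b"/JavaScript" not in dictionary and b"/JS" not in dictionary:
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", dictionary)
        if ref and int(ref.group(1)) in objs:
            scripts[int(ref.group(1))] = decode_stream(*objs[int(ref.group(1))])
            continue
        lit = re.search(rb"/JS\s*\((.*)\)", dictionary, re.S)  # rough: no escape handling
        if lit:
            scripts[num] = lit.group(1)
    return scripts

# Indicator names are my own labels for the patterns seen in the decoded script.
INDICATORS = [
    ("viewer version check", rb"app\.viewerVersion"),
    ("0x0c0c heap spray", rb"unescape\(\s*[\"']%u0c0c"),
    ("spray growth loop", rb"while\s*\(.*?\.length\s*<"),
    ("util.printd with non-date format", rb"util\.printd\(\s*[\"'][^\"']*[@\d]{10,}"),
    ("media.newPlayer (CVE-2009-4324)", rb"media\.newPlayer\("),
    ("try/catch around trigger", rb"try\s*\{.*?\}\s*catch"),
]

def scan_script(js):
    """Return the names of every indicator present in a decoded script."""
    return [name for name, pattern in INDICATORS if re.search(pattern, js, re.S)]

def triage(pdf):
    """Object number -> indicator hits, for every script the PDF carries."""
    return {num: scan_script(js) for num, js in find_javascript(parse_objects(pdf)).items()}

if __name__ == "__main__":
    for num, hits in triage(build_sample_pdf(SAMPLE_JS)).items():
        print("object %d:" % num, ", ".join(hits) or "nothing suspicious")
```

On a real file you would point parse_objects() at the bytes on disk instead of build_sample_pdf(); the indicator list is the part worth keeping, since the 0x0c0c sled, the oversized util.printd() format strings and a media.newPlayer() call inside try/catch are the signature of this particular exploit regardless of how the outer JavaScript is obfuscated.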

This is the first post in the series and I will provide more information in the second. The second post will cover whether the exploit is successful and how it can be leveraged further. As I mentioned in the Flash blog series, new zero-day vulnerabilities continue to be discovered in the wild affecting popular applications such as Adobe's. Since Adobe does not have a patch yet, the mitigation is to disable JavaScript within Acrobat Reader (Edit > Preferences > JavaScript, uncheck "Enable Acrobat JavaScript"), as described by the Shadowserver team.

That’s it for now. Happy hunting!!!

Umesh

2 comments:

Praveen Darshanam said...

great analysis dude! loving it!! even a novice can understand it.

Alexander Hanel said...

This is a great write-up, but it should be stated that the exploit is CVE-2009-4324, the 'newplayer()' JavaScript Method Remote Code Execution Vulnerability, not util.printd().