leveraging adobe javascript virtual machine


Upload: z-chen

Post on 17-Jan-2015


Page 1: Leveraging Adobe JavaScript Virtual Machine

Adobe JS

Z Chen

About Adobe Javascript

Exploits Overview

Try It Out!

Samples In the Wild

JoYAN

Leveraging Adobe JavaScript Virtual Machine

Zhijie Chen (1)

(1) Engineering Research Center of Information Security, ICST, PKU

May 15, 2009

Page 2: Leveraging Adobe JavaScript Virtual Machine

Contents

1. About Adobe Javascript
2. Exploits Overview
3. Try It Out!
4. Samples In the Wild

Page 4: Leveraging Adobe JavaScript Virtual Machine

What can it do?

Adobe Javascript

Adobe JavaScripts can be created for batch processing of multiple documents, processing within a single document, processing for a given page, and processing for a single form field.

Customize the behavior of a particular PDF document.
Customize Acrobat itself.
Implement security policies.
Interact with databases and web services.
Dynamically alter the appearance of a PDF document.
Capture user-entered data from form fields.
Submit those data through SOAP-based Web Services.
Support for online team review.

Page 5: Leveraging Adobe JavaScript Virtual Machine

Adobe JS Objects

Acrobat JavaScript defines several objects that allow your code to interact with Acrobat, a PDF document, or form fields within a PDF document.

Object      Purpose
app         Acrobat
doc         PDF document
dbg         JavaScript debugger
console     JavaScript console
global      Persistent and cross-document information
util        JavaScript utility methods
dialog      Adobe Dialog Manager (ADM)
security    Encryption and digital signatures
SOAP        Web Services
search      Searching and indexing
ADBC        Database connections and queries
event       JavaScript events

Page 6: Leveraging Adobe JavaScript Virtual Machine

Tools I use for manipulating pdf files

pdftk: PDF toolkit. “If PDF is electronic paper, then pdftk is an electronic staple-remover, hole-punch, binder, secret-decoder-ring, and X-Ray-glasses.”
Scribus: Open Source Desktop Publishing.

Page 8: Leveraging Adobe JavaScript Virtual Machine

Adobe PDF Exploit List

Exploits List from Milw0rm

Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
Adobe Acrobat Reader JBIG2 Universal Exploit Bind Shell port 5500
Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit
Adobe Acrobat Reader <= 8.1.2 Malformed PDF Remote DOS PoC
Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption
Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability
Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service

Page 9: Leveraging Adobe JavaScript Virtual Machine

Leveraging Type I

Play with the bugs when invoking a built-in function/method within the Javascript context.
Easy to trigger and exploit.

Page 10: Leveraging Adobe JavaScript Virtual Machine

Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit

http://milw0rm.com/exploits/8570

Page 11: Leveraging Adobe JavaScript Virtual Machine

Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit

http://milw0rm.com/exploits/8569

Not a stack overflow?

Page 12: Leveraging Adobe JavaScript Virtual Machine

Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit

http://milw0rm.com/exploits/7006
http://milw0rm.com/exploits/6994

Page 13: Leveraging Adobe JavaScript Virtual Machine

Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit

http://milw0rm.com/exploits/8595

Affected Version : Acrobat Reader 8.1.2 - 9.0
Tested On : XP SP2 / SP3
Description : This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required in that a user must visit a malicious web site or open a malicious file. The specific flaw exists when processing malicious JavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon() method of a Collab object, proper bounds checking is not performed resulting in a stack overflow.

Failed to uncompress it :(.
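
A triage sketch for the Type I cases listed above, as an added example that is not from the slides: it inflates Flate-compressed streams in a PDF and reports calls to the built-in methods named in the exploit titles. The sample bytes, `build_sample` and the other function names are constructed for illustration.

```python
import re
import zlib

# Built-in methods named in the exploit titles on these slides. The Acrobat
# JavaScript API spells the annotation method getAnnots (lower-case g).
WATCHED_CALLS = ("getIcon", "customDictionaryOpen", "getAnnots", "util.printf")

# Everything between a "stream" keyword and the next "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def decoded_streams(pdf_bytes):
    """Yield each stream body, inflated when it is Flate (zlib) data."""
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        try:
            # decompressobj ignores the end-of-line bytes left after the data
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not zlib data (plain text or another filter): scan as-is
        yield body


def flag_watched_calls(pdf_bytes):
    """Return the sorted watched method names called in any stream."""
    hits = set()
    for body in decoded_streams(pdf_bytes):
        text = body.decode("latin-1")
        for name in WATCHED_CALLS:
            if re.search(r"\b" + re.escape(name) + r"\s*\(", text):
                hits.add(name)
    return sorted(hits)


def build_sample(script):
    """Constructed input: a minimal PDF fragment with one deflated stream."""
    data = zlib.compress(script.encode("latin-1"))
    head = b"1 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data)
    return b"%PDF-1.4\n" + head + data + b"\nendstream\nendobj\n"


SAMPLE = build_sample('var n = 1; util.printf("%d", n); app.alert("done");')
BENIGN = build_sample('app.alert("hello");')

if __name__ == "__main__":
    print(flag_watched_calls(SAMPLE))  # ['util.printf']
    print(flag_watched_calls(BENIGN))  # []
```

A hit is a lead for manual review, not a verdict: these methods also appear in legitimate form scripts, and streams behind other filters or obfuscated scripts are not decoded here.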

Page 14: Leveraging Adobe JavaScript Virtual Machine

Leveraging Type II

Play with the bugs when parsing a malformed pdf file.
Only use the javascript to perform a heapspray.

Page 15: Leveraging Adobe JavaScript Virtual Machine

Adobe Acrobat Reader JBIG2 Local Buffer Overflow

http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
http://milw0rm.com/exploits/8099
http://milw0rm.com/exploits/8280

Page 16: Leveraging Adobe JavaScript Virtual Machine

Leveraging Type III

Play with the urls.
I don’t know whether it works in the browser context or pdf reader context.

Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption: http://milw0rm.com/exploits/3430
Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability: http://milw0rm.com/exploits/3084
Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service: http://milw0rm.com/exploits/3040
Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit: http://milw0rm.com/exploits/6424

Page 17: Leveraging Adobe JavaScript Virtual Machine

To be continued...

Those I can’t RE them:

1. Adobe Acrobat Reader <= 8.1.2 Reader Remote Denial Of Service: http://milw0rm.com/exploits/5687, Overflow?

Page 19: Leveraging Adobe JavaScript Virtual Machine

Try it out!

Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit

http://milw0rm.com/exploits/7006
http://milw0rm.com/exploits/6994

Page 21: Leveraging Adobe JavaScript Virtual Machine

Sample in the wild

50.2

hxxp://172.31.25.229/acroPDF.htm

Page 22: Leveraging Adobe JavaScript Virtual Machine

Thank you!