Sunday, July 26, 2009

something about CVE-2009-1862 PoC analysis

Well, starting from the hereEvil.pdf filename, it was decided to start a (yet another) analysis of this critical vulnerability.

From the proof of concept found (http://www.milw0rm.com/exploits/9233):


begin 644 hereEvil.pdf
M)5!$1BTQ+C0*)"!;(#`N,3$Q,S,@+3`N,S(R-S4@,"XR,C$V.2`M
...
and so on... the TAR file above was decoded, with the following result:

%PDF-1.4
%Çì�¢
1 0 obj
<< /Type /Catalog /Outlines 3 0 R /Pages 4 0 R /Dests 5 0 R /AcroForm 6 0 R /Names 7 0 R /Threads 8 0 R /PageLayout /SinglePage /ViewerPreferences << /PageDirection /L2R >>
>>
endobj
2 0 obj
<< /Creator (Scribus 1.3.3.13) /Producer (Scribus PDF Library 1.3.3.13) /Title <>
/Author <>
/Keywords <>
/CreationDate (D:20090711081156)
/ModDate (D:20090711081156)
/Trapped /False


and so on... the result is a well-known PDF format file.

Within this "evil" PDF file, some object encoding definitions are written as follows:

9 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [ 0.11133 -0.32275 0.22169 -1.01367 ]
/Resources << /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
>>
/Length 263
/Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
stream


and another one:

29 0 obj
<< /Type /XObject /Subtype /Image /Width 272 /Height 345 /ColorSpace /DeviceRGB /BitsPerComponent 8 /Length 5280 /Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
stream
...


Within the evil PDF file there are many more objects defined in this manner.


The string:


/#46#6c#61#74#65#44#65#63#6f#64#65

stands for:

/FlateDecode

So from this point it is possible to proceed with the usual analysis techniques.
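As an added example (not code from the original post), a small Python scanner that expands the PDF name hex-escape syntax (`#xx`) and flags every /Filter name written that way, since a literal grep for /FlateDecode would miss such objects. The sample bytes are constructed in the style of the objects above and are not the real hereEvil.pdf.

```python
import re

# Constructed sample: two object dictionaries in the style of the hereEvil.pdf
# objects shown above (not the real file's bytes). Object 9 uses the hex-escaped
# filter name, object 29 the plain one.
SAMPLE_PDF = b"""9 0 obj
<< /Type /XObject /Subtype /Form /Length 263
/Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
stream
endstream
endobj
29 0 obj
<< /Type /XObject /Subtype /Image /Length 5280 /Filter /FlateDecode >>
stream
endstream
endobj
"""

# A PDF name: regular characters or #xx escapes, terminated by whitespace or a delimiter.
NAME_RE = re.compile(rb"/((?:[^\s/<>\[\]()%#]|#[0-9A-Fa-f]{2})+)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_pdf_name(raw: bytes) -> str:
    """Expand #xx escapes in a PDF name (syntax introduced in PDF 1.2)."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def find_escaped_filters(data: bytes) -> list:
    """Return (raw, decoded) pairs for every /Filter value that uses # escapes.

    Such names are valid PDF, but in the wild they mostly appear as a way to
    dodge naive signature checks that look for the literal filter name, so a
    non-empty result is a useful triage indicator.
    """
    hits = []
    for m in re.finditer(rb"/Filter\s*" + NAME_RE.pattern, data):
        raw = m.group(1)
        if b"#" in raw:
            hits.append((raw.decode("ascii"), decode_pdf_name(raw)))
    return hits


if __name__ == "__main__":
    for raw, decoded in find_escaped_filters(SAMPLE_PDF):
        print(f"/Filter /{raw} -> /{decoded}")
```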


1 comment:

  1. After this post it was found that

    http://xorl.wordpress.com/2009/07/23/adobe-vulnerability-on-milw0rm/

    had discovered this decoding method before the extraexploit post. Sometimes timing is all.
