November 24, 2010 – Update:
Looking for other exploitation attempts, I found a Malwaretracker sample where the PDF seems to be spread via a URL that contains: filepdf.php@v=zday
The following analysis reports the objects used within this PDF (which is different from the full disclosure PDF):
http://www.malwaretracker.com/pdfsearch.php?hash=0398e68507882a38a26a341058c94653&submit=Search
November 22, 2010 – Update:
Some interesting (and useful) notes about the original full disclosure PDF PoC published on the Full Disclosure mailing list:
Who’s looking for eggs in your PDF?
http://labs.m86security.com/2010/11/whos-looking-for-eggs-in-your-pdf/
November 19, 2010:
This is my latest result. It seems that with a crafted PDF, as explained by Haifei Li in his paper (see previous posts for reference), the code flow looks like it could be hijacked. At least I have this impression from the debugger response, as you can see in this screenshot:
Feedback and suggestions are welcome. Some notes: this is only an attempt to better understand this issue. Mistakes on my part at this stage are very likely.