Friday, November 19, 2010

CVE-2010-4091 exploited?

November 24, 2010 – Update:

Looking for other exploitation attempts, I found a Malwaretracker sample where the PDF seems to be spread via a URL that contains: filepdf.php@v=zday

The following analysis reports the objects used within this PDF (which is different from the Full Disclosure PDF):

http://www.malwaretracker.com/pdfsearch.php?hash=0398e68507882a38a26a341058c94653&submit=Search


November 22, 2010 – Update:

Some interesting (and useful) notes about the original full disclosure PDF PoC published on the Full Disclosure mailing list:

Who’s looking for eggs in your PDF?
http://labs.m86security.com/2010/11/whos-looking-for-eggs-in-your-pdf/

November 19, 2010:

This is my latest result. It seems that with a crafted PDF, as explained by Haifei Li in his paper (see previous posts for reference), the code flow looks like it could be hijacked. At least I have this impression from the debugger response, as you can see in this screenshot:

[Screenshot: "exploited"]

Feedback and suggestions are welcome. Some notes: this is only an attempt to better understand this issue. Mistakes on my part at this stage are very likely.
