Friday, March 12, 2010

CVE-2010-0188 - Adobe Pdf libtiff exploits analysis

Please see some of my research on Mila's Contagio Dump blog.

Part 1. invitation.pdf
Exploit in this file successfully executed in Adobe Reader 9.2, 9.3 on Windows XP (SP2, SP3) but didn't work on Windows Vista and Windows 7.

This pdf can be easily unpacked with pdftk or It is using CVE-2006-3459 libtiff vulnerability, let look at tiff files.

At the end of the file we see integer overflow, you can also see unnecessary data referencing to like /bin/sh /bin/id , this is linux shellcode to execute /bin/id, i think it is because they used the following exploit from Security Focus, and did not change the shellcode.

However, the main shellcode is on the top of the file:

I disassembled the shellcode and it's searching in memory for 0x4656434b04068919,
and then for second 0x4b614b6106118119

The xored file is located between these dwords. The shellcode spawns c:\adobe_update.exe (10608 bytes) , c:\data.exe (32768 bytes), c:\data.bin(91756 bytes) - this is a legitimate pdf file.

Decompiled shellcode is available here .

The dexored embeded data looks like this:
In the beginning of there file there are three dwords, in which the size of generated files is located, followed by the three files together: adobe_updater.exe - this file executess c:\data.exe (32768 bytes), c:\data.bin(91756 bytes) and self deletes after that. ( Virustotal scan result )

Part 2. Another PDF for 8.x
This exploit works on Adobe Reader 8.1.2, posibly on all 8.x.
It used ret code 0x0c0c0c0c, and heap spray technique to execute shellcode

See below deobfuscated javascript for heap spray:

No comments:

Post a Comment