PDF File Format And Exploitation - Hemanshu Asolia

PDF File Format and Exploitation by h3m4n

What is PDF? Portable Document Format Document representation independent software, hardware, OS ISO/IEC 32000-1:2008 de-facto standard for printable document

PDF File Structure Header %PDF-1.0 to %PDF-1.7 Body Contains indirect objects Cross-Reference Table Random access to indirect objects xref0 20000000000 65535 f 0000910913 00000 n File Trailer trailer <</Size 181/Root 179 0 R /Info 180 0 R /ID [ <55ED49327E86414ED7562EB23237FA2C> <55ED49327E86414ED7562EB23237FA2C> ] /DocChecksum /3B2D0F3E6C208965E0CE735F1364D709 >> startxref 919337 %%EOF

App Object Model Javascript runs under the context of App Object Model PDF js cannot access HTML DOM objects File Attachment XML Capabilities Forms Web Services Database connections

What's cracking up? Vulnerable APIs getIcons() (CVE-2009-0927) getAnnots() (CVE-20091492) customDictionaryOpen() (CVE-2009-1493) Doc.media.newPlayer (CVE-2009-4324) File parsing vulnerabilities JBIG2( Over a dozen CVE) libTiff (CVE-2010-0188) Social engineered arbit. command execution PDF escape by Didier Stevens Not a bug (feature) Exploitation in the wild Embedded Files libTiff (CVE-2010-0188)

Analysis Tools pdf-parser.py pdfid.py pdfminer debuggers PDFuzzer

Prevention and Mitigation Patch up! Disable Javascript Disable attachment opening with external application Use DEP Disable display of PDF in browser. (Make your IPS happy!) Don't open pdf from strangers Least privileges

So what's next? Less rely on Javascript for exploitation Issues with embedded files is here to stay Built in non-tunable Flash support another issue Portfolio's anyone! Vulnerability with multiple file parsing XFA SOAP Interaction with other applications Adobe finally learning some SDL #FTW! Sandbox ??

Where can I get more samples contagiodump.blogspot.com/ offensivecomputing.net/

References http://partners.adobe. com/public/developer/en/acrobat/sdk/AcroJSGuide.pdf http://en.wikipedia.org/wiki/Portable_Document_Format http://bugix-security.blogspot.com/ http://blog.didierstevens.com/ http://www.securiteam.com/tools/6R0052KN5I.html

Thank You! contact: heman@null.co.in

http://null.co.in	46
http://nullpresentations.blogspot.com	9
http://www.slideshare.net	5
http://webcache.googleusercontent.com	1
http://www.nullpresentations.blogspot.com	1

PDF File Format And Exploitation - Hemanshu Asolia

by n|u - The Open Security Community on May 27, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 62

Statistics

PDF File Format And Exploitation - Hemanshu Asolia — Presentation Transcript