Leveraging Adobe JavaScript Virtual Machine
Published in: Technology


Transcript

  • 1. Leveraging Adobe JavaScript Virtual Machine. Zhijie Chen, Engineering Research Center of Information Security, ICST, PKU. May 15, 2009. JoYAN
  • 2. Contents: 1. About Adobe Javascript; 2. Exploits Overview; 3. Try It Out!; 4. Samples In the Wild
  • 4. What can it do? Adobe Javascript: Adobe JavaScripts can be created for batch processing of multiple documents, processing within a single document, processing for a given page, and processing for a single form field...
      - Customize the behavior of a particular PDF document.
      - Customize Acrobat itself.
      - Implement security policies.
      - Interact with databases and web services.
      - Dynamically alter the appearance of a PDF document.
      - Capture user-entered data from form fields.
      - Submit those data through SOAP-based Web Services.
      - Support for online team review.
  • 5. Adobe JS Objects. Acrobat JavaScript defines several objects that allow your code to interact with Acrobat, a PDF document, or form fields within a PDF document. Object and purpose:
      - app: Acrobat
      - doc: PDF document
      - dbg: JavaScript debugger
      - console: JavaScript console
      - global: Persistent and cross-document information
      - util: JavaScript utility methods
      - dialog: Adobe Dialog Manager (ADM)
      - security: Encryption and digital signatures
      - SOAP: Web Services
      - search: Searching and indexing
      - ADBC: Database connections and queries
      - event: JavaScript events
  • 6. Tools I use for manipulating pdf files
      - pdftk: PDF toolkit. “If PDF is electronic paper, then pdftk is an electronic staple-remover, hole-punch, binder, secret-decoder-ring, and X-Ray-glasses.”
      - Scribus: Open Source Desktop Publishing.
  • 8. Adobe PDF Exploit List. Exploits List from Milw0rm:
      - Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
      - Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
      - Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
      - Adobe Acrobat Reader JBIG2 Universal Exploit Bind Shell port 5500
      - Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
      - Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit
      - Adobe Acrobat Reader <= 8.1.2 Malformed PDF Remote DOS PoC
      - Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption
      - Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability
      - Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service
  • 9. Leveraging Type I. Play with the bugs when invoking a built-in function/method within the Javascript context. Easy to trigger and exploit.
  • 10. Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit: http://milw0rm.com/exploits/8570
  • 11. Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit: http://milw0rm.com/exploits/8569 Not a stack overflow?
  • 12. Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit: http://milw0rm.com/exploits/7006 http://milw0rm.com/exploits/6994
  • 13. Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit: http://milw0rm.com/exploits/8595
      - Affected Version: Acrobat Reader 8.1.2 - 9.0
      - Tested On: XP SP2 / SP3
      - Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required in that a user must visit a malicious web site or open a malicious file. The specific flaw exists when processing malicious JavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon() method of a Collab object, proper bounds checking is not performed resulting in a stack overflow.
      - Failed to uncompress it :(.
  • 14. Leveraging Type II. Play with the bugs when parsing a malformed pdf file. Only use the javascript to perform a heapspray.
  • 15. Adobe Acrobat Reader JBIG2 Local Buffer Overflow: http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.h http://milw0rm.com/exploits/8099 http://milw0rm.com/exploits/8280
  • 16. Leveraging Type III. Play with the urls. I don’t know whether it works in the browser context or pdf reader context..
      - Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption: http://milw0rm.com/exploits/3430
      - Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability: http://milw0rm.com/exploits/3084
      - Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service: http://milw0rm.com/exploits/3040
      - Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit: http://milw0rm.com/exploits/6424
  • 17. To be continued... Those I can’t RE them:
      - 1. Adobe Acrobat Reader <= 8.1.2 Reader Remote Denial Of Service: http://milw0rm.com/exploits/5687, Overflow?
  • 19. Try it out! Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit: http://milw0rm.com/exploits/7006 http://milw0rm.com/exploits/6994
  • 21. Sample in the wild: 50.2 hxxp://172.31.25.229/acroPDF.htm
  • 22. Thank you!
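
Slides 8 to 14 sort the listed bugs into ones reached by calling a built-in method from document JavaScript (Type I) and ones in the file parser, such as JBIG2 (Type II), and slide 13 notes that a sample could not be uncompressed. As an added example (not from the slides), a static triage check in Python that inflates Flate-compressed streams and reports which of those categories a file's content points at; `triage`, `inflate_streams` and `build_sample` are hypothetical names, and the sample input is constructed and benign.

```python
import re
import zlib

# Method names from the slide 8 list ("Type I": bugs reached by calling a
# built-in method from document JavaScript).
TYPE_I_METHODS = ("getIcon", "customDictionaryOpen", "getAnnots", "util.printf")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def inflate_streams(pdf: bytes):
    """Yield each stream body, zlib-inflated when possible, raw otherwise."""
    for match in STREAM_RE.finditer(pdf):
        body = match.group(1)
        try:
            # decompressobj ignores the end-of-line bytes left after the data
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # not FlateDecode, or damaged: scan it as-is


def triage(pdf: bytes) -> dict:
    """Report which of the slides' categories a PDF's content points at."""
    text = b"\n".join([pdf, *inflate_streams(pdf)])
    hits = sorted(
        name for name in TYPE_I_METHODS
        if re.search(re.escape(name.encode()) + rb"\s*\(", text, re.I)
    )
    return {
        "has_javascript": bool(re.search(rb"/(JS|JavaScript)\b", pdf)),
        "type1_methods": hits,                  # built-in method call sites
        "type2_jbig2": b"/JBIG2Decode" in pdf,  # JBIG2 image filter present
    }


def build_sample() -> bytes:
    """Constructed input: a PDF-like body with one deflated, benign script."""
    js = zlib.compress(b"var a = this.getAnnots(0); util.printf('%d', 1);")
    return (b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(js)).encode() + b" >>\nstream\n" + js
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage(build_sample()))
```

PDF names can be hex-escaped and scripts can build method names at run time, so an empty result from this check is not a verdict on the file.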