Leveraging Adobe JavaScript Virtual Machine

Zhijie Chen
Engineering Research Center of Information Security, ICST, PKU
May 15, 2009
JoYAN

Contents
   1 About Adobe Javascript
   2 Exploits Overview
   3 Try It Out!
   4 Samples In the Wild

What can it do?
   Adobe Javascript
   Adobe JavaScripts can be created for batch processing of multiple documents, processing within a single document, processing for a given page, and processing for a single form field...
      Customize the behavior of a particular PDF document.
      Customize Acrobat itself.
      Implement security policies.
      Interact with databases and web services.
      Dynamically alter the appearance of a PDF document.
      Capture user-entered data from form fields.
      Submit those data through SOAP-based Web Services.
      Support for online team review.

Adobe JS Objects
   Acrobat JavaScript defines several objects that allow your code to interact with Acrobat, a PDF document, or form fields within a PDF document.

   Object     Purpose
   app        Acrobat
   doc        PDF document
   dbg        JavaScript debugger
   console    JavaScript console
   global     Persistent and cross-document information
   util       JavaScript utility methods
   dialog     Adobe Dialog Manager (ADM)
   security   Encryption and digital signatures
   SOAP       Web Services
   search     Searching and indexing
   ADBC       Database connections and queries
   event      JavaScript events

Tools I use for manipulating PDF files
   pdftk: PDF toolkit. “If PDF is electronic paper, then pdftk is an electronic staple-remover, hole-punch, binder, secret-decoder-ring, and X-Ray-glasses.”
   Scribus: Open Source Desktop Publishing.

Adobe PDF Exploit List
   Exploits List from Milw0rm
      Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
      Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
      Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
      Adobe Acrobat Reader JBIG2 Universal Exploit Bind Shell port 5500
      Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
      Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit
      Adobe Acrobat Reader <= 8.1.2 Malformed PDF Remote DOS PoC
      Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption
      Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability
      Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service

Leveraging Type I
   Play with the bugs when invoking a built-in function/method within the JavaScript context.
   Easy to trigger and exploit.

Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
   http://milw0rm.com/exploits/8570

Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
   http://milw0rm.com/exploits/8569
   Not a stack overflow?

Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
   http://milw0rm.com/exploits/7006
   http://milw0rm.com/exploits/6994

Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
   http://milw0rm.com/exploits/8595
      Affected Version : Acrobat Reader 8.1.2 - 9.0
      Tested On : XP SP2 / SP3
      Description : This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required in that a user must visit a malicious web site or open a malicious file. The specific flaw exists when processing malicious JavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon() method of a Collab object, proper bounds checking is not performed resulting in a stack overflow.
      Failed to uncompress it :(.

Leveraging Type II
   Play with the bugs when parsing a malformed PDF file.
   Only use the JavaScript to perform a heapspray.

Adobe Acrobat Reader JBIG2 Local Buffer Overflow
   http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.h
   http://milw0rm.com/exploits/8099
   http://milw0rm.com/exploits/8280

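Seen from the defender's side, the Type I and Type II patterns above can be triaged statically. The Python below is an added example, not code from the slides or from any Adobe tool: it inflates FlateDecode streams even when they are damaged, decodes #xx-obfuscated PDF names, and reports the JavaScript methods named in the exploit list plus JBIG2 streams that appear together with JavaScript. The function names, the string-matching heuristics and both sample files are assumptions constructed for this illustration.

```python
import re
import zlib

# JavaScript methods named in the slides' exploit list ("Type I" bugs).
RISKY_CALLS = ["getIcon", "customDictionaryOpen", "getAnnots", "util.printf"]

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")
JS_KEY_RE = re.compile(rb"/(?:JS|JavaScript)\b")
# Runs of %uXXXX inside unescape() are typical of spray-style strings.
SPRAY_RE = re.compile(rb"unescape\s*\(\s*[\"'](?:%u[0-9a-f]{4}){2,}")


def normalize_names(data):
    """Decode #xx escapes in PDF names so /J#53 is seen as /JS."""
    def fix(match):
        return re.sub(rb"#([0-9a-fA-F]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return NAME_RE.sub(fix, data)


def inflate(raw):
    """Inflate a FlateDecode stream, keeping what decoded before any error."""
    decoder = zlib.decompressobj()
    out = bytearray()
    for i in range(0, len(raw), 64):
        try:
            out += decoder.decompress(raw[i:i + 64])
        except zlib.error:
            break  # damaged stream: keep the partial output
    return bytes(out)


def triage(data):
    """Report JavaScript indicators found in one PDF file given as bytes."""
    keys = normalize_names(data)
    texts = [data]  # scripts may also be stored uncompressed
    for obj in OBJ_RE.finditer(data):
        body = obj.group(1)
        stream = STREAM_RE.search(body)
        if stream and b"/FlateDecode" in normalize_names(body[:stream.start()]):
            texts.append(inflate(stream.group(1)))
    text = b"\n".join(texts).lower()
    has_js = bool(JS_KEY_RE.search(keys))
    return {
        "javascript": has_js,
        "type1_calls": [c for c in RISKY_CALLS if c.lower().encode() in text],
        "jbig2_with_js": has_js and b"/JBIG2Decode" in keys,
        "spray_like_string": bool(SPRAY_RE.search(text)),
    }


def _obj(num, dictionary, stream=None):
    """Build one indirect object for the constructed samples below."""
    body = b"%d 0 obj\n<< %s >>\n" % (num, dictionary)
    if stream is not None:
        body += b"stream\n" + stream + b"\nendstream\n"
    return body + b"endobj\n"


# Constructed sample 1: compressed script, obfuscated names, checksum cut off.
_js1 = b"this.getAnnots(); // constructed, harmless call\n" + b"// padding\n" * 4
_packed = zlib.compress(_js1)[:-4]
SAMPLE_TYPE1 = (b"%PDF-1.4\n"
                + _obj(1, b"/S /JavaScript /J#53 2 0 R")
                + _obj(2, b"/Filter /Fl#61teDecode", _packed))

# Constructed sample 2: JBIG2 stream plus a script that only builds a string.
_js2 = b'var s = unescape("%u4141%u4141"); // constructed filler\n'
SAMPLE_TYPE2 = (b"%PDF-1.4\n"
                + _obj(1, b"/S /JavaScript /JS 2 0 R")
                + _obj(2, b"/Length %d" % len(_js2), _js2)
                + _obj(3, b"/Filter /JBIG2Decode", b"\x00" * 4))

if __name__ == "__main__":
    for name, sample in (("type1", SAMPLE_TYPE1), ("type2", SAMPLE_TYPE2)):
        print(name, triage(sample))
```

A clean report is not a verdict: scripts that assemble method names at run time, or streams behind other filters, need a full PDF parser and a JavaScript-aware pass.
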
Leveraging Type III
   Play with the URLs.
   I don’t know whether it works in the browser context or pdf reader context.
   Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption: http://milw0rm.com/exploits/3430
   Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability: http://milw0rm.com/exploits/3084
   Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service: http://milw0rm.com/exploits/3040
   Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit: http://milw0rm.com/exploits/6424

To be continued...
   Those I can’t RE them:
      1 Adobe Acrobat Reader <= 8.1.2 Reader Remote Denial Of Service: http://milw0rm.com/exploits/5687, Overflow?

Try it out!
   Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
      http://milw0rm.com/exploits/7006
      http://milw0rm.com/exploits/6994

Sample in the wild
   50.2
   hxxp://172.31.25.229/acroPDF.htm

Thank you!

More Related Content

Similar to Leveraging Adobe JavaScript Virtual Machine

Your java script library
Your java script libraryYour java script library
Your java script library
jasfog
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
Hafez Kamal
 
David Nuescheler: Igniting CQ 5.3: What's New and Roadmap
David Nuescheler: Igniting CQ 5.3: What's New and RoadmapDavid Nuescheler: Igniting CQ 5.3: What's New and Roadmap
David Nuescheler: Igniting CQ 5.3: What's New and Roadmap
Day Software
 
What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.
David Nuescheler
 
Node.JS briefly introduced
Node.JS briefly introducedNode.JS briefly introduced
Node.JS briefly introduced
Alexandre Lachèze
 
Fred Spencer & Blain Hamon: Advanced Titanium for iOS
Fred Spencer & Blain Hamon: Advanced Titanium for iOSFred Spencer & Blain Hamon: Advanced Titanium for iOS
Fred Spencer & Blain Hamon: Advanced Titanium for iOS
Axway Appcelerator
 
RIA
RIARIA
Great Cup od Java
Great Cup od JavaGreat Cup od Java
Great Cup od Java
CIB Egypt
 
Metaprogramming JavaScript
Metaprogramming  JavaScriptMetaprogramming  JavaScript
Metaprogramming JavaScript
danwrong
 
Agile JavaScript Testing
Agile JavaScript TestingAgile JavaScript Testing
Agile JavaScript Testing
Scott Becker
 
Evolving web, evolving search
Evolving web, evolving searchEvolving web, evolving search
Evolving web, evolving search
net2-project
 
State Of Ajax Zend Con 08
State Of Ajax   Zend Con 08State Of Ajax   Zend Con 08
State Of Ajax Zend Con 08
bgalbs
 
MongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataMongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring Data
Chris Richardson
 
Creative Coders March 2013 - Introducing Starling Framework
Creative Coders March 2013 - Introducing Starling FrameworkCreative Coders March 2013 - Introducing Starling Framework
Creative Coders March 2013 - Introducing Starling Framework
Huijie Wu
 
Jopenmeraverse introduction
Jopenmeraverse introductionJopenmeraverse introduction
Jopenmeraverse introduction
Jitendra Chauhan
 
Django On Jython (for Portland and Boulder Python user groups presentations)
Django On Jython (for Portland and Boulder Python user groups presentations)Django On Jython (for Portland and Boulder Python user groups presentations)
Django On Jython (for Portland and Boulder Python user groups presentations)
Leonardo Soto
 
Javaland 2017: "You´ll do microservices now". Now what?
Javaland 2017: "You´ll do microservices now". Now what?Javaland 2017: "You´ll do microservices now". Now what?
Javaland 2017: "You´ll do microservices now". Now what?
André Goliath
 
Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)
Giacomo Bergami
 
仕様決定、部品化、ディレクションがなぜ重要か
仕様決定、部品化、ディレクションがなぜ重要か仕様決定、部品化、ディレクションがなぜ重要か
仕様決定、部品化、ディレクションがなぜ重要か
Kohei Otsuka
 
2010 06-24 karlsruher entwicklertag
2010 06-24 karlsruher entwicklertag2010 06-24 karlsruher entwicklertag
2010 06-24 karlsruher entwicklertag
Marcel Bruch
 

Similar to Leveraging Adobe JavaScript Virtual Machine (20)

Your java script library
Your java script libraryYour java script library
Your java script library
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
David Nuescheler: Igniting CQ 5.3: What's New and Roadmap
David Nuescheler: Igniting CQ 5.3: What's New and RoadmapDavid Nuescheler: Igniting CQ 5.3: What's New and Roadmap
David Nuescheler: Igniting CQ 5.3: What's New and Roadmap
 
What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.
 
Node.JS briefly introduced
Node.JS briefly introducedNode.JS briefly introduced
Node.JS briefly introduced
 
Fred Spencer & Blain Hamon: Advanced Titanium for iOS
Fred Spencer & Blain Hamon: Advanced Titanium for iOSFred Spencer & Blain Hamon: Advanced Titanium for iOS
Fred Spencer & Blain Hamon: Advanced Titanium for iOS
 
RIA
RIARIA
RIA
 
Great Cup od Java
Great Cup od JavaGreat Cup od Java
Great Cup od Java
 
Metaprogramming JavaScript
Metaprogramming  JavaScriptMetaprogramming  JavaScript
Metaprogramming JavaScript
 
Agile JavaScript Testing
Agile JavaScript TestingAgile JavaScript Testing
Agile JavaScript Testing
 
Evolving web, evolving search
Evolving web, evolving searchEvolving web, evolving search
Evolving web, evolving search
 
State Of Ajax Zend Con 08
State Of Ajax   Zend Con 08State Of Ajax   Zend Con 08
State Of Ajax Zend Con 08
 
MongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataMongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring Data
 
Creative Coders March 2013 - Introducing Starling Framework
Creative Coders March 2013 - Introducing Starling FrameworkCreative Coders March 2013 - Introducing Starling Framework
Creative Coders March 2013 - Introducing Starling Framework
 
Jopenmeraverse introduction
Jopenmeraverse introductionJopenmeraverse introduction
Jopenmeraverse introduction
 
Django On Jython (for Portland and Boulder Python user groups presentations)
Django On Jython (for Portland and Boulder Python user groups presentations)Django On Jython (for Portland and Boulder Python user groups presentations)
Django On Jython (for Portland and Boulder Python user groups presentations)
 
Javaland 2017: "You´ll do microservices now". Now what?
Javaland 2017: "You´ll do microservices now". Now what?Javaland 2017: "You´ll do microservices now". Now what?
Javaland 2017: "You´ll do microservices now". Now what?
 
Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)
 
仕様決定、部品化、ディレクションがなぜ重要か
仕様決定、部品化、ディレクションがなぜ重要か仕様決定、部品化、ディレクションがなぜ重要か
仕様決定、部品化、ディレクションがなぜ重要か
 
2010 06-24 karlsruher entwicklertag
2010 06-24 karlsruher entwicklertag2010 06-24 karlsruher entwicklertag
2010 06-24 karlsruher entwicklertag
 

Recently uploaded

Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 

Recently uploaded (20)

Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 

Leveraging Adobe JavaScript Virtual Machine

  • 1. Adobe JS Z Chen About Adobe Javascript Exploits . . Overview Leveraging Adobe JavaScript Virtual Machine Try It Out! . .. . . Samples In the Wild Zhijie Chen1 1 Engeineering Research Center of Information Security,ICST,PKU May 15, 2009 JoYAN . . . . . .
  • 2. Contents Adobe JS Z Chen About Adobe Javascript . Exploits . . About Adobe Javascript 1 Overview Try It Out! . Samples In the Wild . . Exploits Overview 2 . . . Try It Out! 3 . . . Samples In the Wild 4 JoYAN 2
  • 3. Contents Adobe JS Z Chen . About Adobe Javascript . . About Adobe Javascript 1 Exploits Overview Try It Out! . Samples In the . . Exploits Overview 2 Wild . . . Try It Out! 3 . . . Samples In the Wild 4 JoYAN 3
  • 4. What can it do? Adobe JS Z Chen . Adobe Javascript . About Adobe .. Javascript Adobe JavaScripts can be created for batch processing of multi- Exploits ple documents, processing within a single document, processing Overview for a given page, and processing for a single form field... Try It Out! Samples In the Customize the behavior of a particular PDF document. Wild Customize Acrobat itself. Implement security policies. Interact with databases and web services. Dynamically alter the appearance of a PDF document Capture user-entered data from form fields. Submit those data through SOAP-based Web Services. . Surpport for online team review. .. . JoYAN . 4
  • 5. Adobe JS Objects: Acrobat JavaScript defines several objects that allow your code to interact with Acrobat, a PDF document, or form fields within a PDF document. Object and purpose:
      • app: Acrobat
      • doc: PDF document
      • dbg: JavaScript debugger
      • console: JavaScript console
      • global: Persistent and cross-document information
      • util: JavaScript utility methods
      • dialog: Adobe Dialog Manager (ADM)
      • security: Encryption and digital signatures
      • SOAP: Web Services
      • search: Searching and indexing
      • ADBC: Database connections and queries
      • event: JavaScript events
  • 6. Tools I use for manipulating pdf files:
      • pdftk: PDF toolkit. “If PDF is electronic paper, then pdftk is an electronic staple-remover, hole-punch, binder, secret-decoder-ring, and X-Ray-glasses.”
      • Scribus: Open Source Desktop Publishing.
  • 8. Adobe PDF Exploit List. Exploits list from Milw0rm:
      • Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
      • Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
      • Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
      • Adobe Acrobat Reader JBIG2 Universal Exploit Bind Shell port 5500
      • Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
      • Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit
      • Adobe Acrobat Reader <= 8.1.2 Malformed PDF Remote DOS PoC
      • Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption
      • Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability
      • Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service
  • 9. Leveraging Type I: Play with the bugs when invoking a built-in function/method within the Javascript context. Easy to trigger and exploit.
  • 10. Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit: http://milw0rm.com/exploits/8570
  • 11. Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit: http://milw0rm.com/exploits/8569 Not a stack overflow?
  • 12. Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit: http://milw0rm.com/exploits/7006 http://milw0rm.com/exploits/6994
  • 13. Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit: http://milw0rm.com/exploits/8595
      • Affected Version: Acrobat Reader 8.1.2 - 9.0
      • Tested On: XP SP2 / SP3
      • Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required in that a user must visit a malicious web site or open a malicious file. The specific flaw exists when processing malicious JavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon() method of a Collab object, proper bounds checking is not performed, resulting in a stack overflow.
      • Failed to uncompress it :(
  • 14. Leveraging Type II: Play with the bugs when parsing a malformed pdf file. Only use the javascript to perform a heapspray.
  • 15. Adobe Acrobat Reader JBIG2 Local Buffer Overflow: http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.h http://milw0rm.com/exploits/8099 http://milw0rm.com/exploits/8280
  • 16. Leveraging Type III: Play with the urls. I don’t know whether it works in the browser context or pdf reader context.
      • Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption: http://milw0rm.com/exploits/3430
      • Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability: http://milw0rm.com/exploits/3084
      • Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service: http://milw0rm.com/exploits/3040
      • Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit: http://milw0rm.com/exploits/6424
  • 17. To be continued... Those I can’t RE them:
      • 1. Adobe Acrobat Reader <= 8.1.2 Reader Remote Denial Of Service: http://milw0rm.com/exploits/5687, Overflow?
  • 19. Try it out! Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit: http://milw0rm.com/exploits/7006 http://milw0rm.com/exploits/6994
  • 21. Sample in the wild: 50.2 hxxp://172.31.25.229/acroPDF.htm
  • 22. Thank you!
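
Slide 8 names four JavaScript entry points (getIcon, customDictionaryOpen, GetAnnots, util.printf), and slide 13 notes that the sample could not be uncompressed. As an added example that is not part of the slides, this Python triage script inflates FlateDecode streams and reports which of those calls a PDF references; the function names, the case-insensitive matching and the constructed benign sample document are assumptions of this example.

```python
import re
import zlib

# Method names from the exploit list on slide 8 (the deck's "Type I" bugs).
WATCHED_CALLS = ("getIcon", "customDictionaryOpen", "getAnnots", "util.printf")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_KEY_RE = re.compile(rb"/(?:JS|JavaScript)\b")


def decode_names(pdf: bytes) -> bytes:
    """Undo #hh escapes, which PDF allows inside names (/J#53 equals /JS)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), pdf)


def stream_bodies(pdf: bytes):
    """Yield each stream body, inflated when it is zlib (FlateDecode) data."""
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        try:
            # decompressobj returns what it can from a truncated stream
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # another filter or plain text: scan it as stored


def triage(pdf: bytes) -> dict:
    """Report JavaScript keys and watched API calls found in a PDF."""
    found = set()
    for body in (pdf, *stream_bodies(pdf)):
        text = body.decode("latin-1")
        for name in WATCHED_CALLS:
            if re.search(re.escape(name) + r"\s*\(", text, re.IGNORECASE):
                found.add(name)
    return {"has_js_key": bool(JS_KEY_RE.search(decode_names(pdf))),
            "calls": sorted(found)}


def build_sample() -> bytes:
    """Constructed, benign test document: one compressed script stream."""
    js = b'var n = this.getAnnots({nPage: 0}); util.printf("%d", 1);'
    return (b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /J#53 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(js) + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    print(triage(build_sample()))
```

A hit only says the document references one of these methods; scripts hidden behind other stream filters or built from strings at run time need a full PDF parser and JavaScript deobfuscation.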