So teaching the MFIRE class last week in lovely Johannesburg-- a student asked me about the PDF containing the following vulnerability: CVE-2010-0188. This is a buffer overflow using TIF images. To be honest I never encountered one of these in the course of my work-- so off to the research cave I went. Along for the ride I dragged Hidden Illusion-- who is well versed in the PDF exploit jungle. He actually did a write up based on the work as well, you can see it here at his blog. He beat me in the race condition on posting :-)
|Information about the PDF as gathered from peepdf|
|NOP Sleds Have been removed for brevity|
Mild fail for me :( Lesson Learned: Go With Gut.
I decided to save off the Object to a file so I could easily manipulate the stream. I did this by setting output within peepdf to a file ('set output file
So after modifying the stream slightly in a text editor so all that was left was the BASE64 code (so the file starts with 'SU' and ends with the '=') all it took were two more commands:
base64 -d stream122_modified.dmp > decodedStream.bin
|Excerpt of Shellcode after decoding|
Hooray I was able to see the same thing as was seen in the BugiX blog!
Other interesting streams in the PDF:
|Snippet of Object 3|
- Obj 144: JS trying to determine the version of Adobe
- Obj 199: References to the shellcode... you can see the filenames of the files the PDF drops
- Obj 122: The TIF exploit itself
- Obj 3: Calls the TIF exploit
I checked what other objects reference 3 again using peepdf. I wanted to see how this was starting execution, as generally there is an openaction or something along those lines.
|Checking to See What Other Objects Reference Object 3|
So this document utilizes XFA, which is an open standard for electronic form management. What this is saying is to use XFA and call Object 3 as the template for the form... which just so happens to call our 'exploit.tif'. Groovy.
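Tying the two manual steps above together (find which object the /XFA entry points at, pull the base64 out of its embedded <image>, and check whether what comes out is actually a TIFF), here is an added Python triage script; it is not from the original post and is not peepdf code. The PDF it parses is a constructed stand-in with the same shape, and the regex-level object parsing plus support for only raw or /FlateDecode streams are simplifying assumptions.

```python
import base64
import re
import zlib

# Constructed sample (assumption, not the Contagio file): a minimal PDF whose
# catalog points /XFA at object 3, a template that embeds a base64 <image>, the
# same shape as the post describes. The "image" is an 8-byte TIFF header only.
TIFF_STUB = b"II*\x00\x08\x00\x00\x00"
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /AcroForm << /XFA [ (template) 3 0 R ] >> >> endobj\n"
    b"3 0 obj << >> stream\n<template><field><ui><imageEdit/></ui>"
    b"<value><image contentType=\"image/tif\">" + base64.b64encode(TIFF_STUB) +
    b"</image></value></field></template>\nendstream\nendobj\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
IMAGE_RE = re.compile(rb"<image\b[^>]*>([A-Za-z0-9+/=\s]+)</image>", re.I)

def image_kind(data):
    """TIFF is the container CVE-2010-0188 abuses, so flag it separately."""
    return "tiff" if data[:4] in (b"II*\x00", b"MM\x00*") else "other"

def xfa_object_numbers(pdf):
    """Object numbers referenced from /XFA entries (array form or a single ref)."""
    nums = set()
    for m in re.finditer(rb"/XFA\s*(\[[^\]]*\]|\d+\s+0\s+R)", pdf):
        nums.update(int(n) for n in re.findall(rb"(\d+)\s+0\s+R", m.group(1)))
    return nums

def stream_body(obj_body):
    """Raw stream bytes of one object, inflated if the dict names /FlateDecode."""
    m = STREAM_RE.search(obj_body)
    if not m:
        return b""
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in obj_body[:m.start()] else data

def find_xfa_images(pdf):
    """(object number, kind, decoded size, first 8 bytes hex) per embedded image."""
    wanted = xfa_object_numbers(pdf)
    found = []
    for m in OBJ_RE.finditer(pdf):
        if int(m.group(1)) not in wanted:
            continue
        for img in IMAGE_RE.finditer(stream_body(m.group(2))):
            raw = base64.b64decode(b"".join(img.group(1).split()))
            found.append((int(m.group(1)), image_kind(raw), len(raw), raw[:8].hex()))
    return found
```

Running `find_xfa_images(SAMPLE_PDF)` reports object 3 carrying an 8-byte TIFF whose decoded bytes begin 49 49 2a 00, the same 'SU...' base64 prefix the post stripped down to by hand.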
The more and more I use Remnux, the more and more kick ass I feel it is. I really love PDFStreamDumper too-- it's a wondrous Windows land PDF analysis tool. It's just that sometimes it's nice being able to inherently do things like base64 decode and view a hex dump with your OS.
And of course thanks Mila for Contagio-- the one stop shop for malware :o) You can grab the specific PDF I analysed above at her site here.
And again thanks Glenn-- this is for you.