Sunday, June 24, 2012

Tiff Buffer Overflow in PDF

So, teaching the MFIRE class last week in lovely Johannesburg-- a student asked me about a PDF containing the following vulnerability: CVE-2010-0188. This is a buffer overflow using TIF images. To be honest I had never encountered one of these in the course of my work-- so off to the research cave I went. Along for the ride I dragged Hidden Illusion-- who is well versed in the PDF exploit jungle. He actually did a write-up based on the work as well; you can see it here at his blog. He beat me in the race condition on posting :-)

Information about the PDF as gathered from peepdf
We were actually lucky and found someone else had already written a posting on the exact PDF here. However, it did not exactly state how they got to the TIF file... I could see it sitting in stream 122, but when I tried extracting the TIF files I got nothing-- which was starting to anger me. Regardless, I was barking up the wrong tree. Let's take a look at the stream with the TIF.


NOP Sleds Have been removed for brevity
So, when I -first- looked at this I thought BASE64... however my mind was so dead set on trying to extract TIF files that I dismissed this entirely. Glenn brought me back on track and said 'Nope, it's base64'.
Mild fail for me :( Lesson Learned: Go With Gut.

I decided to save off the object to a file so I could easily manipulate the stream. I did this by setting the output within peepdf to a file ('set output file ') and then viewing the object again. Don't forget to reset the output to stdout afterwards! I was trying to use the modify command within peepdf but could not get it to work (so if anyone can explain how to do so, that would be awesome). Another method I could have used is pdfextract, another tool from Origami in Remnux which pulls all streams, JS, images, and whatnot from a PDF file.

So after modifying the stream slightly in a text editor so that all that was left was the BASE64 code (so the file starts with 'SU' and ends with the '='), all it took were two more commands:
base64 -d stream122_modified.dmp > decodedStream.bin
xxd decodedStream.bin

Excerpt of Shellcode after decoding

Hooray I was able to see the same thing as was seen in the BugiX blog!
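The decode-and-inspect step above as an added Python example (my own code, not from the post, peepdf or the BugiX write-up): it carves the longest base64 run out of a stream dump, decodes it, checks that the result really is a TIF (the 'SU' the object starts with is just base64 for the little-endian TIFF magic 'II') and measures the longest run of a single byte value, a cheap tell for the NOP sled trimmed from the screenshot. The XFA wrapper tags and the TIF blob inside STREAM_DUMP are constructed for the example, not the real stream 122.

```python
import base64
import re
import struct

# Constructed sample: a minimal little-endian TIF (magic "II", one IFD entry)
# followed by 300 bytes of 0x90 standing in for the NOP sled the screenshot
# trimmed, wrapped in XFA-style tags the way a peepdf dump of an XFA image
# object looks. Hypothetical data, not the real stream 122.
_TIF_BLOB = (struct.pack("<2sHI", b"II", 42, 8)       # magic, version 42, IFD at 8
             + struct.pack("<H", 1)                    # one IFD entry
             + struct.pack("<HHII", 256, 3, 1, 64)     # ImageWidth (SHORT) = 64
             + struct.pack("<I", 0)                    # no next IFD
             + b"\x90" * 300 + b"\xcc\xcc\x13\x37")
STREAM_DUMP = ("<xfa:data>\n<image>" + base64.b64encode(_TIF_BLOB).decode()
               + "</image>\n</xfa:data>")

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # long base64-alphabet runs

def carve_base64(text):
    """Decode the longest base64 run in a stream dump (b'' if none)."""
    runs = B64_RUN.findall(text)
    return base64.b64decode(max(runs, key=len)) if runs else b""

def tiff_header(blob):
    """Parse the 8-byte TIF header -> (byte_order, first_ifd_offset) or None."""
    if len(blob) < 8 or blob[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if blob[:2] == b"II" else ">"
    version, ifd = struct.unpack(endian + "HI", blob[2:8])
    return (blob[:2].decode(), ifd) if version == 42 else None

def longest_byte_run(blob):
    """(length, value) of the longest run of one byte value: the sled tell."""
    best, i = (0, None), 0
    while i < len(blob):
        j = i
        while j < len(blob) and blob[j] == blob[i]:
            j += 1
        if j - i > best[0]:
            best = (j - i, blob[i])
        i = j
    return best

if __name__ == "__main__":
    tif = carve_base64(STREAM_DUMP)
    print("header:", tiff_header(tif), "longest run:", longest_byte_run(tif))
```

Pipe the decoded bytes to xxd (or write them to a file) for the same view the post shows; a run of a few hundred identical bytes right after a valid TIF header is what the trimmed screenshot hid.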

Other interesting streams in the PDF:

Snippet of Object 3
  • Obj 144: JS trying to determine the version of Adobe
  • Obj 199: References to the shellcode... you can see the filenames of the files the PDF drops
  • Obj 122: The TIF exploit itself
  • Obj 3: Calls the TIF exploit


I again used peepdf to check what other objects reference Object 3. I wanted to see how this was starting execution, as generally there is an OpenAction or something along those lines.

Checking to See What Other Objects Reference Object 3
So this document utilizes XFA, which is an open standard for electronic form management. What this is saying is to use XFA and call Object 3 as the template for the form... which just so happens to call our 'exploit.tif'. Groovy.

The more and more I use Remnux, the more and more kick-ass I feel it is. I really love PDFStreamDumper too-- it's a wondrous Windows-land PDF analysis tool. It's just that sometimes it's nice being able to inherently do things like base64 decode and view a hex dump with your OS.

And of course thanks Mila for Contagio-- the one stop shop for malware :o) You can grab the specific PDF I analysed above at her site here.

And again thanks Glenn-- this is for you.
