Adobe Reader/Acrobat Unspecified Buffer Overflow Vulnerability

Discussion in 'other security issues & news' started by ronjor, Feb 20, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,095
    Location:
    Texas
    Secunia
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,095
    Location:
    Texas
    Zero day hole in Adobe Reader and Acrobat
    Heise
     
  3. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    "...we found that disabling JavaScript would definitely prevent the malware from being installed on the system. However, it would still result in the crash of the application. We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice.

    Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:

    Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript"

    http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A couple of analyses:

    TROJ_PIDIEF.IN
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPIDIEF%2EIN&VSect=T
    Nice flow chart here:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPIDIEF%2EIN&VSect=P


    Trojan.Pidief.E
    http://www.symantec.com/en/th/enterprise/security_response/writeup.jsp?docid=2009-021212-5523-99&tabid=2

    Pretty typical exploit where trojan executables attempt to download/run. The PDF file just acts as the triggering mechanism, as does a Flash file or autorun.inf file.

    Note that this exploit does not target a browser.

    Note also this comment:

    https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/188
    Data Execution Prevention was introduced with WinXP SP2. Many other solutions exist including Software Restriction Policies which prevent unauthorized executables from running.

    ----
    rich
     
  5. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I do not know what IE is (Internet Extermination?), and since 2006, when I started to focus on PDF threats, I do not use Adobe anymore (the more a program is "mass used", the more it is widely attacked or targeted).
    BOs are highly difficult to prevent, even with the MS DEP feature.
    And the problem becomes a little bit more complicated when the editor is known for its slow patching reactivity...
    I give here just some advice drawn from my personal research.

    For those who still use AAReader: harden Adobe's policy.
    As the PostScript language is rich (isn't it, Rmus? :) ), it's suitable to limit the possibilities.
    Disabling JavaScript in Adobe Reader can also be done from the registry:
    http://www.acrobatusers.com/forums/aucbb/viewtopic.php?id=17210
    And as malware can use an anti-policy routine to re-enable it, paranoid users should protect the key.

    The fewer plugins and addons we install in the browser, the fewer malware/exploit "career opportunities" we give to attackers.
    I personally download the pdf and use an alternative reader that opens the file as text:
    http://www.ctdeveloping.com/ctdeveloping/products/pdftextreader_info.asp

    I have a sample of the GhostRat, and like any malware writing to disk, it can be caught by any serious HIPS.
    And virtualization/sandbox-based HIPSs that isolate the browser from the rest of the system are currently the most armored to prevent drive-by download infections, exploit-based or not.
    But much more difficult to detect is malware embedded in pdf files...

    rgds
     
    Last edited: Feb 20, 2009
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi kareldjag,

    Long time no see!

    Ah, yes, plug-ins can certainly be blamed for a lot of things. One reason they are popular for exploitation is that they are not browser specific. And potentially can work on other Operating Systems:

    http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
    With Acrobat Reader the problem is compounded with plug-ins for the plug-in!

    Fortunately with Acrobat Reader v6 you can remove all but the necessary 3 plug-ins (run, search, print) to make the Reader work as a simple reader. This means of course eliminating the dangerous javascript and URI plugins. Several years ago some PoC PDF files were created to show how easy it is to exploit those two functions. Without the respective plug-ins an error is returned:

    [attached image: pdf-pluginJS-2.gif]

    [attached image: pdf-pluginURI-2.gif]

    So with v.6 (and I think v.7) the user can customize the application to make a safe, fast, simple Reader. Unfortunately in v.8-9 I understand that you cannot remove EScript.api (the javascript plug-in) or it will not work.

    And your solution avoids the problem altogether. Also earlier today Foxit Reader users were asking at their forum if that Reader is vulnerable.

    Do you mean block? Then why more difficult? They are just binaries like in any other exploit. In the current one, according to Trend Micro, 2 EXE and 1 DLL files identified as Ghost Backdoor trojans are dropped.

    Several here have shown how SRP easily blocks EXE from unauthorized locations, and Lucy today showed SRP blocking the loading of a DLL. Coupled with running as a Limited User, this exploit has no chance.

    Anyway, people with Readers vulnerable to this exploit need to do something now because as ronjor noted above, you will get no help from Adobe for several weeks:

    http://www.adobe.com/support/security/advisories/apsa09-01.html
    regards,

    rich
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi

    For information purposes only, the Snort vulnerability team has released a kind of patch for Adobe:
    http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html

    But as usual, it's not recommended to accept any patch other than the original editor's one.
    The previous advice is already enough (more radical: uninstall Adobe and, until the official patch, read pdf with a text-based reader).

    Yes Rmus, long time, and as you have taken time in the past to answer my question about "European-looking cities" like Berkeley, I'll do the same by answering your dilemma about the choice of an antimalware sufficiently efficient to counter this kind of remote execution (but more specifically by PM).
    In fact the choice must not be based on a specific threat.
    It's a multi-criteria game: tell me what kind of user you are, and I'll tell you what anti-malware you need!
    I agree about system hardening and locking (least privileges, SRP, ACL etc); but we can't expect the average user to apply a strategy that even some sysadmins do not apply (the Conficker worm can easily be prevented by OS lockdown).
    Moreover, SRP and default-deny strategies can be defeated (that's why I suggest locking the related policy keys), even under a user account (I have experimented with it, with or without some public PoC). So it appears that a HIPS on a hardened (power/advanced/expert users) or non-hardened (average users) system is the easiest way to counter known and unknown malware.
    Regarding remote execution, it is possible to block any PE executable that occurs via exploits (pdf, flash, iframe etc), but it's not always possible to block the execution of the exploit (shellcode) itself. Moreover, there are some stealth-by-design attacks and malware that limit their impact on the system: client/server-side threats mostly interact with the client application, which can be the IM tool but is mostly the browser.
    Recent examples are browser malware ( http://www.gnucitizen.org/blog/browser-rootkits/ ) like ChromeInject ( http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html ) and mem-jacking attacks which try to modify the client application directly in memory.
    If this kind of malware can be prevented (read-only permission, HIPS), it's more difficult for the attack (and there's more, see the Trusteer site).
    In the same way an executable (malware.exe) dropped/bound in a document format file (pdf, docx etc) can be both detected when executing and prevented from executing (let's forget AV).
    But malware can be malicious by using a scripting language (.js for instance), and it would be more difficult to detect with an AV or HIPS, as I have experimented with some PoC and as suggested by SANS:
    http://isc.sans.org/diary.html?storyid=4726

    As a whitelist partisan myself, I guess that the most interesting whitelist HIPS is unfortunately for corporate use: http://www.savantprotection.com/

    And finally, the more I study INsecurity, the less I believe in Security.
    In fact, Security is never secure, mostly because it is impossible to control the process totally.
    And if software has bugs and users have flaws, Insecurity is a non-predictable variable.
    We can't know when, where, what and how!

    Rgds
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    HI kareldjag,

    Regarding my dilemma, it's been solved. It wasn't with me, but with a couple of friends thinking of getting new computers and worried that they were limited to Vista, meaning that Anti-Executable v.2 wouldn't work. It turns out that they can stay with XP after all.

    I agree with your comment about Shell Code - it can do almost anything. This came up several years ago in the WMF exploit. Over in another forum where several showed blocking of the binary executable payload using various products, including SRP, someone compiled a WMF file where Shell Code launched the Windows Calculator, and said, "You see!"

    Great! Yet to my knowledge, no WMF exploit ever surfaced that didn't download an executable. If malware authors can get a trojan onto the victim's computer and make it part of a botnet, that is where the money is, it seems. The current PDF exploit also downloads an executable.

    The browser rootkit article you link to concludes,

    That was 1 1/2 years ago. We'll wait and see! I don't ignore hypotheticals, but I don't lose sleep over them either. If they appear in live exploits, the cat and mouse game will just proceed to another level and life will go on.

    I haven't followed the Firefox extension exploits (ChromeInject) you mention since I don't use Firefox.

    I can't speak to your theories about bypassing SRP. I've not used them and in following the threads here, I don't think they are practical for the average home user. (Lucy and Tlu are experienced users). Perhaps that is why Microsoft did not make SRP available in the Home editions.

    Finally,

    From my viewpoint, the more I study INsecurity -- or lack of security -- the more optimistic I am about my own security and those whom I help, and how others who are knowledgeable can help those around them. This is doing something, at least.

    Security meaning more than just software, of course. I find myself emphasizing procedures and behavior with people rather than just products. Give them a Firewall, Opera, and teach them not to open Valentine Cards from email and the internet and you've closed a huge hole right there. Anything else they might need depends on their own situation, and there is no formula. It's not difficult to have a safe computing experience, as I've found over the years.

    Conficker needs nothing except a firewall -- and of course, the patch -- for the MS08-067 RPC variant, and procedures about USB take care of the other variant. No lockdown of the OS necessary, from my point of view. Just because there are millions of victims of conficker doesn't mean that I or others I help have to fear it, much less become a victim of it. There is nothing new about the two attack vectors that conficker uses. Remember the Sasser/Blaster worm, also RPC exploit (protected by Firewall); or the Switchblade USB exploits (protected by firm policies about USB use)? Those who understand this can make their family/friends aware, resulting in fewer victims. Why sit around and accept INsecurity as inevitable? Nothing changes that way.

    PDF exploits such as this current one are nothing new. If the vendor can't patch, and if the user can't create a workaround with the version he has, then get Foxit or your text reader. Those who understand this can make their family/friends aware, resulting in fewer victims. Again, why sit around and accept INsecurity as inevitable? Nothing changes that way.

    While my sympathy goes out to the millions of victims of malware infections, I've concluded that I can be responsible only for myself and those I help. Because I see more people with knowledge reaching out to their friends to advise, I am optimistic about security, in spite of what seems to be going on in the mainstream.

    regards,

    rich
     
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Kareldjag,

    What do you mean? They belong to HKLM, owned by administrators group, with no modification right to users... So, how to securely lock?

    Furthermore, how to restrict registry access to the user group in Vista home premium (without GPEdit)?
     
  10. tlu

    tlu Guest

    Disabling JavaScript does not prevent exploitation
     
  11. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,454
    Location:
    U.S.A.
    tlu, thank you for that link! Didn't think disabling JavaScript was the end-all. IMO, the integration of Adobe Air into Reader 9.0, with its connections to acrobat.com, and the capabilities of viewing SWF and FLV files inside PDFs, has opened a new can of worms for Adobe. I've been looking into Sumatra PDF as a lightweight alternative and so far, very pleased.
     
  12. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,


    It seems that recommendations given on Wilders are more serious and efficient than those provided by some sites.
    PDF threats are highly studied in France since it has been said that some European Gov. agencies have been compromised by doc. format trojans.
    And one of the most interesting studies available in English (there is another excellent one, but in French only) was presented by Eric Filiol at BlackHat 2008 (ah ah, take care! with more than 220 objects, the pdf might be infected :))

    http://www.blackhat.com/presentations/bh-europe-08/Filiol/Presentation/bh-eu-08-filiol.pdf


    Any good HIPS will for instance detect an attempt at Acrobat file modification, but as pointed out by Eric Filiol, it is suitable to set up file permission protection.

    As usual Rmus's post is full of common sense, but sorry, average users or not, anyone is responsible for his machine and security, and there is no particular sympathy to have for those infected via this exploit vector or any other way: public libraries are free to access in most countries and anyone can find the required information.
    The human factor is a part/variable of the security process, and users' ignorance is sometimes worse than software bugs.

    Lucy, sorry for my circumvolutions (circumlocutions?), but I do not wish to hijack this thread to another topic, so I will answer later in a more appropriate thread (Maximising Windows XP/Vista security...).
    As a GreyHat mind, I am convinced that we can't be a good defender if we're not already a good attacker... a mantra that is demonstrated by the Secunia team: elaborate a countermeasure, and then find a way to defeat and bypass it.

    Rgds
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi kareldjag,

    That BH study on PDF is very informative. It was posted in a discussion elsewhere earlier this year and I was interested in the description of the 'Potentially Dangerous PDF Functions.' The two most commonly used in exploits were javascript and URI. Both of these plug-ins are easily disabled in the Reader up to version 8, as I showed in an above post. This has taken care of exploits up until this current one. Fortunately, it doesn't affect the version I use, so it became a non-issue with me.

    As has been discussed elsewhere, the complex programming features in the newer versions are integrating everything so that the user is less able to configure the Reader as desired. Users have become captive, to a certain degree.

    I've not seen mentioned where these malicious PDF files in the current exploit were found. As far as I know, email has not been used to deliver them. So, how are people getting infected? Or has there not been a great outbreak of this exploit?

    I understand your feeling about my comments on user responsibility, and sympathy for victims. You are correct in a sense, yet we still can have some effect when we have the opportunity to work with others.

    ----
    rich
     
  14. kriebly

    kriebly Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    41
    Location:
    Northern California
  15. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,454
    Location:
    U.S.A.
    kriebly, there is nothing wrong with Black Hat - About Us.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Quickpost: /JBIG2Decode Trigger Trio

     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The only analysis I've seen is Symantec's I referred to earlier:

    http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-021212-5523-99
    Has any other analysis surfaced this week to indicate a different payload?
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In light of my previous post, those of you who use HIPS may want to review what explorer.exe is allowed to do. If you allow explorer.exe to run any executable without user interaction, then perhaps any executable can be downloaded and run by successfully exploited explorer shell extensions.
     
  19. kriebly

    kriebly Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    41
    Location:
    Northern California
    It just seems very ironic. :)
     
  20. Arup

    Arup Guest

  21. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Is there anyone else who's fed up with constantly updating Acrobat Reader ? :doubt:

    I think I'm at 8.1.something, javascript disabled. I find it really annoying to update/fix Acrobat Reader that often. I think I've given up. One more reason for not installing the latest version is what happens when you install a program like this (in the past: a startup link (detected by using Hijackthis) ActiveX (plural) that are installed but not needed, etc.)

    It's not as if I'm downloading and opening PDF files wantonly :ninja:
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    To add to the pain it doesn't seem to be available via auto update. So first I've been through computers disabling JavaScript on all of them, and now I need to manually install 9.1. Oh, the joys of life.
     
  23. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    The official announcement is here from Adobe, with a link to the 9.1 release
    http://blogs.adobe.com/psirt/2009/03/_adobe_reader_and_acrobat_91_u.html

    I have tested this last version remotely (pdf in browser) and locally (double click on pdf file) and the application does not crash anymore, but there is a pop-up alert that informs about "insufficient data for an image".
    It's important to remember that JavaScript deactivation does not prevent the exploit; this countermeasure will only mitigate the risks of remote code execution and drive-by download infection.
    From my quick tests, I would suggest unchecking the box in Edit -> Preferences -> Page Display -> Show large images: this will prevent the DoS of the application.

    Choosing an alternative to Adobe Reader is a very good idea, and Foxit Reader is not more secure than Adobe (remote code execution even with JavaScript disabled, and without any alert).
    The most interesting alternative is PDFX Viewer
    http://www.docu-track.com/home/prod_user/PDF-XChange_Tools/pdfx_viewer
    There is also ExpertPdf ( http://www.visagesoft.com/products/pdfreader/ ) and Drumlin reader ( http://www.drumlinsecurity.co.uk/ ), all free for personal use.
    As AVs are ineffective against exploits (only a few detect this exploit after several days), and as HIPS can only mitigate their impact (the honest Sandboxie and DefenseWall do not prevent this exploit for instance, nor the b//tch marketing HIPS PrevX), the main countermeasures are system hardening, caution, and information (vulnerability sites, official or underground).

    There is an online scan platform devoted to web-based malware that has not been mentioned by security blogs:
    http://wepawet.iseclab.org/index.php
    I've scanned some official PoC and personal files, and like any other scan service, this one does not provide a 100% guarantee.
    2 scans of PoC related to this exploit: the first one is the scan of the file, and the second one is the scan of the URL (nothing malicious is installed)
    http://wepawet.iseclab.org/view.php?hash=e74ecf86b06829942cafa5b661af04f8&type=js

    http://wepawet.iseclab.org/view.php?hash=0142cfe328258dbcdfbd037ae8e35f6b&t=1236195945&type=js

    Those who know Firefox add-ons can also detect infected pdf files and URLs as shown in the image.

    Ronjor is too nice and does not automatically remove any "100% off-topic blah blah", but I would say a big thanks to kriebly for his ironic and helpful contribution.

    Rgds
     


  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    In Foxit Reader, the exploit is only viable if the jbig2 plugin is installed.
    Without it, Foxit can't display images in that format.

    Mrk
     
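As an added example (not code from the thread or from any of the tools it links), a small Python triage script in the spirit of the /JBIG2Decode quickpost MrBrian linked above: it counts the PDF name tokens this thread keeps coming back to (the JBIG2 image filter that triggers the bug, and the JavaScript and automatic-action features posters recommend disabling) in two constructed sample files, after resolving the #xx name escapes that malformed files commonly use to hide such names. It only flags files for a closer look; it does not decode the JBIG2 stream or decide whether it is malformed.

```python
import re

# PDF name tokens the thread discusses: the /JBIG2Decode stream filter that
# triggers the bug, and the JavaScript / automatic-action features posters
# recommend disabling.  These are standard PDF syntax, not values from the page.
INDICATORS = (b"/JBIG2Decode", b"/JavaScript", b"/JS", b"/OpenAction",
              b"/AA", b"/Launch", b"/URI")

# A PDF name ends at whitespace or a delimiter; this lookahead keeps "/JS"
# from matching inside a longer name such as "/JSX".
NAME_END = rb"(?![^\s()<>\[\]{}/%])"
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated "/J#42IG2Decode" reads "/JBIG2Decode"."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(data: bytes) -> dict:
    """Count each indicator name in the escape-normalized PDF bytes."""
    normalized = normalize_names(data)
    return {name.decode(): len(re.findall(re.escape(name) + NAME_END, normalized))
            for name in INDICATORS}


def triage_pdf(data: bytes) -> dict:
    """Return indicator counts, how many names used #xx escapes, and a verdict."""
    counts = count_indicators(data)
    obfuscated = len(re.findall(rb"/[^\s()<>\[\]{}/%]*#[0-9A-Fa-f]{2}", data))
    has_jbig2 = counts["/JBIG2Decode"] > 0
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    auto_action = counts["/OpenAction"] + counts["/AA"] > 0
    # JBIG2 alone is worth a look (it is the trigger); script plus an automatic
    # action is what turns a crash into execution; escaped names are rare in
    # ordinary documents and a common evasion, so they also earn a review.
    suspicious = has_jbig2 or (has_js and auto_action) or obfuscated > 0
    return {"counts": counts, "obfuscated_names": obfuscated,
            "verdict": "review" if suspicious else "ok"}


# Constructed sample: a one-page PDF with an escape-obfuscated JBIG2 image
# filter and a catalog that runs JavaScript when the document opens.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 5 0 R >> >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /J#42IG2Decode /Length 0 >>
stream
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: an ordinary one-page text document with none of the features.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 36 >>
stream
BT /F1 12 Tf 72 720 Td (Hello) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(pdf))
```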
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    For a long time I have been searching for a pdf sample that will exploit a vulnerability and run some code with (and also) without buffer overflow.

    I am curious to test it with some sandboxes and HIPS. If anyone has a working sample, please PM me.

    Many thanks!
     