Discussion in 'other security issues & news' started by ronjor, Feb 20, 2009.
Zero day hole in Adobe Reader and Acrobat
A couple of analyses:
Nice flow chart here:
Pretty typical exploit where trojan executables attempt to download/run. The PDF file just acts as the triggering mechanism, as does a Flash file or autorun.inf file.
Note that this exploit does not target a browser.
Note also this comment:
Data Execution Prevention was introduced with WinXP SP2. Many other solutions exist including Software Restriction Policies which prevent unauthorized executables from running.
I do not know what IE is (Internet Extermination?), and since 2006, when I started focusing on PDF threats, I do not use Adobe anymore (the more a piece of software is "mass used", the more widely it is attacked or targeted).
BOs are highly difficult to prevent, even with the MS DEP feature.
And the problem becomes a little bit more complicated when the editor is known for its slow patching reactivity...
I give here just some advice drawn from my personal research.
For those who still use AAReader: harden the Adobe policy.
As the PostScript language is rich (isn't it, Rmus?), it's appropriate to limit the possibilities.
Disabling JavaScript in Adobe Reader can also be done from the registry.
And as malware can use an anti-policy routine to re-enable it, paranoid users should protect the key.
The fewer plugins and add-ons we install in the browser, the fewer malware/exploit "career opportunities" we give to attackers.
I personally download the PDF and use an alternative reader that opens the file as text:
I have a sample of GhostRat, and like any malware writing to disk, it can be caught by any serious HIPS.
And virtualization/sandbox-based HIPS that isolate the browser from the rest of the system are currently the most armored against drive-by download infections, exploit-based or not.
But much more difficult to detect is malware embedded in PDF files...
Long time no see!
Ah, yes, plug-ins can certainly be blamed for a lot of things. One reason they are popular for exploitation is that they are not browser specific. And potentially can work on other Operating Systems:
With Acrobat Reader the problem is compounded with plug-ins for the plug-in!
And your solution avoids the problem altogether. Also earlier today Foxit Reader users were asking at their forum if that Reader is vulnerable.
Do you mean block? Then why more difficult? They are just binaries like in any other exploit. In the current one, according to Trend Micro, 2 EXE and 1 DLL files identified as Ghost Backdoor trojans are dropped.
Several here have shown how SRP easily blocks EXE from unauthorized locations, and Lucy today showed SRP blocking the loading of a DLL. Coupled with running as a Limited User, this exploit has no chance.
Anyway, people with Readers vulnerable to this exploit need to do something now because as ronjor noted above, you will get no help from Adobe for several weeks:
For information purposes only, the Snort vulnerability team has released a kind of patch for Adobe:
But as usual, it's not recommended to accept any patch other than the original editor's.
The previous advice is already enough (more radical: uninstall Adobe and, until the official patch, read PDFs with a text-based reader).
Yes Rmus, long time, and as you have taken time in the past to answer my question about "European-looking cities" like Berkeley, I'll do the same and answer your dilemma about the choice of an anti-malware sufficiently efficient to counter this kind of remote execution (but more specifically by PM).
In fact the choice must not be based on a specific threat.
It's a multi-criteria game: tell me what kind of user you are, and I'll tell you what anti-malware you need!
I agree about system hardening and locking (least privilege, SRP, ACLs etc.); but we can't expect the average user to apply a strategy that even some sysadmins do not apply (the Conficker worm can easily be prevented by OS lockdown).
Moreover, SRP and default-deny strategies can be defeated (that's why I suggest locking the related policy keys), even under a user account (I have experimented with it, with and without some public PoCs). So it appears that a HIPS on a hardened (power/advanced/expert users) or non-hardened (average users) system is the easiest way to counter known and unknown malware.
Regarding remote execution, it is possible to block any PE executable that arrives via exploits (PDF, Flash, iframe etc.), but it's not always possible to block the execution of the exploit (shellcode) itself. Moreover, there are some stealth-by-design attacks and malware that limit their impact on the system: client/server-side threats mostly interact with the client application, which can be the IM tool but is mostly the browser.
Recent examples are browser malware ( http://www.gnucitizen.org/blog/browser-rootkits/ ) like ChromeInject ( http://www.bitdefender.com/VIRUS-1000451-en--Trojan.PWS.ChromeInject.B.html ) and mem-jacking attacks which try to modify the client application directly in memory.
If this kind of malware can be prevented (read-only permissions, HIPS), it's more difficult for the attack (and there's more, see the Trusteer site).
In the same way, an executable (malware.exe) dropped/bound in a document-format file (PDF, DOCX etc.) can be both detected when executing and prevented from executing (let's forget AV).
But malware can be malicious by using a scripting language (.js for instance), and it would be more difficult to detect with an AV or HIPS, as I have experimented with some PoCs and as suggested by SANS.
As a whitelist partisan myself, I guess that the most interesting whitelist HIPS is unfortunately for corporate use: http://www.savantprotection.com/
And finally, the more I study INsecurity, the less I believe in Security.
In fact, Security is never secure, mostly because it is impossible to totally control the process.
And if software has bugs and users have flaws, Insecurity is a non-predictable variable.
We can't know when, where, what and how!
Regarding my dilemma, it's been solved. It wasn't with me, but with a couple of friends thinking of getting new computers and worried that they were limited to Vista, meaning that Anti-Executable v.2 wouldn't work. It turns out that they can stay with XP after all.
I agree with your comment about Shell Code - it can do almost anything. This came up several years ago in the WMF exploit. Over in another forum where several showed blocking of the binary executable payload using various products, including SRP, someone compiled a WMF file where Shell Code launched the Windows Calculator, and said, "You see!"
Great! Yet to my knowledge, no WMF exploit ever surfaced that didn't download an executable. If malware authors can get a trojan onto the victim's computer and make it part of a botnet, that is where the money is, it seems. The current PDF exploit also downloads an executable.
The browser rootkit article you link to concludes,
That was 1 1/2 years ago. We'll wait and see! I don't ignore hypotheticals, but I don't lose sleep over them either. If they appear in live exploits, the cat and mouse game will just proceed to another level and life will go on.
I haven't followed the Firefox extension exploits (ChromeInject) you mention since I don't use Firefox.
I can't speak to your theories about bypassing SRP. I've not used them and in following the threads here, I don't think they are practical for the average home user. (Lucy and Tlu are experienced users). Perhaps that is why Microsoft did not make SRP available in the Home editions.
From my viewpoint, the more I study INsecurity -- or lack of security -- the more optimistic I am about my own security and that of those whom I help, and about how others who are knowledgeable can help those around them. This is doing something, at least.
Security meaning more than just software, of course. I find myself emphasizing procedures and behavior with people rather than just products. Give them a Firewall, Opera, and teach them not to open Valentine Cards from email and the internet and you've closed a huge hole right there. Anything else they might need depends on their own situation, and there is no formula. It's not difficult to have a safe computing experience, as I've found over the years.
Conficker needs nothing except a firewall -- and of course, the patch -- for the MS08-067 RPC variant, and procedures about USB take care of the other variant. No lockdown of the OS necessary, from my point of view. Just because there are millions of victims of conficker doesn't mean that I or others I help have to fear it, much less become a victim of it. There is nothing new about the two attack vectors that conficker uses. Remember the Sasser/Blaster worm, also RPC exploit (protected by Firewall); or the Switchblade USB exploits (protected by firm policies about USB use)? Those who understand this can make their family/friends aware, resulting in fewer victims. Why sit around and accept INsecurity as inevitable? Nothing changes that way.
PDF exploits such as this current one are nothing new. If the vendor can't patch, and if the user can't create a workaround with the version he has, then get Foxit or your text reader. Those who understand this can make their family/friends aware, resulting in fewer victims. Again, why sit around and accept INsecurity as inevitable? Nothing changes that way.
While my sympathy goes out to the millions of victims of malware infections, I've concluded that I can be responsible only for myself and those I help. Because I see more people with knowledge reaching out to their friends to advise, I am optimistic about security, in spite of what seems to be going on in the mainstream.
What do you mean? They belong to HKLM, owned by administrators group, with no modification right to users... So, how to securely lock?
Furthermore, how to restrict registry access to the user group in Vista home premium (without GPEdit)?
It seems that recommendations given on Wilders are more serious and efficient than those provided by some sites.
PDF threats are highly studied in France since it has been said that some European government agencies have been compromised by document-format trojans.
And one of the most interesting studies available in English (there is another excellent one, but in French only) was presented by Eric Filiol at BlackHat 2008 (ah ah, take care! with more than 220 objects, the PDF might be infected).
Any good HIPS will for instance detect an attempt at Acrobat file modification, but as pointed out by Eric Filiol, it is appropriate to set up file permission protection.
As usual Rmus's post is full of common sense, but sorry, average user or not, anyone is responsible for his machine and security, and there is no particular sympathy to have for those infected via this exploit vector or any other way: public libraries are free to access in most countries and anyone can find the required information.
The human factor is a part/variable of the security process, and user ignorance is sometimes worse than software bugs.
Lucy, sorry for my circumvolutions (circumlocutions?), but I do not wish to hijack this thread to another topic, so I will answer later in a more appropriate thread (Maximising Windows XP/Vista security...).
As a GreyHat mind, I am convinced that we can't be a good defender if we're not already a good attacker... a mantra that is demonstrated by the Secunia team: elaborate a countermeasure, and then find a way to defeat and bypass it.
As has been discussed elsewhere, the complex programming features in the newer versions are integrating everything so that the user is less able to configure the Reader as desired. Users have become captive, to a certain degree.
I've not seen mentioned where these malicious PDF files in the current exploit were found. As far as I know, email has not been used to deliver them. So, how are people getting infected? Or has there not been a great outbreak of this exploit?
I understand your feeling about my comments on user responsibility, and sympathy for victims. You are correct in a sense, yet we still can have some effect when we have the opportunity to work with others.
You're asking us to view a pdf hosted on a site called Black Hat....
kriebly, there is nothing wrong with Black Hat - About Us.
Quickpost: /JBIG2Decode Trigger Trio
The only analysis I've seen is Symantec's, which I referred to earlier:
Has any other analysis surfaced this week to indicate a different payload?
In light of my previous post, those of you who use HIPS may want to review what explorer.exe is allowed to do. If you allow explorer.exe to run any executable without user interaction, then perhaps any executable can be downloaded and run by successfully exploited explorer shell extensions.
It just seems very ironic.
Adobe has been updated to version 9.1 and the security issue has been patched up as of now.
Is there anyone else who's fed up with constantly updating Acrobat Reader?
It's not as if I'm downloading and opening PDF files wantonly.
The official announcement is here from Adobe, with a link to the 9.1 release
I have tested this latest version remotely (PDF in browser) and locally (double-click on the PDF file) and the application does not crash anymore, but there is a pop-up alert that informs about "insufficient data for an image".
It's important to remember that JavaScript deactivation does not prevent the exploit; this countermeasure will only mitigate the risks of remote code execution and drive-by download infection.
From my quick tests, I would suggest unchecking the box in Edit > Preferences > Page Display > Show large images: this will prevent the DoS of the application.
Choosing an alternative to Adobe Reader is a very good idea, and Foxit Reader is not more secure than Adobe (remote code execution even with JavaScript disabled, and without any alert).
The most interesting alternative is PDFX Viewer.
There is also ExpertPdf ( http://www.visagesoft.com/products/pdfreader/ ) and Drumlin reader ( http://www.drumlinsecurity.co.uk/ ), all free for personal use.
As AVs are ineffective against exploits (only a few detect this exploit after several days), and as HIPS can only mitigate their impact (the honest Sandboxie and DefenseWall do not prevent this exploit for instance, nor does the b//tch-marketing HIPS PrevX), the main countermeasures are system hardening, caution, and information (vulnerability sites, official or underground).
There is an online scan platform devoted to web-based malware that has not been mentioned by security blogs:
I've scanned some official PoCs and personal files, and like any other scan service, this one does not provide a 100% warranty.
2 scans of PoCs related to this exploit: the first one is the scan of the file, and the second one is the scan of the URL (nothing malicious is installed).
Those who know Firefox add-ons can also detect infected PDF files and URLs, as shown in the image.
Ronjor is too nice and does not automatically remove any "100% off-topic blah blah", but I would say a big thanks to kriebly for his ironic and helpful contribution.
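An added example, not code from anyone in this thread, of the kind of static triage that the JBIG2Decode analysis and the PDF-scanning add-ons mentioned above perform: it counts the suspicious PDF names in a file after undoing the #xx name escapes that malicious PDFs use to hide them, then reports which combinations are present. The sample PDF and the RULES table are constructed for this example.

```python
import re

# Constructed sample (not real malware): a minimal PDF skeleton carrying the
# indicators this thread's analyses point at, a /JBIG2Decode image stream and
# an /OpenAction that runs /JavaScript. The stream body is an empty placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 5 0 R >> >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /JBIG2Decode /Length 0 >>
stream
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Triage rules: which PDF names to count, and what their presence means. The
# JBIG2 filter is this exploit's trigger; the others are the usual script,
# auto-action, launch and embedded-file entries that turn a PDF into a dropper.
RULES = [
    (("/JBIG2Decode",), "JBIG2 image stream present"),
    (("/JavaScript", "/JS"), "embedded JavaScript"),
    (("/OpenAction", "/AA"), "automatic action on open"),
    (("/Launch", "/EmbeddedFile"), "launch action or embedded file"),
]
INDICATORS = tuple(n for names, _ in RULES for n in names)

def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_indicators(data: bytes) -> dict:
    """Return {name: occurrences} for every indicator, escapes normalized."""
    data = normalize_names(data)
    counts = {}
    for name in INDICATORS:
        # The name must end here, so /JS does not also match /JSomething.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        counts[name] = len(re.findall(pattern, data))
    return counts

def triage(data: bytes) -> list:
    """List the findings whose names occur; JBIG2 plus script is this exploit."""
    counts = count_indicators(data)
    return [msg for names, msg in RULES if any(counts[n] for n in names)]
```

Calling triage(open(path, "rb").read()) on a real file returns the same style of findings as triage(SAMPLE_PDF) does for the constructed sample.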
In Foxit Reader, the exploit is only viable if the jbig2 plugin is installed.
Without it, Foxit can't display images in that format.
For a long time I have been searching for a PDF sample that will exploit a vulnerability and run some code with (and also) without buffer overflow.
I am curious to test it with some sandboxes and HIPS. If anyone has a working sample, please PM me.