Sécurité Proactive

Use-after-free vulnerability in Adobe

2010-02-02 [Exploit analysis]

General information

A new vulnerability was recently discovered in Adobe Reader and Acrobat 9.2 and earlier versions (CVE-2009-4324). It resides in the Doc.media.newPlayer method and is a use-after-free that can allow an attacker to execute arbitrary code.

Use-after-free

A use-after-free (also called a premature free) occurs when memory is deallocated but a pointer to it is still used afterwards, as shown in the example below:

Fig1 Use-after-free
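Since the figure is not reproduced here, the same pattern is shown below as an added C example, written for this edit and not taken from the original post or from Adobe's code. It uses a tiny toy allocator so that a freed chunk is deterministically handed back to the next same-size allocation, which is the heap behaviour a use-after-free exploit relies on; the allocator, the `struct player` layout and the handler names are assumptions chosen for illustration, not details of the real player object.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy allocator: fixed-size chunks carved from one malloc'd arena and a LIFO
 * free list, so "free, then allocate the same size" deterministically hands
 * back the chunk just freed, the way a real allocator's size-class bin often
 * does. It is a stand-in for the real heap, not a model of any specific one. */
#define CHUNK_SIZE 32
#define NCHUNKS 8

static unsigned char *arena = NULL;
static int free_stack[NCHUNKS];
static int free_top = 0;

static void *toy_alloc(void) {
    if (!arena) {
        arena = malloc((size_t)NCHUNKS * CHUNK_SIZE);
        if (!arena) return NULL;
        for (int i = NCHUNKS - 1; i >= 0; i--) free_stack[free_top++] = i;
    }
    if (free_top == 0) return NULL;
    return arena + (size_t)free_stack[--free_top] * CHUNK_SIZE;
}

static void toy_free(void *p) {
    int idx = (int)(((unsigned char *)p - arena) / CHUNK_SIZE);
    free_stack[free_top++] = idx;       /* chunk goes back on top: next alloc reuses it */
}

/* Assumed object shape: a function pointer first (like a vtable pointer),
 * then some state. */
typedef void (*handler_t)(void);
struct player {
    handler_t on_event;
    uint32_t state;
};

static int hijacked_calls = 0;
static void benign_handler(void) { }
static void attacker_handler(void) { hijacked_calls++; }   /* stands in for shellcode */

/* Vulnerable flow: p is freed, the same-size chunk is handed to attacker-
 * controlled data (in the PDF, JavaScript spraying bytes into the freed
 * slot), and the stale p is then used. Returns 1 if the dispatch reached
 * attacker_handler, i.e. control flow was hijacked. */
static int use_after_free_demo(void) {
    struct player *p = toy_alloc();
    if (!p) return -1;
    p->on_event = benign_handler;
    p->state = 1;

    toy_free(p);                          /* object released, pointer kept (the bug) */

    unsigned char *spray = toy_alloc();   /* the same chunk comes back */
    handler_t fake = attacker_handler;
    memcpy(spray, &fake, sizeof fake);    /* attacker overwrites the function-pointer slot */

    int before = hijacked_calls;
    p->on_event();                        /* dangling dispatch */
    toy_free(spray);
    return (spray == (unsigned char *)p) && (hijacked_calls - before == 1);
}

/* Hardened flow: the reference is cleared when the object is freed and
 * checked before dispatch, so the reallocation is harmless. Returns 0 when
 * no hijack happened. */
static int fixed_demo(void) {
    struct player *p = toy_alloc();
    if (!p) return -1;
    p->on_event = benign_handler;
    toy_free(p);
    p = NULL;                             /* no dangling reference survives the free */

    unsigned char *spray = toy_alloc();
    handler_t fake = attacker_handler;
    memcpy(spray, &fake, sizeof fake);

    int before = hijacked_calls;
    if (p) p->on_event();                 /* skipped */
    toy_free(spray);
    return hijacked_calls - before;
}

int main(void) {
    printf("use-after-free: hijacked=%d\n", use_after_free_demo());
    printf("fixed:          hijacked=%d\n", fixed_demo());
    return 0;
}
```

The toy allocator never actually returns the chunk to the C runtime, so the stale dereference is deterministic and the compiler cannot optimise it away; with a real heap the same sequence is undefined behaviour whose outcome depends on the allocator's bin layout, which is exactly what the JavaScript in the PDF has to arrange.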


Static analysis

After decompressing the malicious PDF's streams with pdftk.exe we can recover the complete embedded JavaScript code.

Fig2 vulnerable function


The code marked in the red box calls the vulnerable function (Doc.media.newPlayer), so it is clear that this malicious PDF document is exploiting CVE-2009-4324.

After arranging the shellcode bytes in the proper order we get the following shellcode:

Fig3 Shellcode


The shellcode is only 38 bytes long. It searches memory for the dword 0x58905090, starting at address 0x2020300, and jumps to it once it is found. Written out as bytes, 58 90 50 90 is POP EAX, NOP, PUSH EAX, NOP; stored little-endian in memory it reads NOP, PUSH EAX, NOP, POP EAX. Either way the marker is stack-neutral and harmless to execute, so control can land directly on it.

So the first stage is an egg hunter: it searches for the second part of the shellcode and then jumps to it (jmp edx). The second part must therefore be embedded in one of the objects of the PDF document, and we find it in object 3, as shown in the figure below.

Fig4 Shellcode 2 - FlateDecode


Object 3 is declared as a colour object with the FlateDecode filter. The bytes marked in the red box are the start of the second part of the shellcode. Object 3 is corrupted, but Adobe Reader still maps it into memory, which is all the first stage needs in order to find it.

Disassembly of the second part of shellcode is shown below.

Fig5 Shellcode disassembly


The code contains an XOR loop that decrypts 0x4A6 bytes and then jumps to the decrypted code.
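To make the two-stage flow concrete, here is an added C example, written for this edit and not part of the original analysis, that implements the logic of both stages over a constructed in-memory image: the first-stage search for the 0x58905090 marker described above, then the second-stage XOR decode of the bytes that follow it. The image layout, the one-byte key 0x5A and the 12-byte decoder-stub placeholder are assumptions; the post does not give the key or the exact layout, and the real decoder runs over 0x4A6 bytes rather than over a short string.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Marker hunted by the 38-byte first stage. Stored little-endian it is the
 * byte sequence 90 50 90 58 = NOP, PUSH EAX, NOP, POP EAX: stack-neutral, so
 * the jump can land on the marker itself and fall through into stage 2. */
#define EGG 0x58905090u
static const unsigned char EGG_BYTES[4] = {0x90, 0x50, 0x90, 0x58};

/* Assumed values (not given in the post): a one-byte XOR key and the size of
 * the decoder stub that sits between the marker and the encoded body. */
#define XOR_KEY 0x5Au
#define STUB_LEN 12

/* Stage 1: scan [base, base+len) one byte at a time, reading each unaligned
 * dword little-endian as x86 does, and return the first match or NULL. */
static const unsigned char *hunt_egg(const unsigned char *base, size_t len, uint32_t egg) {
    for (size_t i = 0; i + 4 <= len; i++) {
        uint32_t v = (uint32_t)base[i] | (uint32_t)base[i + 1] << 8 |
                     (uint32_t)base[i + 2] << 16 | (uint32_t)base[i + 3] << 24;
        if (v == egg) return base + i;
    }
    return NULL;
}

/* Stage 2 decoder loop: XOR a fixed-length body in place (0x4A6 bytes in the
 * sample; here the length comes from the caller). */
static void xor_decode(unsigned char *body, size_t len, unsigned char key) {
    for (size_t i = 0; i < len; i++) body[i] ^= key;
}

/* Constructed memory image standing in for the mapped object stream: filler
 * bytes, then the marker, a decoder-stub placeholder, then the encoded body
 * (plaintext plus its NUL, XORed with the key). Returns the image length and
 * stores the encoded body length in *body_len; 0 if it does not fit. */
static size_t build_image(unsigned char *img, size_t cap, const char *plain, size_t *body_len) {
    size_t plen = strlen(plain) + 1;
    size_t junk = 37;                          /* arbitrary offset so the egg is not at 0 */
    size_t total = junk + 4 + STUB_LEN + plen;
    if (total > cap) return 0;
    memset(img, 0xCC, total);                  /* INT3 filler: landing here would trap */
    memcpy(img + junk, EGG_BYTES, 4);
    memset(img + junk + 4, 0x90, STUB_LEN);    /* stand-in for the decoder bytes */
    for (size_t i = 0; i < plen; i++)
        img[junk + 4 + STUB_LEN + i] = (unsigned char)plain[i] ^ XOR_KEY;
    *body_len = plen;
    return total;
}

/* Run both stages: hunt the marker, locate the encoded body behind the stub,
 * decode it in place, and return the decoded C string (NULL if no egg or if
 * the body would run past the image). */
static const char *run_stages(unsigned char *img, size_t len, size_t body_len) {
    const unsigned char *egg = hunt_egg(img, len, EGG);
    if (!egg) return NULL;
    size_t body_off = (size_t)(egg - img) + 4 + STUB_LEN;
    if (body_off + body_len > len) return NULL;
    xor_decode(img + body_off, body_len, XOR_KEY);
    return (const char *)(img + body_off);
}

/* Offset at which the hunter finds the marker in a freshly built image. */
static long demo_egg_offset(void) {
    unsigned char img[256];
    size_t bl;
    size_t n = build_image(img, sizeof img, "x", &bl);
    const unsigned char *e = hunt_egg(img, n, EGG);
    return e ? (long)(e - img) : -1;
}

/* 1 if the two stages recover exactly the plaintext that was encoded. */
static int demo_decoded_matches(const char *plain) {
    unsigned char img[256];
    size_t bl;
    size_t n = build_image(img, sizeof img, plain, &bl);
    const char *out = run_stages(img, n, bl);
    return out && strcmp(out, plain) == 0;
}

int main(void) {
    printf("egg found at offset %ld\n", demo_egg_offset());
    printf("decode ok: %d\n", demo_decoded_matches("second stage body"));
    return 0;
}
```

Reading the candidate dword byte by byte keeps the search correct at any alignment and on any host endianness, which matters because the second stage lives inside a FlateDecode'd stream whose position in memory is not known in advance; the filler is 0xCC so that a wrong jump target traps immediately rather than executing garbage.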

Payload

The decrypted payload drops two files into the %TEMP% folder; both are embedded in the PDF document itself. It then executes SUCHOST.EXE and opens baby.pdf.

[File System Changes]
* %TMP%\SUCHOST.EXE
* %TMP%\baby.pdf

Reference:

http://extraexploit.blogspot.com/search/label/CVE-2009-4324 
http://blog.bkis.com/new-javascript-processing-vulnerability-in-adobe-reader-and-adobe-acrobat/
http://acm.mst.edu/reversing/?p=41