
Exploit Action with PDF OpenAction

10.12.2008 - 1:15 PM

We have noticed that the latest PDF exploit is becoming a hot topic and more people are talking about it. When a user opens a maliciously crafted PDF document, the payload executes automatically and downloads another malicious file from the Internet, which is then executed. The payload is actually not triggered directly by the vulnerability used in the exploit, but by a PDF tag called OpenAction, which specifies an action to be performed when the document is opened.

In this case, the JavaScript function VMNoZ7dbNsRz9 runs automatically when the PDF document is opened. At first glance, we could not find the function body of VMNoZ7dbNsRz9 anywhere in the file, but we soon discovered why: the function had been compressed with zlib.


We can decompress it with the following Perl code:


The results are still encoded: 


After several rounds of decoding, we discovered that the payload triggers the download of another PDF or a binary file for execution, depending on the variant.


Investigating deeper, we found that the exploit relies on a buffer overflow in Collab.collectEmailInfo(), which is not a new discovery.


There exist a few variants of this exploit by now, and we believe that more will surface, since all the evidence we have collected shows that these samples were created by some kind of toolkit.


So far, we have only seen samples in the wild that use the OpenAction tag to trigger the payload, but according to the PDF specification there are many other ways to accomplish the same task. For example, with the Launch tag an application can be designated to be launched when the document is opened or printed. As another example, the mailto scheme can be abused in the URI tag.
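The following Python triage helper is an added example, not the author's Perl code from the post: it follows /OpenAction to the JavaScript action, inflates the FlateDecode (zlib) stream that hides the function body, and flags the other auto-run hooks named above (Launch and URI) together with the Collab.collectEmailInfo() call. The PDF is a constructed sample built inline; only the function name is borrowed from the post, and the parser is deliberately triage-grade (no xref table, object streams or filters other than FlateDecode).

```python
import re
import zlib

# Constructed sample (not a real-world file): /OpenAction -> JavaScript action -> zlib stream.
JS_SRC = b"function VMNoZ7dbNsRz9() { app.alert('constructed sample'); } VMNoZ7dbNsRz9();"
JS_DEFLATED = zlib.compress(JS_SRC)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    + b"3 0 obj << /Type /Action /S /JavaScript /JS 4 0 R >> endobj\n"
    + b"4 0 obj << /Length " + str(len(JS_DEFLATED)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + JS_DEFLATED + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)

def parse_objects(pdf: bytes) -> dict:
    """Map object number -> raw body. Triage-grade: no xref, object streams or other filters."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}

def resolve(objs: dict, value: bytes) -> bytes:
    """Follow an indirect reference 'n g R' to its object body; return direct values unchanged."""
    m = re.fullmatch(rb"\s*(\d+)\s+\d+\s+R\s*", value)
    return objs[int(m.group(1))] if m else value

def stream_data(body: bytes) -> bytes:
    """Return a stream object's payload (sliced by a direct /Length), inflating /FlateDecode."""
    start, length = re.search(rb"\bstream\r?\n", body), re.search(rb"/Length\s+(\d+)", body)
    if not start or not length:
        return b""
    data = body[start.end():start.end() + int(length.group(1))]
    return zlib.decompress(data) if b"/FlateDecode" in body else data

def openaction_javascript(pdf: bytes):
    """Return the script that /OpenAction runs (literal or stream), or None if there is none."""
    objs = parse_objects(pdf)
    hit = next((re.search(rb"/OpenAction\s*(\d+\s+\d+\s+R|<<[^<>]*>>)", b)
                for b in objs.values() if b"/OpenAction" in b), None)
    action = resolve(objs, hit.group(1)) if hit else b""     # the action dictionary
    js = re.search(rb"/JS\s*(\d+\s+\d+\s+R|\(.*?\))", action, re.S)
    if b"/JavaScript" not in action or js is None:
        return None
    if js.group(1).startswith(b"("):                         # inline literal string (no unescaping)
        return js.group(1)[1:-1]
    return stream_data(resolve(objs, js.group(1)))           # indirect: usually a compressed stream

def triage(pdf: bytes) -> dict:
    """Quick flags: auto-run JS, the API the post ties to the overflow, other auto-run hooks."""
    script = openaction_javascript(pdf) or b""
    return {"openaction_js": bool(script), "collab_collectemailinfo": b"collectEmailInfo" in script,
            "launch_action": b"/Launch" in pdf, "uri_action": b"/URI" in pdf}
```

On the sample, `openaction_javascript(SAMPLE_PDF)` returns the inflated function source and `triage(SAMPLE_PDF)` flags only the auto-run JavaScript; a document with no OpenAction yields `None`.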

Security Researcher: Tim Xia
