
Adobe PDF Exploit Code Analysis

02.25.2009 - 8:00 AM

Websense® Security Labs™ ThreatSeeker™ Network has been monitoring the malicious use of the now widely known zero-day vulnerability CVE-2009-0658 in Adobe Reader 8.x and 9.x since last week (see our earlier posts 1, 2 and 3). Adobe has published security bulletin APSA09-01 describing the vulnerability and has stated that a fix will be available by March 11th. We have categorized the sites that we have found hosting this exploit.

This vulnerability is a different one from the bug found in Adobe Reader at the end of last year (see Exploit Action with PDF OpenAction). Here the memory corruption happens while Reader parses a specially crafted JBIG2Decode image object. The shell code itself is placed in memory beforehand by JavaScript embedded in the same PDF, using the "heap spray" technique: the script allocates many large strings, each a NOP sled followed by the shell code, so that the address the corrupted code path ends up jumping to is very likely to hold executable code.

Embedded JBIG2 image stream in PDF file:


Adobe Reader (version 9.0.0) loaded the JBIG2 image stream with the following code in AcroRd32.dll (disassembly shown below):

The code below is the decoded source of the JavaScript object embedded in the PDF file. This script performs the heap spray that loads the shell code into memory.

The thread then jumped to the address held in EAX. As the picture below shows, EAX had been overwritten with the value 0x069d155c, an address inside the region that the embedded JavaScript had filled with its heap spray.

The shell code loaded as shown below:

Upon analysis, we determined that the shell code downloads a back door from a remote Web site.

The decompiled shell code is shown below:

 

Websense Messaging and Websense Web Security customers are protected against this attack. Websense will continue to keep an eye on the threat.

Security Researcher: Hermes (Lei) Li
