AV Bypass for Malicious PDFs Using XDP

    June 15, 2012 • Uncategorized

    Update – 06/19/2012

    alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe PDF XDF encoded download attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"JVBERi"; fast_pattern:only; content:"<xdp:xdp"; nocase; content:"<pdf"; distance:0; nocase; content:"<document"; distance:0; nocase; content:"<chunk"; distance:0; nocase; content:"JVBERi"; within:500; nocase; metadata:service http, service imap, service pop3; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; reference:url,partners.adobe.com/public/developer/en/xml/xdp_2.0.pdf; classtype:misc-activity; sid:23166; rev:1;)

    Update – 06/17/2012

    I went and removed the little flamewar that was brewing to avoid any issues and also removed the comments that seemed to cause it all. If you have issues about responsible disclosure or have gripes with the post then email me. Comments that attempt to start problems will be removed. 

    Below in the comments of this posting is another link that describes this same issue, but it is dated back at the start of 2011. It’s unfortunate that this problem A) still exists and B) still has the same results with no detection by Anti-virus companies. 

    Here is code I used for testing. 

    https://gist.github.com/2942799

    Also, thanks to Abhijeet Hatekar for providing a snort signature to detect these files over the network:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XDF encoded PDF file transfer."; flow:established, to_client;content:"<xdp:xdp xmlns:xdp=";nocase;fast_pattern; content:"<pdf xmlns="; nocase; content:"<chunk>JVBERi0";nocase; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:100045;rev:1;)

    Original

    Earlier today I was passed an interesting PDF sample that wasn't a proper PDF, but instead an XDP. Opening the file launched Adobe Reader and successfully exploited my machine. The dropped files were nothing interesting in themselves; what stood out was how the file had been packaged, because that packaging was the reason for the limited detection. 

    I did some reading and stumbled upon the XDP specification. XDP is essentially a wrapper for PDF files so that they can be passed around as 100% XML files. Doing this ensures that web services or other programs can pull in PDF files in a structured way. Since XML can’t handle binary data, one must encode the PDF as a base64 stream. 

    The sample I came across this morning was great, but it was detected by one lone anti-virus engine. I figured I could take the heavy pint library and make something completely undetected. Using the drop news module I was able to quickly generate an encrypted PDF file using the old CVE-2009-4324 media.newplayer exploit with null shellcode. Uploading the file to VirusTotal resulted in 0/42 detections. 

    The exploit is old and the JS is not encoded; this should be fixed. If you are wondering how to defend against this on your network or in your inbox, look for XDP files. Of course, an attacker could simply change the extension and still trick the user, but only awareness can fix that. For those with DPI, look for the Adobe XDP namespace and the base64 blob inside it to identify the embedded PDF. 
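    As an added example (not code from the original post or from the gist linked above), here is a small Python triage helper that does on the host what the paragraph above suggests doing on the wire: it parses an XDP file, base64-decodes the <chunk> bodies, checks that the result really is a PDF, and hashes it so the embedded document can be handed to AV or a sandbox. The sample XDP is constructed inline and carries a harmless stub PDF; the namespace URIs are taken from Adobe's XDP specification.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: a minimal XDP wrapper around a tiny, harmless stub PDF.
# Note that base64("%PDF-") == "JVBERi0", the string both Snort rules key on.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
SAMPLE_XDP = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    '  <pdf xmlns="http://ns.adobe.com/xdp/pdf/">\n'
    '    <document>\n'
    '      <chunk>' + base64.b64encode(SAMPLE_PDF).decode() + '</chunk>\n'
    '    </document>\n'
    '  </pdf>\n'
    '</xdp:xdp>\n'
).encode()


def extract_embedded_pdf(xdp_bytes: bytes) -> Optional[bytes]:
    """Return the PDF carried inside an XDP document, or None if there is none.

    Walks every <chunk> element regardless of namespace, strips whitespace
    (chunk bodies may be line-wrapped), decodes each piece and concatenates
    them in document order so multi-chunk files are handled too.
    """
    try:
        root = ET.fromstring(xdp_bytes)
    except ET.ParseError:
        return None
    if root.tag.split("}")[-1] != "xdp":
        return None
    pieces = []
    for el in root.iter():
        if el.tag.split("}")[-1] == "chunk" and el.text:
            try:
                pieces.append(base64.b64decode("".join(el.text.split()), validate=True))
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
    return b"".join(pieces) if pieces else None


def triage(xdp_bytes: bytes) -> dict:
    """Summarise an XDP: whether a real PDF is inside, its size and SHA-256."""
    pdf = extract_embedded_pdf(xdp_bytes)
    if pdf is None:
        return {"embedded_pdf": False}
    return {
        "embedded_pdf": pdf.startswith(b"%PDF"),
        "size": len(pdf),
        "sha256": hashlib.sha256(pdf).hexdigest(),
    }
```

    The decoded bytes, not the XDP wrapper, are what should be submitted to the scanner: that is the layer the XML encoding was hiding from it.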
