• Posts Tagged ‘CVE-2011-2462’

    Demystifying zfkeymonitor.exe

    by  • February 2, 2012 • Uncategorized

Update: Upon further analysis of this and other files that appeared related, this dropper appears to be a modified version of zxshell. Thanks to Binjo for the translation help and Nick Bloor for assisting with testing and analyzing zfkeymonitor.e...


    AESv3 CVE-2011-2462 Analysis

    by  • December 19, 2011 • Uncategorized

    Update: I added in some comments to the Origami library to show me the password used to encrypt the documents. The user encryption password used for the samples I have was a null password. If you would like the modified library, email me. In one o...


    Analyzing CVE-2011-2462 – Part Three

    by  • December 10, 2011 • Uncategorized

    There is no honor amongst thieves and malicious code writers are no different. Why would anyone go through all the work of writing an exploit from scratch when there is a good amount of boilerplate available? When I first took a look at this 0day ...


    Analyzing CVE-2011-2462 0-Day: Part2

    by  • December 10, 2011 • Uncategorized

Introduction On December 7th, Brandon provided his analysis of a malicious PDF (MD5: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9) which utilized an Adobe Reader 0day (leveraging a U3D vulnerability). After successful exploitation the PDF drops a Windows exec...


    Recycling U3D Object Contents

    by  • December 7, 2011 • Uncategorized

    This is a super short post, but I wanted to put it out there for those attempting to identify the specific bug and trigger for the exploit. My theory is that object 10 (see my earlier post) is the whole show. In other words, as long as you have th...


    Analyzing CVE-2011-2462 – Part One

    by  • December 7, 2011 • Uncategorized

    Before I went to bed last night I took a look at uploaded files to PDF X-RAY in hopes that Christmas would come early (CVE-2011-2462 in my reports) and was surprised when I came across a file with /U3D references. I snatched the file off the serve...

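Two of the excerpts above describe triage steps a practitioner would want to reproduce: the Part One post found the sample by spotting /U3D references in uploaded files, and the AESv3 post had to recover the (null) user password before the encrypted streams could be inspected. The script below is an added example written for this page, not code from the posts or from PDF X-RAY or Origami. It scans raw PDF bytes for objects carrying the /U3D name and reports whether the document is protected by the standard security handler with /V 5 /R 5 (AESv3, the AES-256 scheme added in Adobe Extension Level 3). The point worth knowing is that PDF encryption covers strings and streams but not names, so a /U3D check works on an encrypted sample without any password, whereas analysing the stream contents (the trigger itself) requires decrypting first. The sample PDF is constructed inline and contains no exploit; the object number 10 is chosen only to echo the posts.

```python
import re

# Constructed sample: a minimal PDF skeleton (no real U3D data, no exploit)
# with a /U3D stream as object 10 and an AESv3 /Encrypt dictionary as object 11.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
10 0 obj
<< /Type /3D /Subtype /U3D /Length 4 >>
stream
XXXX
endstream
endobj
11 0 obj
<< /Filter /Standard /V 5 /R 5 /Length 256 /CF << /StdCF << /CFM /AESV3 >> >> >>
endobj
trailer
<< /Root 1 0 R /Encrypt 11 0 R >>
%%EOF
"""

# "N G obj ... endobj" for every indirect object (good enough for triage;
# object streams would need decompression first).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)


def find_u3d_objects(pdf: bytes) -> list:
    """Return the numbers of all indirect objects whose dictionary carries the
    /U3D name. Names are never encrypted by the standard security handler,
    so this works on protected files without the password."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        num, body = m.group(1), m.group(3)
        if re.search(rb"/U3D\b", body):
            hits.append(int(num))
    return hits


def encryption_info(pdf: bytes):
    """Return {'V', 'R', 'cfm', 'aesv3'} for the /Encrypt dictionary referenced
    from the trailer, or None when the file is not encrypted."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+\d+\s+R\b", pdf)
    if ref is None:
        return None
    num = ref.group(1)
    obj = re.search(rb"(?<![0-9])" + num + rb"\s+\d+\s+obj\b(.*?)\bendobj", pdf, re.S)
    if obj is None:
        return None
    body = obj.group(1)
    v = re.search(rb"/V\s+(\d+)", body)
    r = re.search(rb"/R\s+(\d+)", body)
    cfm = re.search(rb"/CFM\s*/(\w+)", body)
    info = {
        "V": int(v.group(1)) if v else None,
        "R": int(r.group(1)) if r else None,
        "cfm": cfm.group(1).decode() if cfm else None,
    }
    # /V 5 /R 5 is the AESv3 (AES-256) revision introduced with Extension Level 3.
    info["aesv3"] = info["V"] == 5 and info["R"] == 5
    return info


def triage(pdf: bytes) -> dict:
    """Summarise what can be learned without decrypting anything."""
    return {
        "u3d_objects": find_u3d_objects(pdf),
        "encryption": encryption_info(pdf),
        # Stream bodies are ciphertext when encrypted, so trigger analysis
        # must wait until the document has been decrypted (null user password
        # or otherwise).
        "streams_readable": encryption_info(pdf) is None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run the script as-is on the constructed sample, or swap `SAMPLE_PDF` for the bytes of a suspect file; a non-empty `u3d_objects` list together with `aesv3: True` is the combination the AESv3 post describes, and `streams_readable: False` is the reminder that the next step is decryption, not string-dumping.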