Update - 06/19/2012 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF Adobe PDF XDF encoded download attempt"; flow:to_client,established; flowbits:isset,file.xml; file_data; content:"JVBERi"; fast_pattern:only; content:"
Read more →Introduction On December 7th, Brandon provided his analysis of a malicious PDF (MD5: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9) which utilized an Adobe Reader 0day (leveraging a U3D vulnerability). After successful exploitation the PDF drops a windows exec...
Read more →This is a super short post, but I wanted to put it out there for those attempting to identify the specific bug and trigger for the exploit. My theory is that object 10 (see my earlier post) is the whole show. In other words, as long as you have th...
Read more →Before I went to bed last night I took a look at uploaded files to PDF X-RAY in hopes that Christmas would come early (CVE-2011-2462 in my reports) and was surprised when I came across a file with /U3D references. I snatched the file off the serve...
Read more →In the packing PDFs blog entry I mentioned that I created a tool for creating the documents I later released. At the time I decided that releasing the tool would not be in the best interest of everyone else, but then I thought of metasploit and th...
Read more →A couple weeks ago I came across a PDF file used in a targeted attack. I didn't have too much background information, but it appeared to have came from China and was using CVE2011-0611 to do its dirty work. The first thing that caught my eye about...
Read more →