
Newish web-based PDF attack in the wild (with real exploit code)

February 19th, 2009

At work, a client recently contacted us about some random ads that were popping up on their site, interestingly enough through Adobe Acrobat. While I'm on a Mac and didn't experience the popups firsthand, I did pinpoint the problem to a hidden iframe located on the page. (The client is a news organization and the iframes were being added to the bottom of each news article, so either they suffered an SQL injection or the attacker got into their platform somehow.) It turns out the code was doing something more malicious than just displaying ads.

The source code for the ads was obfuscated to the max: first pulling out and decrypting a mix of character codes and archaic notations from a pair of hidden DOM elements, then assembling the exploit code and executing it. The whole process is processor intensive and took several seconds to run. The page even contains ids that are randomized each time you reload it, which I can only assume is meant to confuse prying eyes. A copy of that page here:

01_code_on_site.txt

Fortunately, there's no such thing as irreversible encryption in JavaScript. You can throw in all the evals and random variable names you want, but it only takes time to decode it. Use Firebug and you can skip the deciphering process entirely and just console.log the result right after the exploit code is assembled, right before it executes. That code is here (pretty printed courtesy of jsbeautifier):

02_rendered_js_code.txt
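To make the "log it right before it executes" step concrete, here is an added analysis harness written for this post (not code from the obfuscated page): it swaps the global eval for a recorder so the assembled stage is captured instead of run. The loader and its char-code payload are constructed stand-ins for the real one.

```javascript
// Recorded strings handed to eval() while the capture hook is installed.
const capturedEvalCalls = [];

// Replace the global eval with a recorder. With execute=false the captured
// code is never run, which is what you want when reading a staged loader.
function installEvalCapture(execute = false) {
  const realEval = globalThis.eval;
  globalThis.eval = function (code) {
    capturedEvalCalls.push(String(code));
    return execute ? realEval(code) : undefined;
  };
  return realEval;
}

// Put the engine's own eval back once analysis is done.
function restoreEval(realEval) {
  globalThis.eval = realEval;
}

// Constructed stand-in for the obfuscated page: the next stage is stored as
// a list of character codes and only assembled at run time.
const SAMPLE_CHAR_CODES = Array.from('alert("stage two")', (c) => c.charCodeAt(0));

function runSampleLoader() {
  const assembled = String.fromCharCode.apply(null, SAMPLE_CHAR_CODES);
  // The loader calls eval on the assembled text; with the hook installed the
  // identifier resolves to the recorder rather than the built-in eval.
  return eval(assembled);
}

// Run the loader under the hook and return what it tried to execute.
function analyzeLoader() {
  capturedEvalCalls.length = 0;
  const realEval = installEvalCapture(false);
  try {
    runSampleLoader();
  } finally {
    restoreEval(realEval);
  }
  return capturedEvalCalls.slice();
}
```

Real loaders often chain several eval/Function/document.write stages, so the same hook is re-applied to each captured stage until plain code comes out.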

The most interesting parts of the code are the functions pdf, pdf2, and pdf3, which try to detect whether you have the Adobe Acrobat plugin in your browser and then try to load the payload, a tainted PDF file, in your browser, followed by a second one. Other bits of the code try to run applications through Chrome.

Viewing the JavaScript-laden source code of the blank (on my machine) PDF document is what made me realize it did more than just ads (if it indeed did any ads at all):

03_actual_pdf_exploit.txt

Specifically, the code calls Collab.collectEmailInfo(), which Fortiguard Center indicates is an attempt to exploit a buffer overflow vulnerability in the Adobe PDF reader's JavaScript engine. Think rootkits, viruses, etc.

It’s late and I’m too tired to delve further, but I’m glad I got a copy of all the files (above), as the site in question has removed all traces of them.

I was going to hold off on posting this until I researched it a bit more, but seeing that The Register just posted about it, I figure others may be interested in delving through some real exploit code.

Update: Adobe has released a security bulletin warning users of this new vulnerability, which is found in both their Acrobat and Acrobat Reader products. This exploit is currently available in the wild.

Mauvis Ledford | JavaScript, Web Security

  1. webDEViL
    February 21st, 2009 at 01:02 | #1

    I was looking at the PDF you have submitted.
    It doesn't seem to be the one referenced here. It is using the old exploit collectEmailInfo overflow.
    Moreover the pdf is looking for only version 7 and 8 and not 9.

    // Read the viewer version (e.g. "8.1.1") and strip everything but digits
    var cdGh1aM = app.viewerVersion.toString();
    cdGh1aM = cdGh1aM.replace(/\D/g, "");
    // Major, minor and patch digits
    var mjZEr = new Array(cdGh1aM.charAt(0), cdGh1aM.charAt(1), cdGh1aM.charAt(2));
    // Only proceeds on 8.0.x or 8.1.0/8.1.1, on 7.0.x, or on anything below 7
    if ((mjZEr[0] == 8 && ((mjZEr[1] == 1 && mjZEr[2] < 2) || mjZEr[1] < 1)) || (mjZEr[0] == 7 && mjZEr[1] < 1) || (mjZEr[0] < 7)) {
        // body omitted in the comment
    }

  2. Mauvis Ledford
    February 21st, 2009 at 16:17 | #2

    Thanks for the info webDEViL. If you look through the source in file 02, you'll see that there are actually two PDFs involved. I was only able to get the first before the site owner removed all traces of everything.

  3. February 24th, 2009 at 18:08 | #3

    It's old exploits,

    1. Acrobat Reader v.8.1.1 Collab.collectEmailInfo() JavaScript Overflow
    2. Acrobat Reader v.8.1.2 Util.printf() JavaScript Overflow

  4. February 27th, 2009 at 12:10 | #4

    Thanks for the heads up!
