Comments on: Newish web-based PDF attack in the wild (with real exploit code) http://insecureweb.com/javascript/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/ Insight into web application security Wed, 16 Dec 2009 01:02:49 -0800 http://wordpress.org/?v=2.8.5 hourly 1 By: Mauvis http://insecureweb.com/javascript/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/comment-page-1/#comment-20 Mauvis Fri, 27 Feb 2009 20:10:14 +0000 http://insecureweb.com/?p=71#comment-20 Thanks for the heads up! Thanks for the heads up!

]]> By: russian http://insecureweb.com/javascript/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/comment-page-1/#comment-16 russian Wed, 25 Feb 2009 02:08:45 +0000 http://insecureweb.com/?p=71#comment-16 its old exploits, 1. Acrobat Reader v.8.1.1 Collab.collectEmailInfo() JavаScript Overflow 2. Acrobat Reader v.8.1.2 Util.printf() JavаScript Overflow its old exploits,

1. Acrobat Reader v.8.1.1 Collab.collectEmailInfo() JavаScript Overflow
2. Acrobat Reader v.8.1.2 Util.printf() JavаScript Overflow

]]> By: Mauvis Ledford http://insecureweb.com/javascript/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/comment-page-1/#comment-11 Mauvis Ledford Sun, 22 Feb 2009 00:17:49 +0000 http://insecureweb.com/?p=71#comment-11 Thanks for the info webDevil. If you look through the source in file 02, you'll see that there's actually 2 PDF's involved. I was only able to get the first before the site owner removed all traces of everything. Thanks for the info webDevil. If you look through the source in file 02, you’ll see that there’s actually 2 PDF’s involved. I was only able to get the first before the site owner removed all traces of everything.

]]> By: PDF: Поддержка UTF-8 в fpdf / zavackiy.info http://insecureweb.com/javascript/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/comment-page-1/#comment-10 PDF: Поддержка UTF-8 в fpdf / zavackiy.info Sat, 21 Feb 2009 23:53:16 +0000 http://insecureweb.com/?p=71#comment-10 [...] Newish web-based PDF attack in the wild (with real exploit code … [...] [...] Newish web-based PDF attack in the wild (with real exploit code … [...]

]]> By: (webbased) PDF Aanvallen! « Lost in the Noise http://insecureweb.com/javascript/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/comment-page-1/#comment-8 (webbased) PDF Aanvallen! « Lost in the Noise Sat, 21 Feb 2009 16:36:32 +0000 http://insecureweb.com/?p=71#comment-8 [...] Meer informatie is te vinden op DEZE WEBSITE [...] [...] Meer informatie is te vinden op DEZE WEBSITE [...]

]]> By: webDEViL http://insecureweb.com/javascript/newish-web-based-pdf-attack-in-the-wild-with-real-exploit-code/comment-page-1/#comment-7 webDEViL Sat, 21 Feb 2009 09:02:51 +0000 http://insecureweb.com/?p=71#comment-7 I was looking at the PDF you have submitted. It doesnt seem to be the one referenced here. It is using the old exploit collectEmailInfo overflow. Moreover the pdf is looking for only version 7 and 8 and not 9. var cdGh1aM = app.viewerVersion.toString(); cdGh1aM = cdGh1aM.replace(/\D/g,""); var mjZEr = new Array(cdGh1aM.charAt(0),cdGh1aM.charAt(1),cdGh1aM.charAt(2)); if ((mjZEr[0] == 8 && ((mjZEr[1] == 1 && mjZEr[2] < 2) || mjZEr[1] < 1)) || (mjZEr[0] == 7 && mjZEr[1] < 1) || (mjZEr[0] < 7)) I was looking at the PDF you have submitted.
It doesnt seem to be the one referenced here. It is using the old exploit collectEmailInfo overflow.
Moreover the pdf is looking for only version 7 and 8 and not 9.

var cdGh1aM = app.viewerVersion.toString();
cdGh1aM = cdGh1aM.replace(/\D/g,”");
var mjZEr = new Array(cdGh1aM.charAt(0),cdGh1aM.charAt(1),cdGh1aM.charAt(2));
if ((mjZEr[0] == 8 && ((mjZEr[1] == 1 && mjZEr[2] < 2) || mjZEr[1] < 1)) || (mjZEr[0] == 7 && mjZEr[1] < 1) || (mjZEr[0] < 7))

]]>