We came across some samples, and some vendor claims that these samples were exploiting the new PDF vulnerability CVE-2008-2641.
We took a look at this issue and found that this is not the case: the samples are still exploiting the old vulnerability CVE-2007-5659, a buffer overflow in the JavaScript function Collab.collectEmailInfo in Adobe Reader's own JavaScript engine.
The JavaScript itself was compressed inside the PDF file. After decompressing the content, it turned out to be obfuscated JavaScript. After digging through the obfuscated code, the real exploit was found encrypted in a long string. A function decrypts that string into the real exploit code and then passes it to eval().
It's interesting that the function uses its own source code (arguments.callee) as part of the key to decrypt the real exploit code, so simply replacing eval() with "alert" or "document.write" to dump the decrypted exploit won't work: the text "eval()" is itself part of the key, and editing it changes the key. It's an interesting way to obfuscate the exploit code and keep security researchers from reaching the real exploit, almost like a "self-checksum" mechanism.
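The following is an added toy reproduction of that self-checksum mechanism, written for this post as an illustration; it is not the sample's code and uses a harmless expression in place of the exploit string. The decoder derives its XOR key from its own source text (a named self-reference here, which is the same idea as the sample's arguments.callee and also works in strict mode). The first helper shows why editing the script so that eval becomes alert yields garbage, and the second shows the approach an analyst uses instead: leave the script untouched and hook the eval sink at runtime, so the function source, and therefore the key, stays intact. All function and constant names are this example's own.

```javascript
// Constructed example, not the malware's code. The decoder keys on its own
// source text, so any textual edit (e.g. eval -> alert) changes the key.

// FNV-1a style rolling checksum over a string; returns a 32-bit unsigned integer.
function checksum(text) {
  let h = 2166136261;
  for (let i = 0; i < text.length; i++) {
    h = Math.imul(h ^ text.charCodeAt(i), 16777619) >>> 0;
  }
  return h;
}

// XOR every character with a byte taken from the 32-bit key and hex-encode it.
function xorHex(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const k = (key >>> ((i % 4) * 8)) & 0xff;
    out += (text.charCodeAt(i) ^ k).toString(16).padStart(2, "0");
  }
  return out;
}

// Inverse of xorHex: decode the hex string with the same key.
function unxorHex(hex, key) {
  let out = "";
  for (let i = 0; i < hex.length / 2; i++) {
    const k = (key >>> ((i % 4) * 8)) & 0xff;
    out += String.fromCharCode(parseInt(hex.substr(i * 2, 2), 16) ^ k);
  }
  return out;
}

// The decoder: key = checksum of its own source, then eval the decrypted string.
// The sample used arguments.callee; the named self-reference is equivalent.
function decoder(encoded) {
  const key = checksum(decoder.toString());
  return eval(unxorHex(encoded, key));
}

// Harmless stand-in for the exploit string (constructed).
const PAYLOAD = "1 + 1 === 2 ? 'payload ran' : 'wrong key'";
const ENCODED = xorHex(PAYLOAD, checksum(decoder.toString()));

// Naive approach: edit the script text so eval becomes alert.
// The decoder's source changes, so the derived key no longer matches.
function decodeWithEditedSource() {
  const edited = decoder.toString().replace("eval(", "alert(");
  return unxorHex(ENCODED, checksum(edited));
}

// Analyst approach: leave the script untouched and hook the eval sink at
// runtime. The decoder's source is unchanged, so the key still matches, and
// the hook records the decrypted code instead of executing it.
function captureViaEvalHook() {
  const realEval = globalThis.eval;
  let captured = null;
  globalThis.eval = (code) => { captured = code; return undefined; };
  try {
    decoder(ENCODED);
  } finally {
    globalThis.eval = realEval; // always restore the real eval
  }
  return captured;
}
```

Run as a script, `decoder(ENCODED)` evaluates the payload and returns 'payload ran', `decodeWithEditedSource()` returns an unreadable string, and `captureViaEvalHook()` returns the exact decrypted payload text without executing it. The lesson for analysis is to intercept the sink rather than rewrite the script: any change to the bytes of the decoder function is visible to it.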
After we figured out how to recover the real JavaScript exploit code, we found that it exploits CVE-2007-5659 reliably using a heap spray technique.
Some vendors claim that the exploit works on lower versions but crashes 8.1.2. This is not the case: the heap spray can take some time to fill memory, and during that period we observed that Adobe Reader stopped responding, but it did not crash. After a couple of minutes it returned to normal and popped up a dialog box, "Send by Email for review". In short, Adobe Reader 8.1.2 appears to be immune to this exploit, as Adobe has already patched this vulnerability.