Leveraging Adobe JavaScript Virtual Machine
1. Leveraging Adobe JavaScript Virtual Machine
Zhijie Chen
Engineering Research Center of Information Security, ICST, PKU
May 15, 2009
JoYAN
2. Contents
1 About Adobe Javascript
2 Exploits Overview
3 Try It Out!
4 Samples In the Wild
4. What can it do?
Adobe Javascript
Adobe JavaScripts can be created for batch processing of multiple documents, processing within a single document, processing for a given page, and processing for a single form field...
Customize the behavior of a particular PDF document.
Customize Acrobat itself.
Implement security policies.
Interact with databases and web services.
Dynamically alter the appearance of a PDF document.
Capture user-entered data from form fields.
Submit those data through SOAP-based Web Services.
Support for online team review.
5. Adobe JS Objects
Acrobat JavaScript defines several objects that allow your code to interact with Acrobat, a PDF document, or form fields within a PDF document.
Object      Purpose
app         Acrobat
doc         PDF document
dbg         JavaScript debugger
console     JavaScript console
global      Persistent and cross-document information
util        JavaScript utility methods
dialog      Adobe Dialog Manager (ADM)
security    Encryption and digital signatures
SOAP        Web Services
search      Searching and indexing
ADBC        Database connections and queries
event       JavaScript events
6. Tools I use for manipulating PDF files
pdftk: PDF toolkit. “If PDF is electronic paper, then pdftk is an electronic staple-remover, hole-punch, binder, secret-decoder-ring, and X-Ray-glasses.”
Scribus: Open Source Desktop Publishing.
8. Adobe PDF Exploit List
Exploits List from Milw0rm
Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
Adobe Acrobat Reader JBIG2 Universal Exploit Bind Shell port 5500
Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit
Adobe Acrobat Reader <= 8.1.2 Malformed PDF Remote DOS PoC
Adobe Reader plug-in AcroPDF.dll 8.0.0.0 Resource Consumption
Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability
Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service
9. Leveraging Type I
Play with the bugs when invoking a built-in function/method within the Javascript context.
Easy to trigger and exploit.
10. Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit
http://milw0rm.com/exploits/8570
11. Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit
http://milw0rm.com/exploits/8569
Not a stack overflow?
12. Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
http://milw0rm.com/exploits/7006
http://milw0rm.com/exploits/6994
13. Adobe Acrobat Reader 8.1.2 – 9.0 getIcon() Memory Corruption Exploit
http://milw0rm.com/exploits/8595
Affected Version : Acrobat Reader 8.1.2 - 9.0
Tested On : XP SP2 / SP3
Description : This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required in that a user must visit a malicious web site or open a malicious file. The specific flaw exists when processing malicious JavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon() method of a Collab object, proper bounds checking is not performed resulting in a stack overflow.
Failed to uncompress it :(
14. Leveraging Type II
Play with the bugs when parsing a malformed PDF file.
Only use the javascript to perform a heapspray.
15. Adobe Acrobat Reader JBIG2 Local Buffer Overflow
http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.h
http://milw0rm.com/exploits/8099
http://milw0rm.com/exploits/8280
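
A static triage sketch for the Type I and Type II classes above, added here as an example and not part of the original slides: it inflates FlateDecode streams (the step that gets in the way of reading a sample by eye) and reports script-related PDF names and the built-in methods named in the exploit list. The function names and the sample document are constructed for illustration; a name match only means the file deserves a closer look.

```python
import re
import zlib

# Acrobat JavaScript methods named in the exploit list on these slides.
RISKY_CALLS = [b"util.printf", b"getIcon", b"getAnnots", b"customDictionaryOpen"]
# PDF names showing the file carries or auto-runs script, or uses JBIG2 data.
PDF_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/JBIG2Decode"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf_bytes):
    """Yield every stream body, inflated when it is zlib (FlateDecode) data."""
    for match in STREAM_RE.finditer(pdf_bytes):
        raw = match.group(1)
        try:
            # decompressobj tolerates the end-of-line bytes left after the data
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # other filter or damaged stream: scan the bytes as-is


def triage(pdf_bytes):
    """Return the script-related names and risky method names found."""
    # Names can be hex-escaped (/J#61vaScript), so decode #xx before matching.
    names = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), pdf_bytes)
    keys = [k.decode() for k in PDF_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z0-9])", names)]
    haystack = pdf_bytes + b"\n" + b"\n".join(inflate_streams(pdf_bytes))
    calls = [c.decode() for c in RISKY_CALLS if c in haystack]
    return {"keys": keys, "calls": calls}


def build_sample():
    """Constructed, harmless PDF fragment whose script is Flate-compressed."""
    body = zlib.compress(b"var s = util.printf('%d items', 3);")
    return (b"%PDF-1.4\n1 0 obj\n<< /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage(build_sample()))
```
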
16. Leveraging Type III
Play with the urls.
I don’t know whether it works in the browser context or pdf reader context..
Adobe PDF Reader plug-in AcroPDF.dll ver. 8.0.0.0 Resource Consumption: http://milw0rm.com/exploits/3430
Adobe Acrobat Reader Plugin <= 7.0.x (acroreader) XSS Vulnerability: http://milw0rm.com/exploits/3084
Adobe Reader 7.0.8.0 AcroPDF.dll Internet Explorer Denial of Service: http://milw0rm.com/exploits/3040
Adobe Acrobat 9 ActiveX Remote Denial of Service Exploit: http://milw0rm.com/exploits/6424
17. To be continued...
Those I can’t RE them:
1 Adobe Acrobat Reader <= 8.1.2 Reader Remote Denial Of Service: http://milw0rm.com/exploits/5687, Overflow?
19. Try it out!
Adobe Reader util.printf() JavaScript Function Stack Overflow Exploit
http://milw0rm.com/exploits/7006
http://milw0rm.com/exploits/6994
21. Sample in the wild
50.2
hxxp://172.31.25.229/acroPDF.htm
22. Thank you !