Vulnerabilities
Two months ago Google announced that Google Code was slowly dying: no new projects can be created, it will be read only soon and in January 2016 the project will close definitely. peepdf was hosted there so it was time to move to another platform. The code is currently hosted at GitHub, way more active than Google Code:
https://github.com/jesparza/peepdf
If you are using peepdf you must update the tool because it is pointing to Google Code now. After executing “peepdf.py -u” the tool will point to GitHub and it will be able to be up to date with the latest commits. The peepdf Google Code page will also point to GitHub soon.
Another important announcement is that Rohit Dua will be the student who will work with peepdf this summer in the Google Summer of Code (GSoC). I initially presented three ideas to improve peepdf through The Honeynet Project:
Submitted by jesparza on Tue, 2015/05/05 - 21:34
Some months ago I analyzed some PDF exploits that I received via SPAM mails. They contained the vulnerability CVE-2013-2729 leading to a ZeuS-P2P / Gameover sample. Back in June I received more PDF exploits, containing the same vulnerability, but in these cases it was a bit more difficult to extract the shellcode because the code was obfuscated. This is what we can see taking a look at the file account_doc~9345845757.pdf (9cd2118e1a61faf68c37b2fa89fb970c) with peepdf:
It seems that they used the same PDF exploit and they just added the obfuscation, because if we compare the peepdf output for the previous exploits we can see the same number of objects, same number of streams, same object ids, same id for the catalog, etc. After extracting the suspicious object (1) you can spot the shellcode easily, but some modifications are needed:
PPDF> object 1 > object1_output.txt
We can see two “images” encoded with Base64:
Submitted by jesparza on Thu, 2014/10/16 - 03:53
After some time without releasing any new version here is peepdf v0.3. It is not that I was not working in the project, but since the option to update the tool from the command line was released creating new versions became a secondary task. Besides this, since January 2014 Google removed the option to upload new downloads to the Google Code projects, so I had to figure out how to do it. From now on, all new releases will be hosted at eternal-todo.com, in the releases section.
The differences with version 0.2 are noticeable: new commands and features have been added, some libraries have been updated, detection for more vulnerabilities have been added, a lot of bug fixes, etc. This is the list of the most important changes (full changelog here):
Submitted by jesparza on Mon, 2014/06/16 - 19:38
I am used to receive SPAM emails containing zips and exes, even "PDF files" with double extension (.pdf.exe), but some days ago I received an email with a PDF file attached, without any .exe extension and it didn't look like a Viagra advertisement. Weird. I didn't have time to take a look at it, but the next day I received another one, with a different subject. The subject of the first email was “Invoice 454889 April” from Sue Mockridge (motherlandjjw949 at gmail.com) attaching “April invoice 819953.pdf” (eae0827f3801faa2a58b57850f8da9f5), and the second one “Image has been sent jesparza” from Evernote Service (message at evernote.com, but really protectoratesl9 at gmail.com) attaching “Agreemnet-81220097.pdf” (2a03ac24042fc35caa92c847638ca7c2).
At this point I was really curious so I took a look at them with peepdf.
Submitted by jesparza on Tue, 2014/05/20 - 23:51
I was already missing these SPAM emails with some advice about my sexual life: “Your woman wants you to be the best lover”, “The greatest technique to gratify your lady”, etc. I was getting upset about this, I needed some help...;p
So finally I am receiving a lot of these again. After visiting the link (hxxp://goozix.com/its.html) we can see a redirection to a page to buy Viagra and other “medicines”. But also there is some malicious Javascript code hidden there. The result of the deobfuscation contains code to create a cookie (“visited_uq=55”) and also an iframe to load the URL hxxp://gylaqim.com/exit.php. This domain, created on the 21st of September, resolves each time to a different IP and has a history of more than 400 IPs. It has 6 authoritative DNS servers, ns*.gylaqim.com, also resolving to multiple IPs.
Depending on the server which is responding after visiting hxxp://gylaqim.com/exit.php we will be redirected to another initial page - with another redirection to a Viagra site plus malicious Javascript code - or to the actual exploit kit.
The initial pages seen until the moment are the following:
hxxp://178.170.104.124/destruction.html hxxp://178.170.104.124/seed.html hxxp://actes-lyon.org/true.html hxxp://aybabtu.ru/express.html hxxp://brave.net.nz/ocean.html hxxp://goozix.com/its.html hxxp://moniwild.sakura.ne.jp/average.html hxxp://rodinr.511.com1.ru/angle.html hxxp://southeasterntrains-fail.com/somewhere.html hxxp://toys-store.net/dawn.html
Submitted by jesparza on Tue, 2013/10/08 - 00:11
Just some hours after the bombings during the Boston Marathon we already had several spam campaigns using that subject to infect users. It seems that cybercriminals don't respect anything, did we really expect something different? :p
On the past Wednesday I received four emails talking about the Boston incident. They were really suspicious, just a URL in the body, the URLs had just an IP instead of a good domain...I think someone was in a rush trying to profit from this as soon as possible, while it was still on the news...
The subjects were:
BREAKING - Boston Marathon Explosion Explosion at the Boston Marathon Aftermath to explosion at Boston Marathon Explosions at the Boston Marathon
And the URLs I saw:
hxxp://94.28.49 .130/boston.html hxxp://78.90.133 .133/boston.html hxxp://118.141.37 .122/news.html hxxp://110.92.80 .47/news.html
These URLs leaded to a simple webpage with six iframes. Five of them pointed to real videos about the tragedy and the other one redirected to a RedKit exploit kit which was trying to exploit a CVE-2012-1723 Java vulnerability (take a look at the vulnerability explanation). Also, a Meta Refresh Tag was leading to this URL:
Submitted by jesparza on Sun, 2013/04/21 - 21:50
After lunch it was Sergey Bratus and Travis Goodspeed's turn to speak about the security of USB ports, telling how it is possible to compromise the whole system via a unattended USB port. This was a really interesting talk that one can explore by himself taking a look at some good documentation on Travis' blog.
The talk “We Came In Peace – They Don’t: Hackers vs. CyberWar” by FX was next. He gave his opinion about the actual cyberwarfare and the difference between the point of view of Governments and cybersecurity experts about this subject. Some ideas from his talk: avoid the use of 0-days as weapons through Full-Disclosure, learn how to protect you playing CTFs and don't give up.
Submitted by jesparza on Sun, 2013/04/07 - 14:16
Until now I had not had enough time to write about my experience at my first Troopers. Due to some good comments about it I had had in mind going to Troopers since some time ago, but for one reason or another I hadn't been able to do it. Last year I had the opportunity to share table with Enno Rey, Troopers organizer and CEO of ERNW, at BlackHat Europe. That time I saw they were a good team and good people, and this year, living closer to Heidelberg, I had no excuses to go.
I arrived in Heidelberg at 3:30AM after 9 hours on the road due to the bad weather conditions. I was able to rest to be ready for the talks in the next morning. I missed the keynote by Rodrigo Branco, but I heard that it was really good. The first talk I attended was “Paparazzi over IP” by Daniel Mende and Pascal Turbing about hacking a CANON camera, equipped with a wireless adapter and other features. The result was that it was possible to see all the photographs taken, control the device remotely and intercept the images while they were about to be sent to a cloud storage.
Submitted by jesparza on Sun, 2013/04/07 - 13:52
So the main new features, besides the fixed bugs, are the following:
-
Added support for AES in the decryption process: Until now peepdf supported RC4 as a decryption algorithm but AES was a must. Now here it is, so no more worries for decrypted documents. I will be ready for new changes in the decryption process, someone in Vegas told me that the next AES modification for PDF files is coming...
Submitted by jesparza on Sun, 2012/08/05 - 17:06
We can identify two known vulnerabilities and it seems that object 30 contains Javascript code. If we take a look at the filters used in this stream we see that peepdf has been able to decode the /CCITTFaxDecode filter without problems:
Submitted by jesparza on Mon, 2012/04/23 - 00:55
Last week I presented the last version of peepdf in the Black Hat Europe Arsenal. It was a really good experience that I hope I can continue doing in the future ;) Since the very first version, almost one year ago, I had not released any new version but I have been frequently updating the project SVN. Now you can download the new version with some interesting additions (and bugfixes), and take a look at the overview of the tool in the slides. I think it's important to mention that the version included in the Black Hat CD and the one in the Black Hat Arsenal webpage IS NOT the last version, this IS the last version. I've asked the Black Hat stuff to change the version on the site so I hope this can be fixed soon.
Submitted by jesparza on Sat, 2012/03/24 - 14:35
Each of us has his own preferences: some people love Lady Gaga or Justin Bieber, others Rocco Siffredi or Laura Lion. The love for the latter can be dangerous if you are not aware of security problems when you have a non-updated system, and it's possible you end with an infected system asking for money to recover the control of the machine.
This was an interesting situation so I tried to help my friend. In this case, just after the desktop appeared, a full-screen window showed. It was a warning from the Spanish police ("Cuerpo Nacional de Policía") saying that the system had been blocked because it had been used to perpetrate illegal actions like child pornography, terrorism and violence against children: " Fue detectado un caso de actividad ilegal. El sistema operativo fue bloqueado por violación de las leyes de España!". A warning like this can be shocking for a normal user, so social engineering was working here. However, this warning was also asking for 100€ to be paid via Ukash or Paysafecard as a fine for this behaviour and in order to restore the system. This part can be a bit strange and maybe makes the victims call the police very quickly. Once this window appeared no other action was possible, like execute the Task Manager or return to the desktop, just enter a code to pay.
Submitted by jesparza on Mon, 2012/02/06 - 20:13
After the exploit static analysis some things like the function of the shellcode were unclear, so a dynamic analysis could throw some light on it. When we open the exploit without the Javascript code used for heap spraying we obtain an access violation error in rt3d.dll. If we put a breakpoint in the same point when we launch the original exploit we can see this ( better explanation of the vulnerability):
Instead of showing an access violation the CALL function is pointing to a valid address in icucnv36.dll, 0x4A8453C3. This address is not random and it's used in the Javascript code to perform part of the heap spraying:
Submitted by jesparza on Mon, 2012/01/23 - 17:30
CVE-2011-2462 was published more than one month ago. It's a memory corruption vulnerability related to U3D objects in Adobe Reader and it affected all the latest versions from Adobe (<=9.4.6 and <= 10.1.1). It was discovered while it was being actively exploited in the wild, as some analysis say. Adobe released a patch for it 10 days after its publication. I'm going to analyse a PDF file exploiting this vulnerability with peepdf to show some of the new commands and functions in action.
As usual, a first look at the information of the file:
I've highlighted the interesting information of the info command: one error while parsing the document, one object (15) containing Javascript code, one object (4) containing two ways of executing elements (/AcroForm, /OpenAction) and one U3D object (10), suspicious for its known vulnerabilities, apart of the latest one.
So we have several objects to explore, let's start from the /AcroForm element (object 4):
Submitted by jesparza on Mon, 2012/01/16 - 18:22
|