The document discusses various client-side exploits that can be carried out using PDF files. It describes how launch actions, AcroJS (Adobe JavaScript), and embedded executables can be used to exploit vulnerabilities in PDF readers. Specific vulnerabilities and a proof-of-concept example using a hex-encoded executable embedded in comments are presented. The document also covers obfuscation techniques used to evade detection, such as modifying the PDF format and using JavaScript obfuscation.
24. Launch Action Vulnerability Confidential Data!! If You are Authorized Click on 'Open'. Check 'Do Not Show This Message Again' to avoid this dialog next time
48. Distorting format Normal Code Obfuscated Code function execute(data, time) { Timelag=5000; if (time > Timelag) { // some code } } function overflow(hex, loop) { for (i=0;i<loop;i++) { hex = hex + hex; } } function overflow(hex, loop){for (i=0;i<loop;i++){hex = hex + hex;}} function overflow(hex, loop) {for i=0;i<loop;i++){hex = hex + hex;} }
49. Obfuscating Identifiers Normal Code Obfuscated Code function execute(data, time) { Timelag=5000; if (time > Timelag) { // some code } } function overflow(hex, loop) { for (i=0;i<loop;i++) { hex = hex + hex; } } function aeiou(lIlIIlI, O0OOOO0OO000OO) { WWMWMMWMWMWMW=5000; if (O0OOOO0OO000OO > WWMWMWMWMWMW) { // some code } } function aimpq(xxwmnnx, pqrtxw) { for (dqweaa=0; dqweaa < pqrtxw; dqweaa ++) { xxwmnnx = xxwmnnx + xxwmnnx;; } }
50. Obfuscating Identifiers – Even Worse Differentiating with number of underscore characters function _____(____,__________) { ______________=5000; if (__________>______________) { // some code } } function ___(_______, ______) { for(________________=0; ________________<______; ________________ ++) { _______ = _______ + _______; } }
51. Obfuscating Identifiers – Even Worse Differentiating with number of underscore characters function _____(____,__________){______________=5000;if (__________>______________){// some code}}function ___(_______, ______){for(________________=0; ________________<______; ________________ ++){_______ = _______ + _______;}}
52. Chain of Eval Normal Code Obfuscated code app.alert(“c0c0n”) func="eval"; one='app.alert("c0c0n")'; two=eval(one); three=eval(two); eval(func(three));
54. Callee Trick Function accesses its own source and uses it as a key to decrypt code or data function decrypt(cypher) { var key = arguments.callee.toString(); for (var i = 0; i < cypher.length; i++) { plain = key.charCodeAt(i) ^ cypher.charCodeAt(i); } ... }
THE ADOBE PORTABLE DOCUMENT FORMAT (PDF) is a file format for rep- resenting documents in a manner independent of the application software, hard- ware, and operating system used to create them and of the output device on which they are to be displayed or printed. A document’s pages (and other visual elements) may contain any combination of text, graphics, and images. A page’s appearance is described by a PDF content stream, which contains a sequence of graphics objects to be painted on the page. This appearance is fully specified; all layout and formatting decisions have al- ready been made by the application generating the content stream. In addition to describing the static appearance of pages, a PDF document may contain interactive elements that are possible only in an electronic representa- tion. PDF supports annotations of many kinds for such things as text notes, hypertext links, markup, file attachments, sounds, and movies. A document can define its own user interface; keyboard and mouse input can trigger actions that are specified by PDF objects. The document can contain interactive form fields to be filled in by the user, and can export the values of these fields to or import them from other applications.
Distorting format – Removing newlines and spaces - Not much of pain to deobfuscate (ex-jsbeautifier.org)
Name obfuscation – variable name and function name are renamed Most common obfuscation techniques
JavaScript code can execute JavaScript code in strings through eval • Often used to hide later code stages which are decrypted on the fly • Common way to extract argument: replace eval with a printing function
Not specific to Adobe Reader • Frequently used by JavaScript code in other contexts • Function accesses its own source and uses it as a key to decrypt code or data • Add a single whitespace and decryption fails
Online decoders available to decode them….
We can not hit the pdf file link directly,So we chose WGET to download that file contents
Javascript Found on object 11 0.. Encoded with ascii85Encoding.. First obfuscation – filters…
Second Obfucation – Distorted formatting.
Third Obfuscation – Obfuscated identifiers and unnecessary comments