Tag Archives: Reader

Exploitation Demo of Fake Mandiant APT1 Report PDF

As mentioned by Symantec and Seculert, a spear-phishing campaign has used a fake Mandiant APT1 PDF report (the real report, “APT1: Exposing One of China’s Cyber Espionage Units”, was published by Mandiant earlier this week). This fake PDF was used in targeted attacks against Japanese entities and contains exploit code for the Adobe Acrobat and Reader Remote Code Execution Vulnerability (CVE-2013-0641).

Despite Symantec’s analysis, I can confirm that the PDF drops malware onto the computer.

The PDF file name is “Mandiant.pdf”, with hash 2a42bf17393c3caaa663a6d1dade9c93 (23/46 detections on VirusTotal). Once opened, an error message is displayed.

[Screenshot: pdf-error-message]

After the error message is dismissed, the vulnerability is exploited and “AdobeARM.exe” (41915b34fc50ffdd2a6a0969e3f55ff1) is dropped in the Windows folder “C:\Documents and Settings\<USER>\Local Settings\Temp”. The resource language of this executable is Simplified Chinese.

[Screenshot: AdobeARM-properties]

“AdobeARM.exe” connects to the domain “www.shounkaku.co.jp”, a legitimate website, and requests the path “/space/fsjd-ge3234c4d61033.gif”. That file no longer exists on the server.

An interesting string in “AdobeARM.exe” is “Hello from MFC!” (Military Force of China?).

[Screenshot: AdobeARM-strings]

Regarding the PDF, the embedded JavaScript seems to be the same as in the original version of the 0day (sHOGG, oTHERWISE and other function and variable names). So it seems that someone has successfully re-weaponized the original version of the 0day.

[Screenshot: pdf-shogg]

Below is a demonstration video of the exploitation.

New Adobe PDF Reader and Acrobat 0day Found Exploited in the Wild

The FireEye team has reported a new Adobe Reader and Acrobat zero day exploited in the wild. This new 0day allows exploitation of the latest Adobe Reader versions 9.5.3, 10.1.5 and 11.0.1, with a sandbox bypass. According to the information provided in the FireEye blog post, two DLLs are dropped by the malicious PDF and a fake error message appears.

Adobe has acknowledged a potential vulnerability in its latest Reader through a post on the PSIRT (Product Security Incident Response Team) blog.

In the screenshot provided by FireEye, who do not give many details, we can see a request to an “/index.php” page, which potentially means that the PDF 0day is served from that PHP file. We can also observe that the user agent involved is MSIE 7 (Internet Explorer 7) on Windows NT 5.1 (Windows XP).

According to a post on threatpost.com:

Attackers are using malicious PDFs posing as an application for an international travel visa to exploit a zero-day vulnerability in Adobe Reader and Acrobat.

Happy 0day Hunting

Despite the lack of information, after some research last night I found the following file: “Visaform Turkey.pdf” (f3b9663a01a73c5eca9d6b2a0519049e).

Through further research, we found at 10pm the supposed C&C server, “http://bolsilloner.es/index.php”.

“Visaform Turkey.pdf” was submitted to VirusTotal on 2013-02-11 and was detected as “HEUR:Exploit.Script.Generic” at that time. The file was also submitted to malware tracker on 2013-02-12, and you can find some interesting information in that submission. The same file was submitted to Wepawet on 2013-02-13. The C&C server URL was submitted to jsunpack on 2013-02-13 without any associated output.

Adobe Security Advisory APSA13-02

Adobe PSIRT has released security advisory APSA13-02 regarding two vulnerabilities, CVE-2013-0640 (CVSS base score 9.3) and CVE-2013-0641 (CVSS base score 9.3), in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. The advisory also confirms that these vulnerabilities are being exploited in targeted attacks through spear-phishing campaigns. Adobe is working on the issue and will provide updated versions as soon as possible. Affected software:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

As a workaround, the Adobe security advisory recommends that users of Adobe Reader XI and Acrobat XI for Windows enable “Protected View”. To enable this setting, choose the “Files from potentially unsafe locations” option under the Edit > Preferences > Security (Enhanced) menu. The problem is that although “Protected Mode” is activated, “Protected View” is off in a default installation, as discussed on Twitter with @artem_i_baranov and also mentioned by Ars Technica.

[Screenshot: adobe-reader-protected-view]

According to the “Protected View” documentation:

When Protected View is enabled, PDFs are displayed in a restricted environment called a sandbox.

So this means that, by default, the sandbox is deactivated while PDFs are displayed.

Also, Mac OS X and Linux users are not protected by this workaround, which is only available for Windows.

Vendor Information

FireEye has released new details regarding the payload delivered through these vulnerabilities. They also point out the heavy use of Italian in the JavaScript embedded in the malicious PDF file.

Sophos has released a screenshot of the “Visaform Turkey.pdf” file and additional information.

“Visaform Turkey.pdf” Sample Analysis

Based on the poor sample we found on malware tracker (please re-enable the download functionality!), we started to analyse it.

First interesting piece of information: it could be that “Protected Mode” is bypassed via PDF properties. After some research, this does not seem to be linked.

[Screenshot: trusted-mode-false]

Second interesting piece of information: the creation date in the document appears to be f****ng old!!!! (2012-11-08).

[Screenshot: date-of-creation]

Third: the sHOGG function is used to decrypt a bunch of variables in the code.

[Screenshot: sHOGG-function]

By applying this function to certain variables, we can confirm that the following Adobe Reader versions were targeted:

  • 10.0.1.434
  • 10.1.0.534
  • 10.1.2.45
  • 10.1.3.23
  • 10.1.4.38
  • 10.1.4.38ARA
  • 10.1.5.33
  • 11.0.0.379
  • 11.0.1.36
  • 9.5.0.270
  • 9.5.2.0
  • 9.5.3.305

[Screenshot: oTHERWISE-pRENDENDO]

Also, some special cases are forced for specific languages, and only with Reader 9.502 or 10.104.

[Screenshot: languages-special-cases]

I can also confirm that the code is heavily obfuscated, with a bunch of variable and function names in Italian, like “dIAVOLO”, “bENEDETTO”, “sENTIRSI”, “aPPARENZA”, “fISAMENTE”, “pRESUNSI”, “cOCOLLE”, “sCHIUMA”, “pENITENZA”, etc.

[Screenshot: esperanza]
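As an added example (not code from the original post or from the sample), here is a small triage script a defender could run over suspect PDFs: it inflates FlateDecode streams so JavaScript hidden in compressed streams becomes visible, then looks for the sHOGG/oTHERWISE/Italian identifiers listed above. The `build_sample_pdf` helper constructs a minimal stand-in PDF for testing; it is not the real “Visaform Turkey.pdf”, and the "two or more identifiers" threshold is an assumption of this example.

```python
import re
import zlib

# Identifiers observed in the Italian-obfuscated JavaScript of the sample analysed above.
# sHOGG is the string-decryption routine; the others are obfuscated names.
SUSPICIOUS_IDENTIFIERS = (b"sHOGG", b"oTHERWISE", b"pRENDENDO", b"dIAVOLO",
                          b"bENEDETTO", b"sENTIRSI", b"aPPARENZA", b"fISAMENTE",
                          b"pRESUNSI", b"cOCOLLE", b"sCHIUMA", b"pENITENZA")

# Heuristic stream matcher; assumes the literal "endstream" never occurs inside stream data.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> bytes:
    """Append the inflated content of every Flate-compressed stream to the raw bytes,
    so JavaScript stored in compressed streams (or object streams) can be searched."""
    expanded = pdf
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the newline left before "endstream"
            expanded += zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data (or damaged): the raw bytes are still searched
    return expanded


def scan_pdf(pdf: bytes) -> dict:
    """Flag a PDF that carries JavaScript using the identifiers seen in the sample."""
    data = inflate_streams(pdf)
    has_js = b"/JavaScript" in data or b"/JS" in data
    found = sorted(i.decode() for i in SUSPICIOUS_IDENTIFIERS if i in data)
    return {
        "has_javascript": has_js,
        "identifiers": found,
        # assumption: two or more obfuscated names next to JavaScript is a strong match
        "suspicious": has_js and len(found) >= 2,
    }


def build_sample_pdf(js: bytes) -> bytes:
    """Constructed minimal PDF (not the real sample) with js in a FlateDecode stream."""
    body = zlib.compress(js)
    header = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
              b"3 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n")
    return header + b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    # Constructed stand-in for the obfuscated script, using names from the analysis.
    print(scan_pdf(build_sample_pdf(b"function sHOGG(s){return s}var dIAVOLO=oTHERWISE(sHOGG('x'));")))
    print(scan_pdf(build_sample_pdf(b"app.alert('benign');")))
```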

According to different sources, the files dropped by the PDF are:

  • “L2P.T” (3a2547af14b5621f43481a70f32ccef3). Analysis on VirusTotal.
  • “LangBar32.dll” (97777F269AE807891DAC4B388C66A952). Analysis on VirusTotal.
  • “Visaform Turkey.pdf” (F475A43D374334197099ADA17720EB00). Analysis on VirusTotal.
  • “D.T” (CB33E97F46A219804DDB373FF982D694). Analysis on VirusTotal.

As @binjo has released the Adobe JavaScript code, I am also releasing my study of it.

I will keep you posted, in this post, if I have any additional information.

APSB13-02 – Adobe Reader and Acrobat January 2013 Security Bulletin Review

On 8 January 2013, during its January Patch Tuesday, Adobe released one Adobe Reader and Acrobat security bulletin dealing with 27 vulnerabilities. The bulletin has a Critical severity rating. 26 of these vulnerabilities have a 10.0 CVSS base score.

APSB13-02 – Security updates available for Adobe Reader and Acrobat

APSB13-02 concerns:

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh

CVE-2012-1530 (10.0 CVSS base score), that could lead to code execution, has been discovered and reported by Nicolas Grégoire through iDefense’s Vulnerability Contributor Program.

CVE-2013-0601, CVE-2013-0602 and CVE-2013-0605 through CVE-2013-0621 (each with a 10.0 CVSS base score), that could lead to code execution, have been discovered and reported by Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team.

CVE-2013-0603 (10.0 CVSS base score), that could lead to code execution, has been discovered and reported by Tom Gallagher of Microsoft and Microsoft Vulnerability Research (MSVR).

CVE-2013-0604 (10.0 CVSS base score), that could lead to code execution, has been discovered and reported by Alexander Gavrun through iDefense’s Vulnerability Contributor Program.

CVE-2013-0622 (10.0 CVSS base score), that could bypass security, has been discovered and reported by Joel Geraci of Practical:PDF.

CVE-2013-0623 (10.0 CVSS base score), that could lead to code execution, has been discovered and reported by Alexander Gavrun through iDefense’s Vulnerability Contributor Program and by David D. Rude II of iDefense Labs.

CVE-2013-0624 (10.0 CVSS base score), that could bypass security, has been discovered and reported by Billy Rios, Federico Lanusse and Mauro Gentile.

CVE-2013-0626 (10.0 CVSS base score), that could bypass security, has been discovered and reported by an unknown security researcher.

CVE-2013-0627 (7.2 CVSS base score), that could lead to local privilege escalation, has been discovered and reported by Myke Hamada, Joost Bakker, Anand Bhat and Timothy McKenzie.

KaiXin Exploit Kit Evolutions

At the beginning of August, Kahu Security discovered a new Chinese exploit kit named KaiXin EK. Like its blood brother Gong Da (Gondad) EK, this exploit kit was using the “Yszz vip” JavaScript obfuscation.

The August version of KaiXin was supporting:

The November version of KaiXin has evolved by removing support for the Oracle Java CVE-2012-0507 and CVE-2012-0754 vulnerabilities, and adding support for Oracle Java CVE-2012-1723 (fixed in the June 2012 CPU), Oracle Java CVE-2012-4681 (fixed in the end-of-August Oracle Security Alert) and Oracle Java CVE-2012-5076 (fixed in the October 2012 CPU).

Below is a VirusTotal analysis of all the files involved:

The following diagram describes how the November version of KaiXin EK works.