Ministry of Science, Technology & Innovation

LibTAPAU: The Danger of LibTIFF + Adobe PDF
Crowne Plaza || KL || .MY || 2010-10-13
MAHMUD AB RAHMAN (MyCERT, CyberSecurity Malaysia)

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia

MYSELF
- Mahmud Ab Rahman
- MyCERT, CyberSecurity Malaysia
- Lebahnet (honeynet), Botnet, Malware

Agenda
- Intro
- PDF + LibTIFF Attacks
- Analyzing malicious PDF + LibTIFF
- Issues
- Reducing/Mitigating The Problem?
- Outro/Conclusion

INTRO
1) Intro  2) PDF attacks  3) Analyzing  4) Issues  5) Mitigation  6) Conclusion

INTRO : PDF 101
- PDF: Portable Destructive File :)
- Portable Document Format
- Open Standard (2008) by Adobe (previously proprietary)
- Mainly an application-independent format (instead of *.doc, *.xls, *.ppt, *.odp, *.etc)
- PDF Reader Applications (Adobe Reader, Foxit Reader, SumatraPDF, etc.)

Technology & Innovation   Has its own language   Normally just ASCII characters.(/Filters / application elements are using binary data (stream)   ASCII – Readable (any text editors will do)   Start with header (%PDF-[version])   End with eof element (%%EOF) Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 6 .INTRO : PDF Format Ministry of Science.

INTRO : PDF Format (diagram)

    %PDF-1.1                                        <- PDF Start (version)
    1 0 obj                                         <- PDF Object (obj ... endobj)
    << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R >>
    endobj
    ....
    5 0 obj
    << /Length 67 >>
    stream                                          <- stream element contains data ("Hello w00t!")
    BT /F1 24 Tf 100 700 Td (Hello w00t!)Tj ET
    endstream                                       <- ends with endstream
    endobj
    xref                                            <- Cross Reference
    0 8
    0000000000 65535 f
    0000000012 00000 n
    0000000089 00000 n
    trailer                                         <- Trailer
    << /Size 8 /Root 1 0 R >>
    startxref
    642
    %%EOF                                           <- End of File

- Normally needs to decode the data inside the stream element
- JavaScript object starts with /JS
- Main subject to be abused
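To make the diagram concrete, here is an added example (not code from the slides or from MyCERT) that walks exactly the outer markup the diagram labels: the %PDF- header, each "N G obj ... endobj" with its stream body and whether it names /JS, the trailer's /Root, startxref and the %%EOF marker. The sample PDF is constructed from the slide's "Hello w00t!" listing; the elided objects 2-4 are simply absent.

```python
import re

# Constructed sample: the slide's minimal "Hello w00t!" PDF (objects 2-4 that
# the slide elides are left out; /Length and offsets are the slide's values).
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj
<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R >>
endobj
5 0 obj
<< /Length 67 >>
stream
BT /F1 24 Tf 100 700 Td (Hello w00t!)Tj ET
endstream
endobj
xref
0 8
0000000000 65535 f
0000000012 00000 n
0000000089 00000 n
trailer
<< /Size 8 /Root 1 0 R >>
startxref
642
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*)\r?\nendstream", re.S)

def parse_pdf(data):
    """Walk the outer PDF markup: version, every object (stream body, /JS
    present?), trailer /Root, startxref, %%EOF. xref offsets are not validated."""
    m = re.match(rb"%PDF-(\d\.\d)", data)
    if not m:
        raise ValueError("missing %PDF- header")
    info = {"version": m.group(1).decode(), "objects": {},
            "has_eof": data.rstrip().endswith(b"%%EOF")}
    for num, gen, body in OBJ_RE.findall(data):
        s = STREAM_RE.search(body)
        info["objects"][(int(num), int(gen))] = {
            "stream": s.group(1) if s else None,
            "has_js": b"/JS" in body or b"/JavaScript" in body,
        }
    t = re.search(rb"trailer\s*<<(.*?)>>", data, re.S)
    root = re.search(rb"/Root\s+(\d+)\s+(\d+)\s+R", t.group(1)) if t else None
    info["root"] = (int(root.group(1)), int(root.group(2))) if root else None
    sx = re.search(rb"startxref\s+(\d+)", data)
    info["startxref"] = int(sx.group(1)) if sx else None
    return info
```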

INTRO : PDF Format
- View inside PDF readers (screenshot)

INTRO : TIFF 101 Ministry of Science. Technology & Innovation   Tagged Image File Format (abbreviated TIFF)   file format for storing images   it is under the control of Adobe Systems (2009)   widely supported by image-manipulation application Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 9 .

INTRO : TIFF 101 (image slide)

INTRO : Why attack PDF + LibTIFF?
- Just another attack vector
- Widely used (popular)
  o Wider target
- The main player applications have bugs
  o Again, wider target
  o Generates more interest (more bugs after the 1st one (almost 3 years now))
- The emergence of client-side attacks (PDF plugin in the web browser creates more ways to target)

PDF ATTACKS

PDF Attacks: How it works
1) Crafting a malicious pdf
2) Forward the pdf file by any means [spam, web upload, weblink, p2p share, usb, etc.]
3) User opens the file with a vulnerable pdf reader
4) Bug triggered, payload executed

Technology & Innovation   LibTIFF’s bugs o CVE: 2005-1544 o CVE-2006-3459 o CVE: 2009-2285 .LibTIFF Attacks: Recent Bugs Ministry of Science.LZWDecodeCompat() o CVE-2010-0188 – Exploitable within PDF o CVE-2010-2067 –Stack Overflow Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 15 .

Technology & Innovation   Villy’s Python Script   Metasploit’s Module   Made-in-China 0day Builder :p Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 16 .LibTIFF Attacks: Get Your Gun Loaded Ministry of Science.

LibTIFF Attacks: Get Your Gun Loaded (screenshots)

PDF Attacks: DEMO
- Breaking the PDF readers

ANALYZING MALICIOUS PDF + TIFF FILE

Analyzing Malicious PDF + TIFF File
- Malicious PDF (screenshot)

Analyzing Malicious PDF + TIFF File
- ASCII-based characters
  o Any text editor will do
- Some inflators/encoders have been used for the data stream
  o Analysis becomes more complicated
  o Can be deflated/decoded using the proper library/techniques to reveal normal ascii data
- Understanding the PDF language syntax is a must (e.g.: object references, JavaScript calls, etc.)

Technology & Innovation   Public Tools Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 24 .Analyzing Malicious PDF + TIFF File Ministry of Science.

Technology & Innovation   Public Tools Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 25 .Analyzing Malicious PDF + TIFF File Ministry of Science.

Analyzing Malicious PDF + TIFF File Ministry of Science. Technology & Innovation   Public Tools Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 26 .

Analyzing Malicious PDF + TIFF File Ministry of Science. Technology & Innovation   Introducing MyCERT PDF LibTIFF Sploit Analyzer o Basic parse for PDF - For complete PDF Parse (gallus) o Tracing for TIFF Image o Dumping the image file o Checking for The Shellcode Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 27 .

Analyzing Malicious PDF + TIFF File (analyzer screenshots)
- "Hey, that's NOT the sample u used for the previous screenshot, l0ser"

Analyzing Malicious PDF File: DEMO
- Identify the malicious file
- Extract information
- Analyze shellcode

ISSUES WITH MALICIOUS PDF FILE

Technology & Innovation   Challenges: o JavaScript obfuscated - Same problem with browser due to JavaScript - Annoying [ var=unescape() == var = un+escape(). == var a=un. getAnnotte() - Anything JS can do.Analyzing Malicious PDF + TIFF File Ministry of Science. getPageNumber().callee(). var b=escape(). var c=a+b ] - arguments. will fits here Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 34 .

Analyzing Malicious PDF + TIFF File
- Nice JS eh? (screenshot)

Analyzing Malicious PDF + TIFF File
- Challenges:
  o PDF Syntax Coolness
    - This.Info.Title // This.Info.Author // This.Names.What.Ever (etc.)
    - Difficult for the analyzer to follow the object references
    - The default JS emulator is not up for this yet
  o Encoding/Compressor
    - Many of them (FlateDecode / ASCIIHexDecode / JBIG2Decode / ASCII85Decode / DCTDecode etc.)
    - Concatenated filters (/Filter [/FlateDecode /ASCIIHexDecode])
    - Abbreviated filters (/Filter [/Fl /AHx]) == (/Filter [/FlateDecode /ASCIIHexDecode])

Technology & Innovation   Challenges: o Parser Problem o Grep’ing [obj…endobj] or [stream.Author.endstream] ? o Grep’ing [EOF] ? o Reference loop o  This.Name o  1 obj 0 /JS 7 0 R -> 7 obj 0 /JS 8 0 R -> 8 obj 0 /JS 10 R o Embedded malicious PDF inside PDF file.Analyzing Malicious PDF + TIFF File Ministry of Science. o PDF file analyzer is not PDF reader - Analyzer needs to understand PDF structure - Analyzer needs to interpret PDF language - Eventually it will become PDF reader by itself : ) Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 37 .Name-> This. - Manual extracting for the embedded file is difficult..Name -> This.Info.Info.

Issues with Malicious PDF + TIFF file
- On-the-fly malicious PDF generator
  o Difficult to analyze / be detected by analysis tools
  o Have to manually request/download the malicious pdf file (probably it's too late when your browser has PDF reader plugins)

Technology & Innovation   JavaScript obfuscating. period :) o Well.Issues with Malicious PDF file Ministry of Science.version()   lack of fully functional pdf analyzers as how PDF reader works o Will always be a cat and mouse game Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 39 . o App. javascript fingerprinting is nothing new : ) o JS checking if u’r running inside on the targeted application is common.

MITIGATION AGAINST MALICIOUS PDF FILE

Mitigation (image slide)

Mitigation: you're safe
- Update/patch your PDF reader -> eliminates the bug
  o Not quite true when dealing with 0day
- Analyze/scan the PDF file before opening it
- Only open PDF attachments from trusted people (paranoid: at least with pgp signing :))
  o Sign the PDF file? .. LIBTIFF .. :-)
- Disable JavaScript -> minimizes the risk of reliable exploitation
  o Some bugs don't require JavaScript (still 0Wn1ng as usual) :)

CONCLUSION

Conclusion
- Awareness of threats against PDF readers still needs more work
- Analysis of malicious PDF is possible by combining multiple tools (editor, decoder, js emulator, shellcode analyzer)
- A better PDF analyzer is urgently needed

Technology & Innovation   The complexity of PDF reader will introduce more bugs and vulnerabilities   With JavaScript support. exploitation will be more reliable (why we still need JavaScript inside PDF file? )   With JavaScript support.Conclusion Ministry of Science. more obfuscated techniques can be implemented Securing Our Cyberspace Copyright © 2009 CyberSecurity Malaysia 45 .

Q&A

THANKS
Email: mahmud@cybersecurity.my
Report Incident: mycert@mycert.org.my
Web: http://www.cybersecurity.my
Web: http://www.mycert.org.my
Web: www.cybersafe.my
Web: www.honeynet.org.my
Blog: blog.honeynet.org.my