Monday, January 11, 2010

Jan 11 CVE-2009-0927 CVE-2008-2992 China and Human Rights from 2010.01.12 06:24:41 (UTC)

Download ChinaHR.pdf as (password protected, please contact me for the password)

Details: AAF477AF8CFB73C6BD9945C5BE403FE9 - ChinaHR.pdf

From: Jennifer Lewis []
Sent: Monday, January 11, 2010 10:32 PM
Subject: China and Human Rights

China's lack of political freedoms
Opinion towards China brings mixed agendas
China's poor attempt to deflect attention
Resentment of Chinese economic policy not benefiting locals
Lack of international unity, despite statements by media and world leaders
China's actions fuel the very thing it says it tries to fight
China and Africa; concerns over rights and exploitation
More information...
File ChinaHR.pdf received on 2010.01.12 06:24:41 (UTC)
The message sender was
The message originating IP was
The message recipients were
The message was titled China and Human Rights
The message date was Mon, 11 Jan 2010 19:31:56 -0800 (PST)
The message identifier was <>
attach/5963841_3X_PM5_EMS_MA-PDF__ChinaHR.pdf: Infected: Exploit.Win32.Pidief.bxf [AVP]


Result: 13/40 (32.5%)
Antivirus          Version        Update       Result
AntiVir                           2010.01.11   HTML/Silly.Gen
Antiy-AVL                         2010.01.11   Exploit/Win32.Pidief
Authentium                        2010.01.12   PDF/UtlPtf.B!Camelot
Avast              4.8.1351.0     2010.01.11   JS:Pdfka-ME
BitDefender        7.2            2010.01.12   Exploit.PDF-JS.Gen
eSafe                             2010.01.11   PDF.Exploit
F-Secure           9.0.15370.0    2010.01.12   Exploit.PDF-JS.Gen
GData              19             2010.01.12   Exploit.PDF-JS.Gen
Kaspersky                         2010.01.12   Exploit.Win32.Pidief.bxf
McAfee-GW-Edition  6.8.5          2010.01.12   Script.Silly.Gen
Sophos             4.49.0         2010.01.12   Troj/PDFJS-BX
Sunbelt            3.2.1858.2     2010.01.12   Exploit.PDF.Pidief (v)
VirusBuster                       2010.01.11   JS.BOFExploit.Gen
Additional information
File size: 119239 bytes
MD5: aaf477af8cfb73c6bd9945c5be403fe9

CVE-2009-0927: stack-based buffer overflow in Adobe Reader and Acrobat via a crafted argument to the getIcon method of a Collab object (fixed in Reader/Acrobat 9.1, 8.1.3 and 7.1.1 in March 2009).
CVE-2008-2992: stack-based buffer overflow in Adobe Reader and Acrobat 8.1.2 and earlier via a crafted format-string argument to the util.printf JavaScript function (fixed in 8.1.3, November 2008).
Both bugs had been patched for months when this message was sent, so the sample is an n-day attack against unpatched Reader 8/9 installations; the version-dependent decoding in the jsunpack output below (payload only for app.viewerVersion=8.0) fits that.

Update January 18, 2010
Even better results were produced and submitted by Blake (thank you, Blake) using his jsunpack-n tool: util.printf CVE-2008-2992 was detected in addition to Collab.getIcon CVE-2009-0927.
jsunpack-n$ ./ ChinaHR.pdf -V
check line 1371
Processing ChinaHR.pdf
[malicious:10] [PDF] ChinaHR.pdf
       info: [decodingLevel=0] found JavaScript
       info: [decodingLevel=0] decoded 6269 bytes (./files/decoding_
       malicious: Utilprintf CVE-2008-2992 detected
       malicious: CollabgetIcon CVE-2009-0927 detected
       info: [decodingLevel=1] found JavaScript
       info: saved original parsed JavaScript to ./files/veryverbose_
       info: Decoding option app.viewerVersion=8.0,    4012 bytes
       info: Decoding option app.viewerVersion= and app.viewerVersion=9.1,     0 bytes
       info: [decodingLevel=1] decoded 4012 bytes (./files/decoding_
       suspicious: Warning detected
           //warning CVE-NO-MATCH Shellcode NOP len 9999
           //warning CVE-NO-MATCH Shellcode NOP len 506
           //warning CVE-NO-MATCH Shellcode NOP len 297
           //warning CVE-NO-MATCH Shellcode NOP len 261833
       malicious: shellcode of length 565/295 (./files/shellcode_
       malicious: shellcode of length 551/277 (./files/shellcode_
       info: [2] no JavaScript
       info: [file] saved ChinaHR.pdf to (./files/original_

[file] created ./files/decoding_257729096ea832ff72e7365e34062d183d69f2fe from ChinaHR.pdf
[file] created ./files/veryverbose_257729096ea832ff72e7365e34062d183d69f2fe from ChinaHR.pdf
[file] created ./files/decoding_93aa0a7dc84a9b7ef6fe87912af5481a0d6a9f4d from ChinaHR.pdf
[file] created ./files/shellcode_2b5537e1a69fa16a8c625e0087023c9506002d7e from ChinaHR.pdf
[file] created ./files/shellcode_e9f9df40fb0abdc9c6b119423800ca9d0583411c from ChinaHR.pdf
[file] created ./files/original_074517645ec0b7e50bc788910dda51c0e9dcd889 from ChinaHR.pdf
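As an added illustration (not code from this post and not jsunpack-n's own code), the script below does the static part of what jsunpack reported above: it walks the PDF objects, pulls JavaScript out of /JS literal strings and out of FlateDecode streams referenced by /JS, and flags the Collab.getIcon and util.printf calls, app.viewerVersion branching and long unescape()'d %u NOP sleds. The PDF it scans is constructed inline for the demo and is not ChinaHR.pdf; the indicator names, the scoring and the object layout in build_sample() are my own choices, not anything taken from the sample.

```python
import re
import zlib

# Indicators for the two Reader JavaScript bugs named on this page, plus two
# heuristics jsunpack also reports: version branching and long %u NOP sleds.
SLED_RE = re.compile(r"(?:%u[0-9a-fA-F]{4}){32,}")   # >= 64 bytes of %u escapes
INDICATORS = {
    "CollabgetIcon CVE-2009-0927": re.compile(r"Collab\s*\.\s*getIcon"),
    "Utilprintf CVE-2008-2992": re.compile(r"util\s*\.\s*printf"),
    "app.viewerVersion branching": re.compile(r"app\s*\.\s*viewerVersion"),
    "long %u sled": SLED_RE,
}
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")            # /JS -> stream object
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")   # direct /Length only

def pdf_literal(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\n \\r \\t \\b \\f \\( \\) \\\\ and \\ddd octal."""
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
              b"(": b"(", b")": b")", b"\\": b"\\"}
    return re.sub(rb"\\([nrtbf()\\]|[0-7]{1,3})",
                  lambda m: simple.get(m.group(1)) or bytes([int(m.group(1), 8) & 0xFF]), raw)

def read_literal(data: bytes, start: int) -> bytes:
    """Read a literal string opened just before data[start]; nesting and escapes honoured."""
    depth, i, out = 1, start, bytearray()
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":                 # copy the escape pair intact for pdf_literal
            c = data[i:i + 2]
        elif c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
        if depth:                      # the closing parenthesis itself is dropped
            out += c
        i += len(c)
    return pdf_literal(bytes(out))

def stream_data(obj: bytes) -> bytes:
    """Stream payload of an object, inflated when /FlateDecode is set."""
    m = re.search(rb"stream\r?\n", obj)
    end = obj.find(b"endstream")
    if not m or end < m.end():
        return b""
    start, ln = m.end(), LENGTH_RE.search(obj)
    if ln and start + int(ln.group(1)) <= end:
        data = obj[start:start + int(ln.group(1))]      # trust a sane direct /Length
    else:
        data = obj[start:end].rstrip(b"\r\n")           # missing, indirect or lying /Length
    if b"/FlateDecode" in obj:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return b""                 # damaged or obfuscated stream: leave to deeper tools
    return data

def extract_scripts(pdf: bytes) -> list:
    """Collect every JavaScript body: /JS literal strings and /JS N 0 R streams."""
    objs = {int(n): body for n, body in OBJ_RE.findall(pdf)}
    scripts = []
    for body in objs.values():
        for ref in JS_REF_RE.findall(body):
            if int(ref) in objs:
                scripts.append(stream_data(objs[int(ref)]).decode("latin-1"))
        for m in re.finditer(rb"/JS\s*\(", body):
            scripts.append(read_literal(body, m.end()).decode("latin-1"))
    return [s for s in scripts if s.strip()]

def triage(pdf: bytes) -> dict:
    """Report which indicators fired, the byte length of each %u sled, and a verdict."""
    scripts = extract_scripts(pdf)
    hits = [name for name, rx in INDICATORS.items() if any(rx.search(s) for s in scripts)]
    sleds = [len(m.group(0)) // 6 * 2 for s in scripts for m in SLED_RE.finditer(s)]
    verdict = "malicious" if any("CVE" in h for h in hits) else "suspicious" if hits else "clean"
    return {"scripts": len(scripts), "hits": hits, "sled_bytes": sleds, "verdict": verdict}

def build_sample() -> bytes:
    """Constructed demo PDF (not ChinaHR.pdf): an /OpenAction running FlateDecode-compressed
    JavaScript that touches both abused APIs, plus a harmless page-open action as a literal."""
    js = (b"var v = app.viewerVersion;\n"
          b"var sled = unescape(\"" + b"%u9090" * 40 + b"\");\n"
          b"if (v < 9) { util.printf(\"%45000f\", 1e308); }\n"
          b"else { Collab.getIcon(sled + \"A\"); }\n")
    z = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /AA << /O 6 0 R >> >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(z) + z + b"\nendstream",
        b"<< /S /JavaScript /JS (this.print\\(\\);) >>",
    ]
    out = b"%PDF-1.4\n"
    for n, o in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + o + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Run it on a real file with triage(open(path, "rb").read()). It only sees what is in clear text after inflation, which is why a second stage still matters: the real sample above hid the API calls behind a decoding layer (the decodingLevel=1 output), so anything scoring suspicious or malicious, and anything carrying JavaScript at all, should still have that JavaScript executed in an emulator such as jsunpack-n rather than be judged on static strings.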
