Showing posts with label vir-Exploit:Win32/Pdfjsc.CW. Show all posts

Wednesday, February 3, 2010

Feb. 3 CVE-2009-4324 Maritime Disputes in East Asia from wozniak@yahoo.com 03 Feb 2010 05:19:02 PST


Download 1f2cc9238129512c6f118ffdfec79189 - East China Sea 2010-1.pdf as a password protected archive (please contact me if you need the password)

Details: 1f2cc9238129512c6f118ffdfec79189 -  East China Sea 2010-1.pdf

From: Natalie S. Wozniak [mailto:natalies.wozniak@yahoo.com]
Sent: Wednesday, February 03, 2010 8:56 AM
Subject: Maritime Disputes in East Asia

Colleague,

I was able to secure permission to forward you the attached CRS report on Maritime Disputes in East Asia; it just came out today. They intentionally kept the report short, in hopes that it would increase its readership.

Please share with your colleagues. Also, please share their comments, observations and questions.

Best,

Natalie

Headers
Message-ID: <242520.45817.qm@web114111.mail.gq1.yahoo.com>
 ....
Received: from [69.197.151.114] by web114111.mail.gq1.yahoo.com via HTTP; Wed, 03 Feb 2010 05:19:02 PST
X-Mailer: YahooMailRC/272.7 YahooMailWebService/0.8.100.260964
Date: Wed, 3 Feb 2010 05:19:02 -0800 (PST)
From: "Natalie S. Wozniak"
Subject: Maritime Disputes in East Asia
To: XXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-410636181-1265203142=:45817"
  

Lookup IP Address: 69.197.151.114
General Information
Hostname: server.gvd.tw
ISP: WholeSale Internet
Organization: Max Dmitry
Country: United States  
State/Region: MO
City: Kansas City


Friday, January 29, 2010

Jan 28 CVE-2009-4324 台美軍售最新情況.pdf The latest U.S. arms sales to Taiwan from shi9927@yahoo.com.tw Jan 28, 2010 10:45 PM

  1. Download 台美軍售最新情況.pdf as 401b4f707b8063b0c4b087c41716746b  -The latest U.S. arms sales to Taiwan.zip (password protected, please contact me if you need it)
  2. Download uncompressed (with pdf-parser.py) as 401b4f707b8063b0c4b087c41716746b-The latest U.S. arms sales to Taiwan.txt

Attachment name 
台美軍售最新情況.pdf

----- Original Message -----
From: shi9927@yahoo.com.tw
To: XXXXXXXXXX
Sent: Thursday, January 28, 2010 10:45 PM
Subject: 台美軍售最新情況 (The latest U.S. arms sales to Taiwan)

___________________________________________________
Your Life Messenger: communication, entertainment, life and work, all handled at once!
http://messenger.yahoo.com.tw/

Headers
No header information is available for this post, unfortunately.


Virustotal
http://www.virustotal.com/analisis/36e94022b007648137404500a2c3be69db93ebf64dfbb4986f48316d231b3ed0-1264781712
File ________________________.pdf received on 2010.01.29 16:15:12 (UTC)
Microsoft 1.5406 2010.01.29 Exploit:Win32/Pdfjsc.CW
nProtect 2009.1.8.0 2010.01.29 Exploit.PDF-JS.Gen.C02
Sunbelt 3.2.1858.2 2010.01.29 Exploit.PDF-JS.Gen (v)
Additional information
File size: 62182 bytes
MD5...: 401b4f707b8063b0c4b087c41716746b 

Wepawet
http://wepawet.iseclab.org/view.php?hash=401b4f707b8063b0c4b087c41716746b&type=js
Analysis report for 台美軍售最新情況.pdf
File 台美軍售最新情況.pdf
MD5 401b4f707b8063b0c4b087c41716746b
Analysis Started 2010-01-29 08:15:37
Report Generated 2010-01-29 08:15:38
Jsand 1.03.02 benign 




ViCheck.ca
 https://www.vicheck.ca/md5query.php?hash=401b4f707b8063b0c4b087c41716746b
Encrypted embedded executable with a key of 1024 bytes.
Exploit method detected as pdfexploit - PDF Exploit call to media.newPlayer CVE-2009-4324.
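Wepawet's JSand verdict above is "benign" while ViCheck flags the media.newPlayer call, so it is worth having a cheap static second opinion of your own. The script below is an added example, not the post's own analysis and not the code of pdf-parser.py, ViCheck or Wepawet: it splits a PDF into objects with a crude regex, inflates /FlateDecode streams, resolves \xNN escapes inside the script, and reports /OpenAction triggers, /JS entries and the CVE-2009-4324 indicator. The PDF it scans is a constructed stand-in, not the 401b4f707b8063b0c4b087c41716746b sample, and the indicator strings, object regexes and function names are the example's own assumptions.

```python
import re
import zlib

# Strings worth flagging in a decoded PDF stream. CVE-2009-4324 is a
# use-after-free reached through the Acrobat JavaScript API method
# Doc.media.newPlayer(), so a working exploit has to name that method,
# possibly only after the script de-obfuscates itself. The other two are
# generic shellcode-staging idioms that usually travel with it.
INDICATORS = {
    b"media.newPlayer": "CVE-2009-4324 media.newPlayer call",
    b"unescape(": "unescape() shellcode assembly",
    b"%u9090": "unicode-escaped NOP sled",
}

# Crude object/stream matching for triage. A real parser (pdf-parser.py)
# honours /Length and object streams; this regex pass does not, and it
# will mis-split a file whose binary data happens to contain "endobj".
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_stream(obj_body, data):
    """Inflate a /FlateDecode stream; any other filter is returned raw."""
    if b"/FlateDecode" not in obj_body:
        return data
    try:
        # decompressobj() hands back whatever it could inflate even when the
        # stream is truncated or padded, which hand-built droppers often are.
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return data


def unhex_js(text):
    """Resolve \\xNN escapes used to hide keywords inside JS string literals."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text)


def scan_pdf(pdf_bytes):
    """Return a list of (object number, kind, detail) findings."""
    findings = []
    for m in OBJ_RE.finditer(pdf_bytes):
        objnum, body = int(m.group(1)), m.group(2)
        if b"/OpenAction" in body or b"/AA" in body:
            findings.append((objnum, "trigger", "action fires on open/page event"))
        if b"/JS" in body or b"/JavaScript" in body:
            findings.append((objnum, "javascript", "object carries a /JS or /JavaScript entry"))
        texts = [body]                      # raw dictionary plus raw stream
        sm = STREAM_RE.search(body)
        if sm:
            texts.append(decode_stream(body, sm.group(1)))  # inflated stream
        seen = set()                        # one report per indicator per object
        for text in texts:
            text = unhex_js(text)
            for needle, desc in INDICATORS.items():
                if needle in text and desc not in seen:
                    seen.add(desc)
                    findings.append((objnum, "indicator", desc))
    return findings


def is_cve_2009_4324(findings):
    """True when some script in the file names media.newPlayer."""
    return any(kind == "indicator" and "media.newPlayer" in detail
               for _, kind, detail in findings)


def build_sample():
    """Constructed stand-in for the attachment (not the real file): a
    one-page PDF whose /OpenAction runs a Flate-compressed script that
    hex-escapes one letter of the method name to dodge a naive grep."""
    js = (b"var sc = unescape('%u9090%u9090');\n"
          b"try { this.media.newPl\\x61yer(null); } catch (e) {}\n")
    packed = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for objnum, kind, detail in scan_pdf(build_sample()):
        print("obj %d  %-10s %s" % (objnum, kind, detail))
```

Run it against a real sample by replacing build_sample() with open(path, "rb").read(); the regex object splitter is deliberately loose so that a malformed file still yields its streams, which is also why a clean verdict from it proves nothing, unlike a hit.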


Here is part of the JavaScript (stream decompressed with pdf-parser.py):