Details: AAF477AF8CFB73C6BD9945C5BE403FE9 - ChinaHR.pdf
From: Jennifer Lewis [mailto:jnfrlews@yahoo.com]
Sent: Monday, January 11, 2010 10:32 PM
To: XXXXXXXXXXXX
Subject: China and Human Rights
China's lack of political freedoms
Opinion towards China brings mixed agendas
China's poor attempt to deflect attention
Resentment of Chinese economic policy not benefiting locals
Lack of international unity, despite statements by media and world leaders
China's actions fuel the very thing it says it tries to fight
China and Africa; concerns over rights and exploitation
More information...
File ChinaHR.pdf received on 2010.01.12 06:24:41 (UTC)
The message sender was jnfrlews@yahoo.com
The message originating IP was 68.142.206.41
The message recipients were XXXXXXXXXXXXX
The message was titled China and Human Rights
The message date was Mon, 11 Jan 2010 19:31:56 -0800 (PST)
The message identifier was <54825.40062.qm@web113916.mail.gq1.yahoo.com>
attach/5963841_3X_PM5_EMS_MA-PDF__ChinaHR.pdf: Infected: Exploit.Win32.Pidief.bxf [AVP]
VirusTotal
http://www.virustotal.com/analisis/b0c7da5ae8e22caeed88008c7847927a19fec7dd659746f6a124b08e3f95547b-1263277481
Result: 13/40 (32.5%)
Antivirus | Version | Last update | Result
AntiVir | 7.9.1.134 | 2010.01.11 | HTML/Silly.Gen
Antiy-AVL | 2.0.3.7 | 2010.01.11 | Exploit/Win32.Pidief
Authentium | 5.2.0.5 | 2010.01.12 | PDF/UtlPtf.B!Camelot
Avast | 4.8.1351.0 | 2010.01.11 | JS:Pdfka-ME
BitDefender | 7.2 | 2010.01.12 | Exploit.PDF-JS.Gen
eSafe | 7.0.17.0 | 2010.01.11 | PDF.Exploit
F-Secure | 9.0.15370.0 | 2010.01.12 | Exploit.PDF-JS.Gen
GData | 19 | 2010.01.12 | Exploit.PDF-JS.Gen
Kaspersky | 7.0.0.125 | 2010.01.12 | Exploit.Win32.Pidief.bxf
McAfee-GW-Edition | 6.8.5 | 2010.01.12 | Script.Silly.Gen
Sophos | 4.49.0 | 2010.01.12 | Troj/PDFJS-BX
Sunbelt | 3.2.1858.2 | 2010.01.12 | Exploit.PDF.Pidief (v)
VirusBuster | 5.0.21.0 | 2010.01.11 | JS.BOFExploit.Gen
Additional information
File size: 119239 bytes
MD5...: aaf477af8cfb73c6bd9945c5be403fe9
Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=aaf477af8cfb73c6bd9945c5be403fe9&type=js
Exploit | Description | Reference
Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927
Update January 18, 2010
jsunpack
Even better results were produced and submitted by Blake (thank you, Blake) using his jsunpack tool; see http://jsunpack.blogspot.com. util.printf (CVE-2008-2992) was detected in addition to Collab.getIcon (CVE-2009-0927).
jsunpack-n$ ./jsunpack-n.py ChinaHR.pdf -V
check line 1371
Processing ChinaHR.pdf
[malicious:10] [PDF] ChinaHR.pdf
info: [decodingLevel=0] found JavaScript
info: [decodingLevel=0] decoded 6269 bytes (./files/decoding_257729096ea832ff72e7365e34062d183d69f2fe)
malicious: Utilprintf CVE-2008-2992 detected
malicious: CollabgetIcon CVE-2009-0927 detected
info: [decodingLevel=1] found JavaScript
info: saved original parsed JavaScript to ./files/veryverbose_257729096ea832ff72e7365e34062d183d69f2fe
info: Decoding option app.viewerVersion=8.0, 4012 bytes
info: Decoding option app.viewerVersion= and app.viewerVersion=9.1, 0 bytes
info: [decodingLevel=1] decoded 4012 bytes (./files/decoding_93aa0a7dc84a9b7ef6fe87912af5481a0d6a9f4d)
suspicious: Warning detected
    //warning CVE-NO-MATCH Shellcode NOP len 9999
    //warning CVE-NO-MATCH Shellcode NOP len 506
    //warning CVE-NO-MATCH Shellcode NOP len 297
    //warning CVE-NO-MATCH Shellcode NOP len 261833
malicious: shellcode of length 565/295 (./files/shellcode_2b5537e1a69fa16a8c625e0087023c9506002d7e)
malicious: shellcode of length 551/277 (./files/shellcode_e9f9df40fb0abdc9c6b119423800ca9d0583411c)
info: [2] no JavaScript
info: [file] saved ChinaHR.pdf to (./files/original_074517645ec0b7e50bc788910dda51c0e9dcd889)
[file] created ./files/decoding_257729096ea832ff72e7365e34062d183d69f2fe from ChinaHR.pdf
[file] created ./files/veryverbose_257729096ea832ff72e7365e34062d183d69f2fe from ChinaHR.pdf
[file] created ./files/decoding_93aa0a7dc84a9b7ef6fe87912af5481a0d6a9f4d from ChinaHR.pdf
[file] created ./files/shellcode_2b5537e1a69fa16a8c625e0087023c9506002d7e from ChinaHR.pdf
[file] created ./files/shellcode_e9f9df40fb0abdc9c6b119423800ca9d0583411c from ChinaHR.pdf
[file] created ./files/original_074517645ec0b7e50bc788910dda51c0e9dcd889 from ChinaHR.pdf
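The jsunpack run above boils down to three steps: pull the JavaScript out of the PDF's objects, inflate it, and look for the exploit calls (Collab.getIcon for CVE-2009-0927, util.printf for CVE-2008-2992) and NOP-sled-like byte runs. The script below is an added example of that static triage; it is not jsunpack-n's code and it does not touch ChinaHR.pdf. The signature regexes, the thresholds (a 4-digit printf width, 16 repeated %u9090), the helper names and the sample PDF it builds are all constructed for illustration; the sample JavaScript mimics only the call shapes, carries no shellcode and is never executed.

```python
import re
import zlib

# Added example, not jsunpack-n's code and not the ChinaHR.pdf sample: a static
# triage pass over a PDF's JavaScript streams that flags the two exploit calls
# jsunpack reported on this page. Signature list, thresholds and the sample PDF
# below are all constructed for illustration.

SIGNATURES = [
    # Collab.getIcon() with an attacker-controlled string: CVE-2009-0927
    ("CVE-2009-0927", "Collab.getIcon call",
     re.compile(rb"Collab\s*\.\s*getIcon\s*\(")),
    # util.printf() with an oversized field width (4+ digits): CVE-2008-2992
    ("CVE-2008-2992", "util.printf with oversized format width",
     re.compile(rb"util\s*\.\s*printf\s*\(\s*[\"']%\d{4,}f")),
    # Crude NOP-sled indicator: 16+ consecutive %u9090 in a string literal
    ("NOP-SLED", "repeated %u9090 in unescape() string",
     re.compile(rb"(?:%u9090){16,}")),
]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
JS_INLINE_RE = re.compile(rb"/JS\s*\((.*?)\)", re.DOTALL)  # naive: no nested parens


def decode_stream(obj_body: bytes, raw: bytes) -> bytes:
    """Inflate a /FlateDecode stream. decompressobj() is used instead of
    zlib.decompress() so a truncated or trailing-garbage stream, common in
    malicious PDFs, still yields whatever inflates cleanly."""
    if b"/FlateDecode" not in obj_body:
        return raw
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return b""


def extract_js(pdf: bytes) -> dict:
    """Map object number -> JavaScript bytes for inline /JS strings and for
    stream objects referenced by a /JS entry. Only FlateDecode (or unfiltered)
    streams are handled; other filters and object streams are out of scope."""
    js, refs = {}, set()
    objs = OBJ_RE.findall(pdf)
    for num, _gen, body in objs:
        if b"/JavaScript" in body or b"/JS" in body:
            m = JS_REF_RE.search(body)
            if m:
                refs.add(int(m.group(1)))
            m = JS_INLINE_RE.search(body)
            if m:
                js[int(num)] = m.group(1)
    for num, _gen, body in objs:
        if int(num) in refs:
            sm = STREAM_RE.search(body)
            if sm:
                js[int(num)] = decode_stream(body, sm.group(1))
    return js


def scan(pdf: bytes) -> list:
    """Return [(object number, tag, description)] for every signature hit."""
    hits = []
    for num, code in sorted(extract_js(pdf).items()):
        for tag, desc, rx in SIGNATURES:
            if rx.search(code):
                hits.append((num, tag, desc))
    return hits


def build_sample_pdf(js: bytes) -> bytes:
    """Constructed minimal PDF: /OpenAction -> JavaScript action -> Flate'd /JS stream."""
    stream = zlib.compress(js)
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(bodies, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed JavaScript mimicking the call shapes jsunpack flagged (harmless:
# no real shellcode, and nothing here executes it).
SAMPLE_JS = b"\n".join([
    b'var nop = unescape("' + b"%u9090" * 32 + b'");',
    b"while (nop.length < 0x40000) nop += nop;",
    b"if (app.viewerVersion < 9) {",
    b'  util.printf("%45000f", nop);',       # CVE-2008-2992 call shape
    b"} else {",
    b'  Collab.getIcon(nop + "N.bundle");',  # CVE-2009-0927 call shape
    b"}",
])

if __name__ == "__main__":
    for num, tag, desc in scan(build_sample_pdf(SAMPLE_JS)):
        print("obj %d: %s (%s)" % (num, tag, desc))
```

The point to keep in mind is what this does not do: it never evaluates the JavaScript, so the app.viewerVersion branch that jsunpack walked by trying 8.0 and 9.1 (the decodingLevel=1 step above) is invisible to it, and any sample that builds the call name at runtime, for example via eval or `Collab["get" + "Icon"]`, slips straight past the regexes. A grep over inflated streams is a cheap first pass for mail-gateway triage; confirming a sample still means letting an emulator like jsunpack actually run the code.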