Aug 25 CVE-2009-4324 PDF CMSI_Sixth_Annual_Conference_25_Aug_2010 fom kjamesryu754@gmail.com

This post to be continued..

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

CVE-2006-6456 Unspecified vulnerability in Microsoft Word 2000, 2002, and 2003 and Word Viewer 2003 allows remote attackers to execute code via unspecified vectors related to malformed data structures that trigger memory corruption, a different vulnerability than CVE-2006-5994.

Download CVE-2006-6456_DOC_2010-08-25_ 3888E7A3BD896A9010121E9244E16A75_CMSIconf as a password protected archive (contact me if you need the password)

 Download CVE-2009-4324_PDF_2010-08-25_02BFE34BEA55E327CFDEAD9CFF215F33_CMSIconf as a password protected archive (contact me if you need the password)

 CVE-2009-4324_PDF_2010-08-25_02BFE34BEA55E327CFDEAD9CFF215F33_CMSIconf is interesting, check out object 16.1, containing some 948 pages on 333s. Also,  according to Giuseppe Bonfa, it has xref malformation  jump obj 25.0 -> 34.0.
The purpose of 333s in  obj 16.1 not clear because this file will probably crash crash every version of Adobe reader

Word document - again, according to Giuseppe, there is a layer of XOR encryption w key 0x95 and an embedded exec. http://nopaste.info/805a6694c1.html

have fun,
M