Adobe util.printd Zero Day

A critical vulnerability was discovered early this week in Adobe Reader and Acrobat versions 9.2 and earlier which could allow attackers to gain control of the affected system, not even a week after Adobe released a critical update for its Flash Player on patch Tuesday last week. The attack uses a weakness in a function called util.printd, combined with a heap spray implemented in JavaScript, to attempt to inject shellcode.

Adobe published an advisory yesterday confirming the vulnerability and plans to make an update available by January 12, 2010 to resolve the issue. In the meantime, a mitigation step is available by disabling JavaScript in Adobe Reader and Acrobat. For users with Microsoft DEP (“Data Execution Prevention”) enabled, the exploit is reduced to a denial-of-service attack.

Detailed analysis of a malicious PDF reveals the JavaScript and shows that a call to a function named util.printd leads to a memory corruption issue. This function is supposed to return a date using a specified format and takes two parameters (plus a third optional parameter not typically used). The first parameter is the format of the date and time (0 for PDF, 1 for Universal, or 2 for Localized string). The second parameter is the date object to format. In the malicious code, the first parameter is instead a string containing a @ followed by a series of numbers, rather than one of the expected values.
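The two traits described above (a util.printd call whose format argument is not one of the documented values, sitting next to a JavaScript heap spray) can be turned into a triage rule for PDFs. The following scanner is an added example, not code from the original post or from Adobe. It assumes only the Python standard library, constructs its own minimal PDF in memory (the sample scripts are constructed, not taken from any real malicious file), and its stream extraction is a regex heuristic rather than a full PDF parser. It also treats a quoted date-format literal such as "mm/dd/yyyy", which Acrobat's JavaScript API accepts for this parameter, as benign.

```python
"""Triage scanner for the util.printd / heap-spray pattern described above.

Added example (not the original post's or Adobe's code).  Extracts JavaScript
carried in FlateDecode streams of a PDF and flags (a) util.printd calls whose
format argument is neither 0/1/2 nor a plain date-format literal and (b) the
heap-spray idiom: unescape("%u....") strings grown by self-concatenation.
"""
import re
import zlib

# Format values the post lists for the first util.printd parameter.
VALID_PRINTD_FORMATS = {"0", "1", "2"}
# Acrobat also accepts a date-format string literal such as "mm/dd/yyyy".
BENIGN_FORMAT_LITERAL = re.compile(r'''^["'][A-Za-z0-9 /:.,-]*["']$''')

PRINTD_CALL = re.compile(r'util\.printd\s*\(\s*([^,)]+)')
UNICODE_ESCAPE = re.compile(r'%u[0-9a-fA-F]{4}')
SELF_CONCAT_LOOP = re.compile(r'while\s*\(\s*\w+\.length\s*<')
# A stream object: its dictionary (one nesting level allowed) and raw body.
STREAM = re.compile(
    rb'<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\nendstream', re.S)


def extract_javascript(pdf: bytes) -> list:
    """Return the text of every stream that looks like Acrobat JavaScript."""
    scripts = []
    for dictionary, body in STREAM.findall(pdf):
        if b"/FlateDecode" in dictionary:
            try:
                # decompressobj tolerates a stray CR left after the data.
                d = zlib.decompressobj()
                body = d.decompress(body) + d.flush()
            except zlib.error:
                continue
        text = body.decode("latin-1")
        if "util." in text or "unescape(" in text or "app." in text:
            scripts.append(text)
    return scripts


def suspicious_printd_formats(script: str) -> list:
    """First arguments of util.printd that are not 0/1/2 or a format literal."""
    bad = []
    for arg in PRINTD_CALL.findall(script):
        arg = arg.strip()
        if arg in VALID_PRINTD_FORMATS or BENIGN_FORMAT_LITERAL.match(arg):
            continue
        bad.append(arg)
    return bad


def has_heap_spray(script: str) -> bool:
    """Two or more %uXXXX escapes plus a self-doubling loop is the spray idiom."""
    return (len(UNICODE_ESCAPE.findall(script)) >= 2
            and SELF_CONCAT_LOOP.search(script) is not None)


def scan_pdf(pdf: bytes) -> dict:
    """Summarise findings for one PDF as a dict with a final verdict."""
    findings = {"printd_bad_format": [], "heap_spray": False}
    for script in extract_javascript(pdf):
        findings["printd_bad_format"] += suspicious_printd_formats(script)
        findings["heap_spray"] |= has_heap_spray(script)
    findings["verdict"] = ("suspicious" if findings["printd_bad_format"]
                           or findings["heap_spray"] else "clean")
    return findings


def build_sample_pdf(script: str) -> bytes:
    """Constructed minimal PDF whose OpenAction runs `script` from a compressed stream."""
    body = zlib.compress(script.encode("latin-1"))
    parts = [
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /Type /Action /S /JavaScript /JS 4 0 R >> endobj",
        b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>",
        b"stream", body, b"endstream", b"endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ]
    return b"\n".join(parts) + b"\n"


# Constructed sample scripts; neither is taken from a real malicious PDF.
SPRAY_AND_BAD_PRINTD = (
    'var s = unescape("%u4141%u4141");\n'
    'while (s.length < 0x10000) s += s;\n'
    'util.printd("@1234567890", new Date());\n'
)
BENIGN = 'util.printd("mm/dd/yyyy", new Date());\napp.alert("hello");\n'

if __name__ == "__main__":
    for name, script in (("constructed malicious", SPRAY_AND_BAD_PRINTD),
                         ("constructed benign", BENIGN)):
        print(name, scan_pdf(build_sample_pdf(script)))
```

Run it on a real file with `scan_pdf(open(path, "rb").read())`. Because the printd check keys on the argument's shape rather than a byte signature, a variant that passes the format through a variable is still flagged for review, while ordinary date-formatting calls pass.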

JS heap spray and vulnerable function call.

Email Phishing, Malicious PDFs, and Metasploit

A Metasploit exploit module has been released taking advantage of this vulnerability. The integration into Metasploit can accelerate the spread of exploits for this vulnerability in the wild. A video demonstration utilizing this module can be seen here.

Examples of the phishing emails along with examples of the malicious PDF files can be found on the Contagio malware dump site here and here. The following two emails are examples of the phishing methods used to have users open the malicious PDF files:

Email One:

[mailto:chrisanderson58@hotmail.com]
Sent: 2009-11-30 1:56 AM
To: XXX@XXX.XXX
Subject: FW: reference
----
From: jackr@gilbrooks.edu
To: chrisanderson58@hotmail.com
Subject: reference
Date: Mon, 30 Nov 2009 06:53:52 +0000


Dear All
Please find attached the updated country briefing notes, and staff lists.


Kind regards
Jack

Email Two:

[mailto:fureer.angelica@gmail.com]
Sent: 2009-12-13 12:14 AM
To: XXXXXX
Subject: Interview Request


This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
There's growing concern about the U.S.-North Korea bilateral talks.
So, we're planning an Interview about them.
Attached is the outline of the interview.


p.s. Detailed schedules will be followed soon if you accept the offer.

Workarounds (from a previous post)

Disabling Javascript on Adobe Acrobat

Adobe notes that disabling JavaScript mitigates the specific exploit identified, although it would be possible to create a variant that does not rely on JavaScript. To disable JavaScript in Adobe Reader or Acrobat, select Edit > Preferences, select the JavaScript option on the left, and uncheck the Enable Acrobat JavaScript option as shown.

Uncheck to disable Acrobat JavaScript

Data Execution Prevention

Also, for users with DEP enabled on Windows Vista or Windows 7, the exploit is reduced from remote code execution to denial of service. Data Execution Prevention (DEP) performs additional checks on memory to help prevent malicious code from running, and is designed to stop buffer overflow attacks from executing injected code. To enable DEP on Windows for all or individual programs, go to Control Panel -> System and Maintenance -> System, click Advanced System Settings, under Performance click Settings, and finally under the Data Execution Prevention tab click Turn on DEP for all programs and services except those I select. If you cannot find Acrobat in the list of programs, click Add, browse to the Acrobat executable (.exe) file, and click Open. For more information on DEP settings, visit the Microsoft help page.

Comments (2)

  2. jf says:

    Just FYI, this analysis (and the one sourced from) is wrong. It’s a bug in the mediaPlayer(null), not printd.
