Virus Guy
Since: Aug 05, 2005 Posts: 452
Posted: Sun Mar 01, 2009 9:40 am Post subject: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Archived from groups: alt>comp>virus
I've run the POC examples at Milw0rm against win-98 / Acrobat 6 and saw
no problems (acrobat did not crash). Can anyone else confirm that
win-98 and/or acrobat 6 is (or is not) vulnerable to this exploit?
VirusTotal identifies the POC examples variously as:
- Expoit.PDF.JBIG2Decode
- Exploit.PDF-29
- Exploit.Win32.Pidief
- PDF/Shellcode
- Exploit.PDF-JS.Gen.C07
- Exploit:JS/IframeBOShell
Do all those ID's map to essentially the same PDF exploit (JBIG2 buffer
overflow) ?
Also, there were reports back in November of a PDF spam that was faked
to look like it came from a US Federal Reserve Bank:
http://www.pc1news.com/news/0369/is-federal-reserve-delivering-pdf-exploit.html
What PDF exploit was used in that situation?
Or was it a javascript exploit contained within a PDF file?

VanguardLH
Since: Feb 12, 2009 Posts: 48
Posted: Sun Mar 01, 2009 1:04 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Archived from groups: per prev. post
Virus Guy wrote:
> I've run the POC examples at Milw0rm against win-98 / Acrobat 6 and saw
> no problems (acrobat did not crash). Can anyone else confirm that
> win-98 and/or acrobat 6 is (or is not) vulnerable to this exploit?
>
> VirusTotal identifies the POC examples variously as:
>
> - Expoit.PDF.JBIG2Decode
> - Exploit.PDF-29
> - Exploit.Win32.Pidief
> - PDF/Shellcode
> - Exploit.PDF-JS.Gen.C07
> - Exploit:JS/IframeBOShell
>
> Do all those ID's map to essentially the same PDF exploit (JBIG2 buffer
> overflow) ?
>
> Also, there were reports back in November of a PDF spam that was a faked
> to look like it came from a US Federal Reserve Bank:
>
> http://www.pc1news.com/news/0369/is-federal-reserve-delivering-pdf-exploit.html
>
> What PDF exploit was used in that situation?
>
> Or was it a javascript exploit contained within a PDF file?
A side question: How many times over many years have you ever
encountered a legitimate PDF file that contains Javascript and which is
required to view that PDF?
Tis easy 'nuff to just disable Javascript within Acrobat Reader if you
rarely or never encounter any valid PDF files that use it. I've had
Javascript disabled in Acrobat Reader (and later in PDF-Xchange as a
replacement to Acrobat Reader) for as long as I've had it installed and
haven't yet encountered a PDF that needed it enabled.

ASCII
Since: Mar 01, 2009 Posts: 35
Posted: Sun Mar 01, 2009 1:04 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Imported from groups: per prev. post
This message is not archived.

VanguardLH
Since: Feb 12, 2009 Posts: 48
Posted: Sun Mar 01, 2009 2:46 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Archived from groups: per prev. post
ASCII wrote:
> How do you like PDF-Xchange?
Loads fast. Haven't had the crashes from its add-on in IE7. Can
annotate/edit the PDF file. I haven't qualitatively measured the
performance but searches feel much quicker than in Acrobat Reader. Disk
footprint is 17MB and memory footprint for viewer app is 15.5MB. I
haven't felt any urge to go back to Adobe Reader.
I do remember trialing Foxit Reader maybe 2 years ago and decided not to
stick with it but it has been way too long for me to remember why.
Whatever I didn't like about it then might not be true today. As I
recall, Foxit Reader's printing stuck in some "evaluation" water mark
(which pretty much meant that I would never print from that
application). I don't like crippleware or nagware.

ASCII
Since: Mar 01, 2009 Posts: 35
Posted: Sun Mar 01, 2009 2:46 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Imported from groups: per prev. post
This message is not archived.

Virus Guy
Since: Aug 05, 2005 Posts: 452
Posted: Sun Mar 01, 2009 3:09 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer Archived from groups: per prev. post
VanguardLH wrote:
> A side question: How many times over many years have you ever
> encountered a legitimate PDF file that contains Javascript and
> which is required to view that PDF?
I don't know enough about the history of development or internal
structure of PDF files to know what they should have vs what they do
have vs what drives Adobe's product development or revenue generation
needs.
Adobe has the same corporate motto as Microsoft:
If it works, it's not complicated enough.
> Tis easy 'nuff to just disable Javascript within Acrobat Reader
> if you rarely or never encounter any valid PDF files that use
> it.
In case you're not fully up to speed on this, the current pdf issue
(jbig2) is not dependent on javascript and the exploit can be triggered
by pdf files that do not utilize java script.
To bring this thread back on track -
Can anyone else confirm that win-98 and/or acrobat 6 is (or is not)
vulnerable to this exploit?
What PDF exploit was making the rounds back last November?

VanguardLH
Since: Feb 12, 2009 Posts: 48
Posted: Sun Mar 01, 2009 3:09 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Archived from groups: per prev. post
Virus Guy wrote:
> Adobe has the same corporate motto as Microsoft:
> If it works, it's not complicated enough.
I thought it was "Make it open to everyone unless they start to threaten
our revenue - like when Microsoft decided to add PDF support - and then
threaten to sue to keep our 'open' standard closed to us."
>> Tis easy 'nuff to just disable Javascript within Acrobat Reader
>> if you rarely or never encounter any valid PDF files that use
>> it.
>
> In case you're not fully up to speed on this, the current pdf issue
> (jbig2) is not dependent on javascript and the exploit can be triggered
> by pdf files that do not utilize java script.
http://www.computerworld.com/action/article.do?command=viewArticleBasi...rticleI
"Security experts said that users can mitigate the possibility of
attacks by disabling JavaScript within their Adobe software, but doing
so could break corporate applications that rely on the scripting
software."

Max Wachtel
Since: Dec 25, 2006 Posts: 8
Posted: Sun Mar 01, 2009 5:29 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer Archived from groups: per prev. post
ASCII wrote:
> Maybe I'll give PDF-Xchange a try ( in a sandbox <g>)
There is also a portable version available.
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Change nomail.afraid.org to gmail.com to reply by email.
nomail.afraid.org is specifically setup for use in USENET

ASCII
Since: Mar 01, 2009 Posts: 35
Posted: Sun Mar 01, 2009 5:29 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Imported from groups: per prev. post
This message is not archived.

kurt wismer
Since: Jul 04, 2003 Posts: 1522
Posted: Sun Mar 01, 2009 6:09 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer Archived from groups: per prev. post
Virus Guy wrote:
> I've run the POC examples at Milw0rm against win-98 / Acrobat 6 and saw
> no problems (acrobat did not crash). Can anyone else confirm that
> win-98 and/or acrobat 6 is (or is not) vulnerable to this exploit?
>
> VirusTotal identifies the POC examples variously as:
>
> - Expoit.PDF.JBIG2Decode
> - Exploit.PDF-29
> - Exploit.Win32.Pidief
> - PDF/Shellcode
> - Exploit.PDF-JS.Gen.C07
> - Exploit:JS/IframeBOShell
>
> Do all those ID's map to essentially the same PDF exploit (JBIG2 buffer
> overflow) ?
possibly... if they were all ID's given to the same sample then
definitely, but i have no idea of the provenance of the samples at
milw0rm...
> Also, there were reports back in November of a PDF spam that was a faked
> to look like it came from a US Federal Reserve Bank:
>
> http://www.pc1news.com/news/0369/is-federal-reserve-delivering-pdf-exploit.html
>
> What PDF exploit was used in that situation?
>
> Or was it a javascript exploit contained within a PDF file?
the latter by the sounds of it...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

kurt wismer
Since: Jul 04, 2003 Posts: 1522
Posted: Sun Mar 01, 2009 6:13 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer Archived from groups: per prev. post
VanguardLH wrote:
> Virus Guy wrote:
>
>> I've run the POC examples at Milw0rm against win-98 / Acrobat 6 and saw
>> no problems (acrobat did not crash). Can anyone else confirm that
>> win-98 and/or acrobat 6 is (or is not) vulnerable to this exploit?
>>
>> VirusTotal identifies the POC examples variously as:
>>
>> - Expoit.PDF.JBIG2Decode
>> - Exploit.PDF-29
>> - Exploit.Win32.Pidief
>> - PDF/Shellcode
>> - Exploit.PDF-JS.Gen.C07
>> - Exploit:JS/IframeBOShell
>>
>> Do all those ID's map to essentially the same PDF exploit (JBIG2 buffer
>> overflow) ?
>>
>> Also, there were reports back in November of a PDF spam that was a faked
>> to look like it came from a US Federal Reserve Bank:
>>
>> http://www.pc1news.com/news/0369/is-federal-reserve-delivering-pdf-exploit.html
>>
>> What PDF exploit was used in that situation?
>>
>> Or was it a javascript exploit contained within a PDF file?
>
> A side question: How many times over many years have you ever
> encountered a legitimate PDF file that contains Javascript and which is
> required to view that PDF?
pdf's aren't solely for static documents... in fact the pdf format is
capable of providing a remarkable multimedia experience... the pdf files
you're accustomed to are simply the more mundane uses of the pdf format..
> Tis easy 'nuff to just disable Javascript within Acrobat Reader if you
> rarely or never encounter any valid PDF files that use it. I've had
> Javascript disabled in Acrobat Reader (and later in PDF-Xchange as a
> replacement to Acrobat Reader) for as long as I've had it installed and
> haven't yet encountered a PDF that needed it enabled.
that's a perfectly reasonable security measure...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Virus Guy
Since: Aug 05, 2005 Posts: 452
Posted: Sun Mar 01, 2009 6:40 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer Archived from groups: per prev. post
VanguardLH wrote:
> > In case you're not fully up to speed on this, the current pdf
> > issue (jbig2) is not dependent on javascript and the exploit
> > can be triggered by pdf files that do not utilize java script.
>
> "Security experts said that users can mitigate the possibility of
> attacks by disabling JavaScript within their Adobe software,
That was the early advice, given last week during the first few days of
general public awareness.
It's since been posted in various venues that the exploit is not
technically a javascript exploit.
Javascript is used by rogue PDF's (discovered so far) to prepare the
heap (heap spray) in preparation to triggering the exploit. The heap
can be setup using other methods, however. It is widely anticipated
that other PDF files will be (or are already) circulating that do not
use javascript.
Now that we've beaten that to death, the original 2 questions remain:
1) Is there confirmation that win-98 / Acrobat 6 is vulnerable, and
2) what pdf exploit was circulating last november?

VanguardLH
Since: Feb 12, 2009 Posts: 48
Posted: Sun Mar 01, 2009 10:21 pm Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Archived from groups: per prev. post
kurt wismer wrote:
> VanguardLH wrote:
>>
>> How many times over many years have you ever
>> encountered a legitimate PDF file that contains Javascript and which is
>> required to view that PDF?
>
> pdf's aren't solely for static documents... in fact the pdf format is
> capable of providing a remarkable multimedia experience... the pdf files
> you're accustomed to are simply the more mundane uses of the pdf format..
Multimedia content within PDF documents requires the use of Javascript?
>> Tis easy 'nuff to just disable Javascript within Acrobat Reader if you
>> rarely or never encounter any valid PDF files that use it. I've had
>> Javascript disabled in Acrobat Reader (and later in PDF-Xchange as a
>> replacement to Acrobat Reader) for as long as I've had it installed and
>> haven't yet encountered a PDF that needed it enabled.
>
> that's a perfectly reasonable security measure...
Virus Guy doesn't think so. He mentioned the heap spray scheme to get
unwanted code to execute and I remember reading about that scheme, and
that the code would be pretty tiny so the payload had to be in the
infected doc. I looked at one proof of concept that used a Perl script
to create a test doc that supposedly exhibited the JBig exploit but the
sample created by the Perl script didn't look to have Javascript code
within it but tis hard to tell since some of the sample was hex.
See http://isc.sans.org/diary.html?storyid=5926&rss. This guy says "All
of the current observed samples are still utilizing JavaScript; this
will NOT be the case moving forward!" So while the exploit doesn't
require Javascript, all current exploit samples use it and that's why
disabling Javascript is still being recommended as a temporary fix until
Adobe gets their patch out on March 11. Javascript-less exploit samples
may start showing up but perhaps not before the patch gets released.
There is a link in that article to another article that announces
"Disabling JavaScript does not prevent exploitation". Okay, but if all
current in-the-wild exploit samples are using Javascript then disabling
Javascript is, for now, an effective countermeasure. Proofs of Concept
(POC) to show the exploit are not the same as in-the-wild samples. So
Virus Guy is technically correct that Javascript isn't needed for the
exploit but is not valid regarding the currently known exploit samples.
See http://secunia.com/advisories/33901/. Well, this seems to indicate
that the code in Adobe's libraries (used by both Acrobat and Reader) is
flawed. That doesn't mean equivalent handler code in other PDF
utilities is similarly flawed (it is doubtful that Adobe is sharing
their product code), so Foxit, PDF-Xchange, and so on probably aren't
susceptible to this array index overrun exploit. Supporting the same
doc or encoding formats does not result in the same code in the program.
So like Linux proselytizers like to comment regarding their OS as a
smaller target, Foxit and PDF-Xchange are also smaller targets and may
not be prone to code deficiencies that lack boundary checking. JBig2 is
a compression standard. It is a specification, not a code programming
guide. Is every PDF utility that supports JBig2 actually sharing the
same codec? If true, the security experts would be pointing their
fingers at that source, not at Adobe. Although Virus Guy doesn't
believe disabling Javascript will kill the exploit (just the exploit and
now how currently implemented with Javascript) then it seems the
recommendation would be to switch away from Adobe Reader to equivalent
or more capable PDF reader utilities.
However, I doubt by the time that Virus Guy finds an answer to his
specific setup question that it will be before the March 11 deadline when
Adobe says it will be publishing a fix for the exploit. According to
Secunia, any code can be executed so that also means any Win32 API calls
could be issued and those would work just as well on Windows 98.
Actually the exploit code would be machine code which means it runs on
any OS where the format of the instruction is valid and the function
within that format is also valid, so it depends on just what is the
exploit code that gets deposited into memory. What I do see for the
Adobe Reader 9 download is that it lists the system requirements at:
http://www.adobe.com/products/reader/systemreqs/#90win
Since Windows 98 is not listed as a supported platform for version 9 of
Adobe Reader, does v9 allow itself to install on Windows 98? When I
click the link to choose a different OS (than the one their web page
detects for my OS) so I can pick a version that supports Windows 98,
they don't have Windows 98 in the list. The oldest version that I could
select was "Windows NT SP6". That brought up Adobe Reader 7.6. My
recollection is that v5.1 of Adobe Acrobat Reader (which was before they
dropped Acrobat from the product name) was the latest that supported a
9x-based version of Windows.
Anyone know in which version of their [Acrobat] Reader product that
Adobe added JBig2 support? The final *draft* for JBig2 wasn't until
July 1999 (http://www.jpeg.org/public/fcd14492.pdf), so availability
would've been after that.

David H. Lipman
Since: Jul 04, 2003 Posts: 2245
Posted: Mon Mar 02, 2009 12:43 am Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Archived from groups: per prev. post
From: "Virus Guy"
| 2) what pdf exploit was circulating last november?
They had to do with the Print() and CollabEmail() { not actual function names, I forget
their formal names } in Adobe Javascript.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Virus Guy
Since: Aug 05, 2005 Posts: 452
Posted: Mon Mar 02, 2009 8:40 am Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer Archived from groups: per prev. post
"David H. Lipman" wrote:
> | 2) what pdf exploit was circulating last november?
>
> They had to do with the Print() and CollabEmail() { not actual
> function names, I forget their formal names } in Adobe Javascript.
So - did that require a Java JRE patch (supplied by Sun) or a patch to
acrobat (supplied by Adobe) ?

David H. Lipman
Since: Jul 04, 2003 Posts: 2245
Posted: Mon Mar 02, 2009 10:02 am Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Archived from groups: per prev. post
From: "Virus Guy"
| "David H. Lipman" wrote:
>> | 2) what pdf exploit was circulating last november?
>> They had to do with the Print() and CollabEmail() { not actual
>> function names, I forget their formal names } in Adobe Javascript.
| So - did that requre a Java JRE patch (supplied by Sun) or a patch to
| acrobat (supplied by Adobe) ?
No. That had nothing to do with SUN JRE.
It required updating the version of Acrobat/Reader.
BTW: One was; Collab.collectEmailInfo()
True function name.
Snippet example (not fully functioning)

    // Version gate: the branch only runs on Reader/Acrobat below 7.1 or on
    // 8.0 through 8.1.1 (as the comparisons below work out). The helper
    // ooyS1YUR() is not part of this snippet.
    function RYiFEs8K()
    {
        var XrCU20If = app.viewerVersion.toString();
        XrCU20If = XrCU20If.replace(/\D/g,'');        // keep only the digits
        var TPWRJTZJ = new Array(
            XrCU20If.charAt(0),
            XrCU20If.charAt(1),
            XrCU20If.charAt(2));
        if ((TPWRJTZJ[0] == 8 && ((TPWRJTZJ[1] == 1 && TPWRJTZJ[2] < 2) || TPWRJTZJ[1] < 1)) ||
            (TPWRJTZJ[0] == 7 && TPWRJTZJ[1] < 1) ||
            (TPWRJTZJ[0] < 7)) {
            ooyS1YUR();                                   // defined elsewhere in the sample
            var nabGR_dc = unescape("%u0c0c%u0c0c");
            while(nabGR_dc.length < 44952) nabGR_dc += nabGR_dc;   // grow to an oversized string
            this.collabStore = Collab.collectEmailInfo({subj: "",msg: nabGR_dc});   // the function being abused
        }
    }
    RYiFEs8K();
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Heather
Since: Mar 02, 2009 Posts: 13
Posted: Mon Mar 02, 2009 10:57 am Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Archived from groups: per prev. post
David.....what in heck was in this message. Avast went off
immediately!!!! Good thing I didn't have the sound on.......but at
least I know it works, lol. I now forget what it told me it
was.....started with "kp" I think.
Heather
"David H. Lipman" wrote in message
> avast!: Message body was removed because it contained a virus.

ASCII
Since: Mar 01, 2009 Posts: 35
Posted: Mon Mar 02, 2009 11:06 am Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Imported from groups: per prev. post
This message is not archived.

Ant
Since: Jan 31, 2004 Posts: 263
Posted: Mon Mar 02, 2009 11:10 am Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Archived from groups: per prev. post
"Virus Guy" wrote:
> "David H. Lipman" wrote:
>> | 2) what pdf exploit was circulating last november?
>>
>> They had to do with the Print() and CollabEmail() { not actual
>> function names, I forget their formal names } in Adobe Javascript.
>
> So - did that requre a Java JRE patch (supplied by Sun) or a patch to
> acrobat (supplied by Adobe) ?
Javascript has nothing to do with Java or the JRE. Adobe has to patch
their reader and/or Javascript implementation.
The only exploits I've seen in PDFs over the last few months use
'Collab.collectEmailInfo()' and 'util.printf()'. I think util.printf
only works on versions greater than 8. These are Adobe functions
called from the script after it has filled memory with shellcode.
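A defender-side triage check for the indicators this thread discusses: JBIG2Decode-filtered streams, embedded JavaScript, and the Collab.collectEmailInfo / util.printf calls Ant and David name, which also illustrates VanguardLH's point that disabling JavaScript only covers samples that use it. This is an added example, not any poster's code; it is a regex scan over the raw file (resolving #xx name escapes and inflating FlateDecode streams), not a full PDF parser, and both sample documents are constructed byte strings.

```python
import re
import zlib

# Acrobat JavaScript API names the thread reports as abused in the wild.
# Assumption: ordinary documents rarely call them, so any hit merits a look.
SUSPICIOUS_JS_API = (b"Collab.collectEmailInfo", b"util.printf")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"<<(.*)>>\s*stream\r?\n(.*?)\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, so /J#53 is seen as /JS."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated bodies of /FlateDecode streams, so script hidden in
    compressed objects is visible to the keyword checks. Other stream filters
    (LZW, ASCIIHex, ...) are not decoded here."""
    inflated = []
    for obj in data.split(b"endobj"):            # one chunk per indirect object
        m = STREAM_RE.search(obj)
        if m and b"/FlateDecode" in normalize_names(m.group(1)):
            try:
                inflated.append(zlib.decompress(m.group(2)))
            except zlib.error:
                inflated.append(b"")             # corrupt stream: skip, not crash
    return data + b"\n" + b"\n".join(inflated)


def triage_pdf(raw: bytes) -> dict:
    """Return the indicators found plus a coarse verdict: clean / review / suspicious."""
    data = normalize_names(inflate_streams(raw))
    found = {
        "jbig2_streams": len(re.findall(rb"/JBIG2Decode", data)),
        "has_javascript": re.search(rb"/(JavaScript|JS)\b", data) is not None,
        "suspicious_api_calls": [a.decode() for a in SUSPICIOUS_JS_API if a in data],
    }
    if found["suspicious_api_calls"]:
        found["verdict"] = "suspicious"
    elif found["has_javascript"] or found["jbig2_streams"]:
        found["verdict"] = "review"     # JS or a JBIG2 image alone proves nothing
    else:
        found["verdict"] = "clean"
    return found


def _stream_obj(num: int, dictionary: bytes, body: bytes) -> bytes:
    return b"%d 0 obj\n<< %s /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (
        num, dictionary, len(body), body)


# Constructed samples: minimal PDF-shaped byte strings, not renderable documents.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              + _stream_obj(4, b"", b"BT /F1 12 Tf (hello) Tj ET") + b"%%EOF\n")

_JS = b"var p = unescape('%u0c0c%u0c0c'); Collab.collectEmailInfo({subj: '', msg: p});"
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /Java#53cript /J#53 5 0 R >> >>\nendobj\n"
    + _stream_obj(5, b"/Filter /FlateDecode", zlib.compress(_JS))   # compressed, escaped names
    + _stream_obj(6, b"/Type /XObject /Subtype /Image /Filter /JBIG2Decode", b"\x00\x00\x00\x01")
    + b"%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(sample))
```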

ASCII
Since: Mar 01, 2009 Posts: 35
Posted: Mon Mar 02, 2009 11:13 am Post subject: Re: Windows 98 / Acrobat 6 appears not vulnerable to JBIG2 buffer overflow Imported from groups: per prev. post
This message is not archived.