

Showing posts from November, 2010

More PDF Decryption Enhancements for PDF Examiner

Got rid of an unsigned int issue when calculating the permissions value for some types of encrypted PDFs. If you had any issues with decrypting malware PDFs, try resubmitting to the PDF Examiner. The second update was to handle owner password string literals in octal.

Apparently, to get a 4-byte hex of a PHP int you can't just go dechex($permissions); you'll need to go dechex( pow(2, 32)- pow(2, 32)+$permissions) to get the larger unsigned int range. Fun workarounds, but it's at least closer to C than Python ;).
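
The two parsing details above, as an added Python example (not PDF Examiner's code): the signed /P permissions value has to be hashed as an unsigned 32-bit number, low-order byte first, and the /O owner string may carry bytes as octal escapes. Function names and sample values are constructed for illustration.

```python
import struct

# Single-character escapes defined for PDF literal strings.
_SIMPLE = {b"n": 0x0A, b"r": 0x0D, b"t": 0x09, b"b": 0x08, b"f": 0x0C,
           b"(": 0x28, b")": 0x29, b"\\": 0x5C}
_OCTAL = b"01234567"

def decode_literal_string(body: bytes) -> bytes:
    """Decode the inside of a PDF literal string (outer parentheses removed)."""
    out, i = bytearray(), 0
    while i < len(body):
        ch = body[i:i + 1]
        i += 1
        if ch != b"\\":
            out += ch
            continue
        if i >= len(body):           # trailing backslash, nothing to escape
            break
        nxt = body[i:i + 1]
        if nxt in _OCTAL:            # \d, \dd or \ddd: one byte written in octal
            j = i
            while j < len(body) and j - i < 3 and body[j:j + 1] in _OCTAL:
                j += 1
            out.append(int(body[i:j], 8) & 0xFF)  # high-order overflow ignored
            i = j
        elif nxt in _SIMPLE:
            out.append(_SIMPLE[nxt])
            i += 1
        elif nxt in (b"\r", b"\n"):  # backslash + end-of-line: line continuation
            i += 2 if body[i:i + 2] == b"\r\n" else 1
        else:                        # unknown escape: the backslash is dropped
            out += nxt
            i += 1
    return bytes(out)

def permissions_bytes(p: int) -> bytes:
    """Return /P as the 4 bytes, low-order first, that key derivation hashes."""
    if not -(1 << 31) <= p < (1 << 32):
        raise ValueError("/P does not fit in 32 bits")
    return struct.pack("<I", p & 0xFFFFFFFF)  # two's complement -> unsigned

# Constructed sample values, not taken from any real file.
SAMPLE_P = -3904                         # signed form, as written in the file
SAMPLE_O_FRAGMENT = rb"\050\101\3769\)"  # octal escapes mixed with plain bytes
```

Both the signed and the unsigned spelling of the same /P value yield identical bytes, which is what keeps the derived key stable regardless of how the integer was parsed.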

Unconfirmed Adobe PDF zeroday with this.printSeps

Reports on Twitter are circulating that a new Adobe PDF zero-day PoC was posted to Full Disclosure (Nov 3rd, 2010). The file xpl_pdf.bin (MD5 d000e74163e34fc65914676674776284) contains a small JavaScript heap spray and a call to this.printSeps, which in tests does crash Adobe. It's not clear if this is further vulnerable to exploitation or what versions of OS and Acrobat are affected. The exploit itself requires an Adobe version between 8 and 10.

A blog post from earlier this year (April 9th 2010) on a Russian blog details the memory access error from using this.printSeps(), which is described as a denial of service bug. Interesting that this bug didn't pop up to a wider audience over the 7 months it was public.

Added initial detection for this potential exploit to PDF Examiner. You can analyze the file in PDF Examiner here. Bad JavaScript is available here.

Adobe PSIRT has reported they are investigating the issue. Mitigation advice has been posted here (such as disable JavaScript i…