Ministry of Science,

Technology & Innovation

LibTAPAU:The Danger of LibTIFF +

Adobe PDF
Crowne Plaza|| KL || .MY || 2010-10-13

MAHMUD AB RAHMAN
(MyCERT, CyberSecurity Malaysia)

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia
 Ministry of Science,

MYSELF
Technology & Innovation

  Mahmud Ab Rahman
  MyCERT, CyberSecurity Malaysia
  Lebahnet(honeynet), Botnet, Malware

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 2
 Ministry of Science,

Agenda
Technology & Innovation

  Intro
  PDF + LibTIFF Attacks
  Analyzing malicious PDF + LibTIFF
  Issues
  Reducing/Mitigation The Problem?
  Outro/Conclusion

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 3
 Ministry of Science,
Technology & Innovation

INTRO

1)Intro 3)Analyzing 5)Mitigation

2)PDF attacks 4)Issues 6)Conclusion

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia
 Ministry of Science,

INTRO : PDF 101

Technology & Innovation

  PDF: Portable Destructive File : )

  Portable Document Format
  Open Standard (2008) by Adobe (previously
proprietary)
  Mainly for independent format instead of
*.doc, .odp, *.xls, *.ppt, *.etc, *.etc
  PDF Reader Applications (Adobe Reader, Foxit
Reader, SumatraPDF,etc,etc)

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 5
 Ministry of Science,

INTRO : PDF Format

Technology & Innovation

  Has its own language

  Normally just ASCII characters.(/Filters /
application elements are using binary data
(stream)
  ASCII – Readable (any text editors will do)
  Start with header (%PDF-[version])
  End with eof element (%%EOF)

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 6
 Ministry of Science,

INTRO : PDF Format (diagram)

Technology & Innovation

%PDF-1.1
PDF Start (version)
1 0 obj
<< PDF Object (obj … endobj)
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
-stream element contains
>>
endobj
data (“ hello w00t!”). End
….
5 0 obj with endstream
<< /Length 67 >>
stream - Normally needs to decode
BT
/F1 24 Tf
100 700 Td
the data inside stream
(Hello w00t!)Tj
ET
element
endstream
endobj - JavaScript object starts
xref
with /JS
08
0000000000 65535 f - Main subject to be abuse
0000000012 00000 n
0000000089 00000 n

trailer
<< Cross Reference
/Size 8
/Root 1 0 R
>>
startxref
Trailer
642

%%EOF End of File

Securing Our Cyberspace
Copyright © 2009 CyberSecurity Malaysia 7
 Ministry of Science,

INTRO : PDF Format

Technology & Innovation

  view inside PDF readers

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 8
 Ministry of Science,

INTRO : TIFF 101

Technology & Innovation

  Tagged Image File Format (abbreviated TIFF)

  file format for storing images
  it is under the control of Adobe Systems (2009)
  widely supported by image-manipulation
application

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 9
 Ministry of Science,

INTRO : TIFF 101

Technology & Innovation

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 10
 Ministry of Science,

INTRO : Why attacking PDF + LibTIFF?

Technology & Innovation

  Just another attacking vector

  Widely used (popular)
o Wider target
  Main player application have bugs
o Again, wider target
o Generate more interest (more bugs after the 1st
one (almost 3 years now))
  The emerge of client-side attack (PDF plugin on
web browser- create more ways to target)

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 11
 Ministry of Science,
Technology & Innovation

PDF ATTACKS

1)Intro 3)Analyzing 5)Mitigation

2)PDF attacks 4)Issues 6)Conclusion

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia
 Ministry of Science,

PDF Attacks: How it works

Technology & Innovation

Forward the pdf file by any means [spam, weblink,web

2
upload,usb,p2p share..etc..etc]

1
User open the file with
Crafting malicious pdf
vulnerable pdf reader

4
Bug triggered, payload executed

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 13
 Ministry of Science,

PDF Attacks: How it works

Technology & Innovation

Forward the pdf file by any means [spam, weblink,web

2
upload,usb,p2p share..etc..etc]

1
User open the file with
Crafting malicious pdf
vulnerable pdf reader

4
Bug triggered, payload executed

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 14
 Ministry of Science,

LibTIFF Attacks: Recent Bugs

Technology & Innovation

  LibTIFF’s bugs
o CVE: 2005-1544
o CVE-2006-3459
o CVE: 2009-2285 - LZWDecodeCompat()
o CVE-2010-0188 – Exploitable within PDF
o CVE-2010-2067 –Stack Overflow

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 15
 Ministry of Science,

LibTIFF Attacks: Get Your Gun Loaded

Technology & Innovation

  Villy’s Python Script

  Metasploit’s Module
  Made-in-China 0day Builder :p

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 16
 Ministry of Science,

LibTIFF Attacks: Get Your Gun Loaded

Technology & Innovation

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 17
 Ministry of Science,

LibTIFF Attacks: Get Your Gun Loaded

Technology & Innovation

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 18
 Ministry of Science,

LibTIFF Attacks: Get Your Gun Loaded

Technology & Innovation

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 19
 Ministry of Science,

PDF Attacks: DEMO

Technology & Innovation

Breaking the PDF readers

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 20
 Ministry of Science,
Technology & Innovation

Analyzing Malicious PDF + TIFF File

1)Intro 3)Analyzing 5)Mitigation

2)PDF attacks 4)Issues 6)Conclusion

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

Malicious PDF

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 22
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

  ASCII based characters

o Any text editors will do
  Some inflators/encoders have been used for data
stream
o Analysis becomes more complicated
o Can be deflated/decoded using proper library/
techniques to reveal normal ascii data
  Understanding on how PDF language syntax is a
must (e.g : object references, JavaScript call,
etc,etc)

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 23
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

  Public Tools

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 24
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

  Public Tools

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 25
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

  Public Tools

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 26
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

  Introducing MyCERT PDF LibTIFF Sploit Analyzer

o Basic parse for PDF
- For complete PDF Parse (gallus)
o Tracing for TIFF Image
o Dumping the image file
o Checking for The Shellcode

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 27
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 28
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

Hey, that’s NOT the sample u used for the previous screenshot, l0ser

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 29
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 30
 Ministry of Science,

Analyzing Malicious PDF + TIFF File: DEMO

Technology & Innovation

Analyzing Malicious PDF File

Securing Our Cyberspace
Copyright © 2009 CyberSecurity Malaysia 31
 Ministry of Science,

Analyzing Malicious PDF File: DEMO

Technology & Innovation

  Identify the malicious file

  Extract information
  Analyze shellcode

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 32
 Ministry of Science,
Technology & Innovation

Issues with Malicious PDF file

1)Intro 3)Analyzing 5)Mitigation

2)PDF attacks 4)Issues 6)Conclusion

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

  Challenges:
o JavaScript obfuscated
- Same problem with browser due to JavaScript
- Annoying
[ var=unescape() == var = un+escape(); == var a=un; var
b=escape(); var c=a+b ]
- arguments.callee(), getPageNumber(), getAnnotte()
- Anything JS can do, will fits here

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 34
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

Nice JS eh?

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 35
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

  Challenges:
o PDF Syntax Coolness
o This.Title.Info // This.Author.Names // This.What.Ever
o  Difficult for the analyzer to follow the objects reference.
o  Default JS emulator is not up for this yet
o Encoding/ Compressor
o  Many of them (FlateDecode/ASCIIHexDecode/JBIG2Decode/
ASCII85Decode/DCTDecode etc..etc)
o  Concatenate Filters (/Filter /FlateDecode /ASCIIHexDecode)
o  Abbreviation Filter (/Filter [/Fl /AHx] ) == (Filter /
FlateDecode /ASCIIHexDecode)

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 36
 Ministry of Science,

Analyzing Malicious PDF + TIFF File

Technology & Innovation

  Challenges:
o Parser Problem
o Grep’ing [obj…endobj] or [stream..endstream] ?
o Grep’ing [EOF] ?
o Reference loop
o  This.Info.Name -> This.Author.Name-> This.Info.Name
o  1 obj 0 /JS 7 0 R -> 7 obj 0 /JS 8 0 R -> 8 obj 0 /JS 10 R
o Embedded malicious PDF inside PDF file.
- Manual extracting for the embedded file is difficult.
o PDF file analyzer is not PDF reader
- Analyzer needs to understand PDF structure
- Analyzer needs to interpret PDF language
- Eventually it will become PDF reader by itself : )
Securing Our Cyberspace
Copyright © 2009 CyberSecurity Malaysia 37
 Ministry of Science,

Issues with Malicious PDF + TIFF file

Technology & Innovation

  on the fly malicious PDF generator

o Difficult to analyze/ be detected by analysis tools
o Have to manually request/download the malicious
pdf file (probably its too late when your browser
have PDF reader plugins)

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 38
 Ministry of Science,

Issues with Malicious PDF file

Technology & Innovation

  JavaScript obfuscating, period :)

o Well, javascript fingerprinting is nothing new : )
o JS checking if u’r running inside on the targeted
application is common.
o App.version()

  lack of fully functional pdf analyzers as how PDF

reader works
o Will always be a cat and mouse game

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 39
 Ministry of Science,
Technology & Innovation

Mitigation against Malicious PDF file

1)Intro 3)Analyzing 5)Mitigation

2)PDF attacks 4)Issues 6)Conclusion

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia
 Ministry of Science,

Mitigation
Technology & Innovation

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 41
 Ministry of Science,

Mitigation
Technology & Innovation

  Update/patch your PDF reader->eliminated bug,

you're save
o Not quite true when dealing with 0day
  Analyze/scan PDF file before opening it
  Only open PDF attachment from trusted people, at
least with pgp signing :)
o Sign the PDF file?. :).paranoid
  Disable JavaScript- minimize the risk of reliable
exploitation
o Some bugs don’t require JavaScript (still will 0Wn1ng
as usual). LIBTIFF..:-)
Securing Our Cyberspace
Copyright © 2009 CyberSecurity Malaysia 42
 Ministry of Science,
Technology & Innovation

Conclusion

1)Intro 3)Analyzing 5)Mitigation

2)PDF attacks 4)Issues 6)Conclusion

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia
 Ministry of Science,

Conclusion
Technology & Innovation

  Awareness on threats against PDF reader still

needs more works
  Analysis on malicious PDF is possible by
combining multiple tools (editor,decoder,js
emulator, shellocde analyzer)
  A better PDF analyzer is urgently needed

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 44
 Ministry of Science,

Conclusion
Technology & Innovation

  The complexity of PDF reader will introduce

more bugs and vulnerabilities
  With JavaScript support, exploitation will be more
reliable (why we still need JavaScript inside PDF
file? )
  With JavaScript support, more obfuscated
techniques can be implemented

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia 45
 Ministry of Science,
Technology & Innovation

Q&A

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia
 Ministry of Science,
Technology & Innovation

THANKS

Email: mahmud@cybersecurity.my
Web: http://www.cybersecurity.my
Web: http://www.mycert.org.my
Web: www.honeynet.org.my
Blog: blog.honeynet.org.my
Web: www.cybersafe.my
Report Incident: mycert@mycert.org.my

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia