I have been analyzing the latest Adobe vulnerability. It all began when HD alerted me to a post on Mila Parkour's "contagio malware dump" blog. After giving the blog post a once over, it was pretty clear that she had discovered a live sample of a previously unpublished and currently unpatched vulnerability. The clearest indicator was the screenshot of the Adobe Reader "About" dialog with dropped files showing. Great image! This most definitely piqued my interest.

As a technical person, I then re-scanned to glean the technical details. According to *REDACTED*, it is "vuln func in cooltype.dll 0x0803dcf9 due 2 incorrect parsing of TTF font and heapspray is done in JS with ROP code (bypasses DEP)".

From this single line, *REDACTED* pretty much laid it all out on the table. Opening CoolType.dll from 9.3.4 up in IDA Pro showed a function where indeed "strcat" was being used. Sure enough, just as *REDACTED* had said, the call was strcat(stack_buf256, user_input). However, I didn't have much more detail at this point, so I asked Mila for the sample via DM and went back to my previous task (working on opcodedb). An hour or so later, I noticed that Mila had responded and emailed the sample over. With the sample in hand, I proceeded to set a breakpoint and run Reader 9.3.4 with the sample as input. Knowing now just how bad the situation was, I proceeded to do a deeper inspection of the sample.

The File Itself

It appeared to be two PDF files concatenated with a commented 32-bit xor encoded PE. Further investigation showed that the two PDF files were identical except for the "%SIGNATURE: " portion appended to the second one. This could be the indication of some sort of mistake, but we'll likely never know. Since I wasn't interested in the malware portion of this sample, I only briefly glanced at the DLL and moved on.

The PDF Guts

All further analysis took place on only the first PDF within the file (the only PDF).
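Added example, not code from the original post: a small Python triage routine for the concatenated-PDF layout described under "The File Itself". It counts %PDF- headers, pairs each with its %%EOF, checks whether the PDF bodies are byte-identical, lists any "%SIGNATURE: " comment and measures how much data trails the last PDF. The sample bytes are constructed here and are not the real file.

```python
import re

# Constructed sample: two identical minimal PDFs back to back, followed by a
# "%SIGNATURE: " comment and a short commented blob standing in for the
# appended payload. This is NOT the sample discussed in the post.
MINIMAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)
SAMPLE = (MINIMAL_PDF + MINIMAL_PDF
          + b"%SIGNATURE: constructed-marker\n"
          + b"%" + bytes(range(64)))

HEADER = re.compile(rb"%PDF-\d\.\d")
EOF = re.compile(rb"%%EOF")
SIG = re.compile(rb"%SIGNATURE: [^\r\n]*")


def triage(data: bytes) -> dict:
    """Report every PDF header/EOF pair in a blob and what sits after them."""
    headers = [m.start() for m in HEADER.finditer(data)]
    eofs = [m.end() for m in EOF.finditer(data)]
    docs = []
    for i, start in enumerate(headers):
        # A document runs from its header to the last %%EOF before the next header.
        limit = headers[i + 1] if i + 1 < len(headers) else len(data)
        ends = [e for e in eofs if start < e <= limit]
        docs.append((start, ends[-1] if ends else None))
    complete = [(s, e) for s, e in docs if e is not None]
    last_end = complete[-1][1] if complete else len(data)
    return {
        "pdf_count": len(headers),
        "documents": docs,
        "identical_bodies": len(complete) > 1
        and len({data[s:e] for s, e in complete}) == 1,
        "signature_comments": [m.group(0) for m in SIG.finditer(data)],
        "trailing_bytes": len(data) - last_end,  # data appended after the last PDF
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A real file would be read with `open(path, "rb").read()` and passed to `triage`; a count above one, identical bodies and a large trailing-byte figure are the layout the post describes.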