
Thu, 28 Aug 2008

Adobe APSB08-15 Patch Reversing

APSB08-15 is the latest Adobe security advisory regarding a memory corruption vulnerability in Acrobat Reader versions <8.1.2.

As expected, the advisory does not include technical details about the attack vector, so let's try to reverse the related Adobe patch to find out more about this vulnerability. I'm going to use IDA 5.2 with the patchdiff2 plugin (thanks to Kris for the hint on this plug-in).

The patch is released as a MSI file. I used Greg Duncan's Less MSIèrables tool to examine the content of this patch:

Adobe only updated the annots.api plugin file, so I just need to build the IDA database files for the old and updated annots.api files and patchdiff them. Eight matched functions in the results:

By getting the Xrefs of the first matched function and backtracing it, we get into the VTABLE setup routine for a method named "collectEmailInfo" of the "Collab" object. There was nothing in the Adobe JavaScript guide for this method, so by googling and reading the function code I arrived at the syntax below:

doc.Collab.collectEmailInfo({to:"to addr",cc:"cc",bcc:"bcc",subj:"subject",msg:"msg body",...});

The msg parameter seems to be a good candidate to overflow. Let's make a PDF file with the JavaScript below embedded in it and test it:

Collab.collectEmailInfo({msg:"aaaaaa.....aaaaa"});    (32K of aaa in my case)

and here is the result:

The place where the access violation occurs differed between machines, OS versions and program states, so the chance of successful exploitation via heap spray is low.
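As a defensive counterpart to the test above (an added example, not code from the original post or from SensePost): a small Python scanner that pulls JavaScript out of a PDF, both inline /JS literals and Flate-compressed streams, and flags Collab.collectEmailInfo calls whose msg argument is a long string literal or is not a literal at all. The sample PDF bytes, the 1024-byte threshold and all function names are constructed assumptions.

```python
import re
import zlib

CALL = re.compile(rb'Collab\s*\.\s*collectEmailInfo\s*\(')
MSG = re.compile(rb'msg\s*:\s*(["\'])(.*?)\1', re.DOTALL)  # plain literal only
STREAM = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.DOTALL)
JS_OPEN = re.compile(rb'/JS\s*\(')

def balanced(buf, start):
    """Text between the '(' at buf[start] and its matching ')', honouring nesting
    and backslash escapes (both PDF literal strings and JavaScript use them)."""
    depth, i = 0, start
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b'\\':
            i += 2
            continue
        depth += (c == b'(') - (c == b')')
        if depth == 0:
            return buf[start + 1:i]
        i += 1
    return buf[start + 1:]          # unterminated: return what is there

def javascript_chunks(pdf):
    """Inline /JS (...) literals plus every stream body, inflated if Flate-compressed."""
    for m in JS_OPEN.finditer(pdf):
        yield balanced(pdf, m.end() - 1)
    for m in STREAM.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            yield m.group(1)

def scan(pdf, max_msg=1024):
    """One (msg_length, suspicious) per Collab.collectEmailInfo call. Suspicious means
    the msg literal exceeds max_msg, or msg is not a literal at all (built at
    runtime, so its size cannot be judged statically and an analyst should look)."""
    findings = []
    for chunk in javascript_chunks(pdf):
        for call in CALL.finditer(chunk):
            lit = MSG.search(balanced(chunk, call.end() - 1))
            length = len(lit.group(2)) if lit else None
            findings.append((length, length is None or length > max_msg))
    return findings

# Constructed sample: inline /JS with the 32K msg from the post, plus a benign Flate stream.
SAMPLE_JS = b'Collab.collectEmailInfo({to:"a@example", msg:"' + b'a' * 32768 + b'"});'
SAMPLE_PDF = (b'%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (' + SAMPLE_JS + b') >>\nendobj\n'
              b'2 0 obj\n<< /Filter /FlateDecode >>\nstream\n'
              + zlib.compress(b'app.alert("benign");') + b'\nendstream\nendobj\n%%EOF\n')
```

The regexes are heuristics (escaped quotes inside msg and obfuscated method names are not handled), so treat a hit as a triage signal rather than a verdict.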

/behrang

Wed, 27 Aug 2008

Education and Things u know u dont know...

A completely non-security related (but totally geek) blog that always makes me smile is [http://indexed.blogspot.com/]. We had just started the week (or ended the last one) with a conversation on how strange it was that some people manage to remain supremely confident while talking authoritatively on subjects they know precious little about...

From our mouths, to Jessica's pen:

Mon, 25 Aug 2008

BlackHat/DefCon 2008 - Tool Release(s)

Hey guys..

Our BlackHat/Defcon talk this year featured a few tools that we promised to release.. The first tool, or set of tools, is reDuh, which can be found [here]. reDuh is made up of 2 parts, a local proxy and a server component (which is JSP, PHP or ASP). If you run the local proxy on your machine while pointing it to the server component, you are able to make TCP connections clean through the web server. This comes in surprisingly helpful (and if nothing else is really cute!). You can read more about reDuh (with pretty pictures) by checking out the [reduh page] or by checking out our [Vegas slides].

[Squeeza] also had some tweaks, and now incorporates some SQL Server OLE goodness. Grab [v0.22 here], and read more about it in the [slides].

Have fun, play responsibly and please post feedback or comments here or to research@sensepost.com

Fri, 22 Aug 2008

pwnies video posted online..

The video of the much publicized pwnie awards has been posted to the interwebs [gvideo link]

Locals (SensePosters) can grab a copy [here]. I believe it featured Halvar rapping, so it should be worth at least a listen to :>

/mh

PS. I heard the first 3 minutes, which included Alex Sotirov mentioning how >30 equates to over the hill, and humbly submit Malcolm Gladwell's recent speech in silent 3rd hand rebuttal. [Age before beauty - the difference between young geniuses and old masters]

Tue, 19 Aug 2008

BlackHat / DefCon 2008....

Hey guys..

Most of our BlackHat/Defcon team has arrived back home in one piece.. I landed with a fever and a lost voice (but to be honest I already caught something while in Vegas!)

We will post some post-Vegas thoughts as soon as the dust settles, but I also promised:

  1. The slides from our talk
  2. The tools we released...
A link to the slides is here: [Pushing a Camel through the eye of a Needle]

The final versions of the re-direction tools will be posted here by the weekend (after some last minute documentation / cleanup).

(A quick overview of Glenn's reDuh tool is also posted to [the same location].)