Xanda's Blog !~!

Yara Rule for CVE-2010-1297

Jun
11
rule FlashNewfunction: decodedPDF
{
   meta:  
      ref = "CVE-2010-1297"
      hide = true
      impact = 5 
   strings:
      $unescape = "unescape" fullword nocase
      $shellcode = /%u[A-Fa-f0-9]{4}/
      $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
      $cve20101297 = /\/Subtype ?\/Flash/
   condition:
      ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
}

PDF Obfuscation : Using Hexadecimal in Defining Filter

Nov
29

I was reading my RSS feed and suddenly I’ve found this PDF sample. We’ve found PDF-JS Obfuscation with this.info.title last week and this time comes another trick. Using hexadecimal in defining filter..

The following line was found in one of the stream

</Length 0000000/Filter/#41#53#43#49#49#38#35#44#65#63#6f#64#65>>

once converted from hex to ascii, here is what i’ve found

</Length 0000000/Filter/ASCII85Decode>>

Yeah.. nothing much, but yes the sample will be passed to Azizan for enhancement of Analyz3r

Yet Another Adobe Bug

Oct
09

Nothing much but YES to agree with Didier Stevens with his statement:

PDF + JS = OMG

Yerp.. there is another vulnerability (CVE-2009-3459) in Adobe Reader and Acrobat today (GMT +8) and so far it is still 0 day..

*panic panic* What to do?

  1. Disable JavaScript support in Adobe Reader and Acrobat
  2. Enable DEP (for Windows)
  3. Use NoScript
  4. Use alternative PDF reader like Foxit, Gnome Document Viewer, yada yada..
  5. Don’t be a lame by opening unknown PDF attachment