August 26, 2010
This is an example use of the opaflib. The script described here use opaflib to get some statistics about the different PDF objects that appear in you file stash. This 2 charts show the appearing frequencies of Filters and Object types in a 10Mbyte small database of a random pdf selection.
So it is better for your fuzzing base that this numbers seem even, otherwise you’ll be testing the same thing over and over.
Keep reading for more exciting details!!! WEEEEEEEEEEEE!
Read the rest of this entry »
August 23, 2010
It’s an Open PDF Analysis Framework!
Keep reading for a test run…
Read the rest of this entry »
August 22, 2010
As discussed in earlier posts the problem with PDF is that we can not apply an out-of-the-box scanner/parser design pattern. It won’t let you scan it properly. The size of a PDF stream is hard to be decided at scanner/lexer time. I’ve suggested the solution of escaping the “endstream” keyword. Also other patches emerged like, forcing the /Length keyword to be direct. Or calculate every object size using XREFs pointers (assuming not garbage between the objs (which in fact is what the spec says)).
Well in any case if you manage to run a lexer and tokenize it here you have the parsing grammar … weeee!!
object : NAME | STRING | HEXSTRING | NUMBER | TRUE | FALSE | NULL | R | dictionary | array dictionary : DOUBLE_LESS_THAN_SIGN dictionary_entry_list DOUBLE_GREATER_THAN_SIGN dictionary_entry_list : NAME object dictionary_entry_list | empty array : LEFT_SQUARE_BRACKET object_list RIGHT_SQUARE_BRACKET object_list : object object_list | empty indirect : indirect_object_stream | indirect_object indirect_object : OBJ object ENDOBJ indirect_object_stream : OBJ dictionary STREAM_DATA ENDOBJ xref : indirect_object_stream | XREF TRAILER dictionary pdf : HEADER pdf_update_list pdf_update_list : pdf_update_list body xref pdf_end | body xref pdf_end body : body indirect_object | body indirect_object_stream | empty pdf_end : STARTXREF EOF
August 14, 2010
(Or why I can’t parse a PDF)
|This post is about the difficulties I ran into when trying to write a PDF parser. It’s my opinion that
PDF specification is broken because it permits the token “endstream” inside a stream!
There are 4 ways of deciding the size of a PDF stream:
[+] Scanning for the “endstream” token
 Scanning for the endstream token
 Get the size from the direct \Length entry
 Get the indirect \Length using the normal xref
 Calculate the size from the starting marks pointed from the Normal cross-reference
What happens in actual PDF implementations if:
[+] Cross-reference is broken?
[+] Cross-reference point to overlapped objects
[+] Streams contains the endstream token
[+] Streams contains some evil endstream/endobj token combination
[+] If all the 4(or more) ways of parsing a PDF stream are present, should they be all consistent?
And finally, is this file PDF compliant? I bet someone may construct an obfuscation method based in this “issues”.
If you still think this is worth reading check out the following details and please comment if you find bug if you have a solution for the problems I stated here.
August 6, 2010
In an attempt to irrevocably declare my insanity I went into the details of making a PDF lexer the most strict to the specification I can. This post is about making a Portable File Format lexer in python using the PLY parser generator. This lexer is based on the ISO 32000-1 standard. Yes! PDF is an ISO standard, see.
In a PDF we have hexstrings and strings, numbers, names, arrays, references and null, booleans, dictionaries, streams and the file structure entities (the header, the trailer dictionary, the eof mark, the startxref mark and the crossreference). We are going to describe in detail all the tokens needed to define the named entities. You’ll probably want to take a look on how a parser is written in PLY at this simple example.
Before we go into the really really really boring stuff, let’s do a quick demonstration of it’s value…
Let’s pick a random PDF out there… hmm.. for example jailbrakeme.pdf. Then grab the already done lexer here and run it like this…
it should output something like this…
It marks the position of every object!!! WOW!!!!!!
June 16, 2010
Let’s see how to run an external Adobe Reader process from a pdf file that’s being displayed in a web browser.
This *technique* is a derivate of the pdf-into-pdf embedding post. It also uses the GotoE action to jump away to an embed pdf. I just discovered that doing this from a browser viewed pdf it runs a different process of the Adobe Reader. The ability of running a new, fresh and separated process has some interesting exploitability implications.
In older Reader version (previous to 9.2.3?) doing this also served as a way to bypass DEP optIn, but by now we have to settle with just this two facts:
[+] Whatever happens in the separate Reader will not crash the browser, potentially enabling other chances to exploit it.
[+] It makes it possible to develop exploits for highly predictable memory layouts.
March 31, 2010
@DidierStevens has released a way to partially “control” the message showed by Adobe Reader when it launches an application from inside a pdf file with the PDFAction “/Launch”. Check it out here
I think it’s about time to start calling the application Launching capability of Adobe (and friends) a VULNERABILITY.
Here you have a python script for PATCHING the affected dll and cripple the Launch Action.
I tested it in W7 / Adobe Reader 9.3 but it should work for every version/OS/Arch mixture. In some OS you may experience some trouble replacing the dll.
(((( An untested improvement… s/Felipe/######/g ))))
February 15, 2010
February 11, 2010
Due to the recent advances in exploitation techniques it became really important to put flash every were we can.
In this post we are going to show how to add a swf(Flash) file to a PDF file using our miniPDF.py lib.
Flash support is relatively new in PDF and come into the scene primary for doing the PDF portable collection thing and such. We’ll follow the steps described in Adobe® Supplement to the ISO 32000 , so you probably need to grab it and keep it close to you. In the case you’ve missed the previous posts here you have a copy of the miniPDF.py so you can take a quick look. We are going to use that lib mainly as we did in earlier posts and start adding PDF objects until… –FLASH!– we end up with a one paged PDF with a running embedded SWF. OK, so lets start…
Read the rest of this entry »
|This post is about hiding an evil PDF into a saint PDF. The objective is to embed a pdf into another pdf, and make the reader parse the embedded one without user intervention. If we manage to do this we’ll be able to ‘filter’ the embedded file and hide it through some pdf encoding filters (flatedecode, crypt, etc), that way making it invisible from the outside. And at last, as we’ll be using miniPDF.py, we’ll pass everything through the (unfinished) obfuscated version of the miniPDF.py lib, here.|