Comments on: A brief analysis of a malicious PDF file which exploits this week’s Flash 0-day

By: dr charles h heller

dr charles h heller — Fri, 11 Nov 2011 08:52:41 +0000

dr charles h heller…

[...]A brief analysis of a malicious PDF file which exploits this week’s Flash 0-day « blog.zynamics.com[...]…

By: Security PDF-related links in 2010: analyses and tools

Security PDF-related links in 2010: analyses and tools — Tue, 10 May 2011 01:22:14 +0000

[...] 2010-06-08: Analysis of a Zero-day Exploit for Adobe Flash and Reader (CVE-2010-1297) 2010-06-09: A brief analysis of a malicious PDF file which exploits this week’s Flash 0-day (malware, ROP) 2010-06-21: World’s Smallest PDF 2010-07-02: Exploring recent PDF exploits: [...]

By: Dumping shellcode with Pin « blog.zynamics.com

Dumping shellcode with Pin « blog.zynamics.com — Wed, 28 Jul 2010 06:43:07 +0000

[...] shellcode with Pin By Sebastian Porst About six weeks ago, when I blogged about the Adobe Reader/Flash 0-day that was making the rounds back then, I talked about generating automated shellcode dumps with Pin. [...]

By: Windows GPO: Disable Adobe Updater for CS3 and CS4 | MoreCowbell

Windows GPO: Disable Adobe Updater for CS3 and CS4 | MoreCowbell — Wed, 30 Jun 2010 03:18:24 +0000

[...] in PDF documents, Sebastian Porst has a superb write up on dissecting the Adobe/Flash exploit here, if you’ve got 10 minutes grab a coffee and read [...]

By: Jon

Jon — Mon, 21 Jun 2010 16:43:46 +0000

Yea, those 1,200 helped me a lot. There is also a plethora of debugging information available if you look for it which can provide some others.

I finally got around to finishing (it took me FOREVER, this is my first time looking at something of this nature) my analysis of this problem. It appears that you guys were correct.

My original comment was based around a call to toVTable(), however that occurs prior to the block of code which actually redirects to the shellcode occurring. So we get a call from some unknown JIT-produced x86 code to the JIT-produced x86 code for fl.controls::ScrollBar::setStyles(). When the code gets redirected, they don’t strip the trailing 0×1 (which according to Tamarin is type “Object”, vague enough? ) and so there is a pointer calculation error.

What I haven’t been able to figure out is which JIT generated block of code results in the call to setStyles() that triggers the vuln. My best guess is fl.controls::ScrollBar/draw(), but I’ve yet to completely confirm that.

By: Update Fixes Adobe Flash Zero Day; Reader Still Vulnerable « WatchGuard Wire

Fri, 18 Jun 2010 17:14:25 +0000

[...] content. You can read more about this zero day flaw in Adobe’s early warning advisory or in this blog post, which contains deeper technical analysis of the flaw. As mentioned, this Flash update does fix [...]

By: Sebastian Porst

Sebastian Porst — Thu, 17 Jun 2010 11:22:34 +0000

I did not port Tamarin to Flash myself so I might be wrong but I think 1200 sounds like a correct ballpark figure. It’s a bit unfortunate that we only get so few symbols ported with BinDiff but it’s better than nothing.

By: Jon

Jon — Wed, 16 Jun 2010 15:26:57 +0000

Unfortunately I had already reversed a lot of the behavior prior to discovering that Tamarin could have provided symbols It probably would have saved me a little bit of time, but oh well, at least I understand it that much more without relying on symbols

I was only able to get about 10% of the symbols ported over (~1200) using BinDiff 2.0, is that in line with what you guys had or were you able to get better results?

By: Sebastian Porst

Sebastian Porst — Wed, 16 Jun 2010 11:57:57 +0000

You’re right about Tamarin + BinDiff. We are actually planning to post a blog post that shows four different ways to get symbols into Adobe binaries (focusing primarily on Acrobat).

By: Jon

Jon — Wed, 16 Jun 2010 11:49:40 +0000

Maybe so, I’m using 9.3.2. I imagine that given the nature of this, even the slightest variation could cause the bug to redirect to the shellcode in different locations, but that’s just a guess for now.

I also just discovered that Tamarin + BinDiff = most of the symbols I needed