Didier Stevens

Monday 2 March 2009

Quickpost: /JBIG2Decode Essentials

Filed under: PDF,Quickpost,Vulnerabilities — Didier Stevens @ 23:11

Today I took a closer look at the PDF code of the /JBIG2Decode vulnerability. It doesn’t have to be an XObject, just a stream object with a /JBIG2Decode filter:

20090302-231859

This indirect object is all I have to include in my basic PDF document to get a PoC PDF document to crash Adobe Acrobat Reader 9:

20090302-135943

20090302-140102

On Virustotal, this PoC PDF document is only detected by ClamAV, but it’s no surprise, as most signatures also look for JavaScript and/or a payload. When I use name or stream obfuscation, ClamAV is also bypassed.

You can download my Python program to generate these PoC PDF documents here, it needs the mPDF module of my PDF-tools. Use it to developed better signatures or to test your defenses.


Quickpost info


3 Comments »

  1. [...] a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 ways the vulnerability can trigger without even [...]

    Pingback by Quickpost: /JBIG2Decode Trigger Trio « Didier Stevens — Wednesday 4 March 2009 @ 14:36

  2. [...] a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 ways the vulnerability can trigger without even [...]

    Pingback by PDF Vulnerability With No Clicking « NoticFresh Weblog — Friday 6 March 2009 @ 11:57

  3. [...] on the vulnerability: JBIG2Decode Essentials – [...]

    Pingback by Clickless PDF Vulnerability — Friday 6 March 2009 @ 13:35


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 234 other followers

%d bloggers like this: