Today I took a closer look at the PDF code of the /JBIG2Decode vulnerability. It doesn’t have to be an XObject, just a stream object with a /JBIG2Decode filter:
This indirect object is all I have to include in my basic PDF document to get a PoC PDF document to crash Adobe Acrobat Reader 9:
On VirusTotal, this PoC PDF document is only detected by ClamAV, but that's no surprise, as most signatures also look for JavaScript and/or a payload. When I use name or stream obfuscation, ClamAV is also bypassed.
You can download my Python program to generate these PoC PDF documents here; it needs the mPDF module of my PDF-tools. Use it to develop better signatures or to test your defenses.
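As an added example (not Didier's PDF-tools, and not the generator linked above), here is a small detector built on the point made in this post: it flags any indirect stream object whose /Filter names /JBIG2Decode, and it resolves the #xx hex escapes PDF allows in names so that the name-obfuscated spelling is caught too. The PDF fragment is constructed; its stream bodies are placeholder bytes, not JBIG2 data.

```python
import re

# Constructed sample: four minimal indirect objects. Objects 1 and 3 use the
# filter in plain and #xx-escaped form, object 4 hides it inside a filter array,
# object 2 is a harmless FlateDecode stream. Stream bodies are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /XObject /Subtype /Image /Filter /JBIG2Decode /Length 4 >>
stream
AAAA
endstream
endobj
2 0 obj
<< /Filter /FlateDecode /Length 4 >>
stream
BBBB
endstream
endobj
3 0 obj
<< /Filter /JBIG#32Decode /Length 4 >>
stream
CCCC
endstream
endobj
4 0 obj
<< /Filter [ /FlateDecode /JBIG#32Decode ] /Length 4 >>
stream
DDDD
endstream
endobj
"""

# A PDF name runs from '/' up to the next whitespace or delimiter; '#' is allowed.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()\{\}%]+)")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

def normalize_name(raw: bytes) -> bytes:
    # Resolve #xx escapes so b"JBIG#32Decode" compares equal to b"JBIG2Decode".
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def find_jbig2_streams(data: bytes) -> list[int]:
    """Return the object numbers of stream objects that use /JBIG2Decode."""
    hits = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        if b"stream" not in body:          # not a stream object at all
            continue
        dict_part = body.split(b"stream", 1)[0]   # the << ... >> before the data
        names = {normalize_name(n) for n in NAME_RE.findall(dict_part)}
        if b"JBIG2Decode" in names:        # also matches inside a /Filter array
            hits.append(int(m.group(1)))
    return hits

if __name__ == "__main__":
    print(find_jbig2_streams(SAMPLE_PDF))   # [1, 3, 4]
```

This only walks uncompressed objects; a stream hidden inside an object stream (/ObjStm) would first need that container inflated, which is the "stream obfuscation" case the post mentions.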
[…] a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 ways the vulnerability can trigger without even […]
Pingback by Quickpost: /JBIG2Decode Trigger Trio « Didier Stevens — Wednesday 4 March 2009 @ 14:36
[…] a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 ways the vulnerability can trigger without even […]
Pingback by PDF Vulnerability With No Clicking « NoticFresh Weblog — Friday 6 March 2009 @ 11:57
[…] on the vulnerability: JBIG2Decode Essentials – […]
Pingback by Clickless PDF Vulnerability — Friday 6 March 2009 @ 13:35