Didier Stevens

Monday 2 November 2009

CVE-2009-2979 Or The XML-Bombed PDF

Filed under: PDF,Vulnerabilities — Didier Stevens @ 7:15

The Extensible Metadata Platform is an Adobe standard to represent metadata with XML.

More than a year ago, I added an XML-bomb to XMP-data inside a PDF document:


As this made Adobe Reader 8 & 9 crash, I reported it to Adobe. It has been fixed with the last patch cycle.

Why do I disclose the details of this vulnerability? Because XMP is not only intended to be used in PDF documents, but many other file formats. So be sure to check your software for this vulnerability.


  1. Interesting, although I don’t see how it can be a useful exploit yet besides DOS. Is it possible to have it execute shellcode?

    Also, when (if) will you post your talk from hack.lu?

    Comment by janus — Monday 2 November 2009 @ 11:43

  2. I discovered this bug by accident, and I spent some time reversing but didn’t get EIP control.

    The Hack.lu slides are available on the hack.lu site: http://2009.hack.lu/archive/2009/

    Comment by Didier Stevens — Tuesday 3 November 2009 @ 8:45

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.