Adobe PDF Javascript Vulnerability (July 18, 2008)

July 18, 2008

The vulnerability is created by a lack of proper boundary checks when processing arguments supplied to several JavaScript functions. Given a large string argument to a vulnerable function, it is possible to write arbitrary code past the allotted stack buffer. This corrupts local stack variables as well as the return address of the calling function. In effect, exploitation can divert the process to arbitrary code. Because the vulnerable application runs within the security context of the logged-in user, the effects of exploitation are limited to that same context. The vulnerability has been assigned CVE-2007-5659.

The method used to store JavaScript in PDF files presents a number of difficulties for the detection of malicious files. Firstly, in order to detect a malicious file, the JavaScript code needs to be interpreted to determine its intent. This step requires a JavaScript interpreting engine. Secondly, the JavaScript itself is compressed within the PDF file. Thus, in order to analyze the code, it first has to be decompressed. Lastly, the compressed stream has to be found within the PDF file, as it is usually a separate object referred to by an index defined in a previous JavaScript object definition.
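The locate-and-decompress steps described above, as an added example that is not SonicWall's code or part of the original advisory. The sample PDF is constructed, and the parser assumes a direct `/Length`, only the `/FlateDecode` filter, and no object streams or encryption.

```python
import re
import zlib
from typing import Optional

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")  # indirect reference to the script

def read_stream(body: bytes) -> Optional[bytes]:
    """Return the decoded stream of one object body, or None if unreadable."""
    start = re.search(rb"stream\r?\n", body)
    if not start:
        return None
    header = body[:start.start()]  # the object's dictionary
    length = re.search(rb"/Length\s+(\d+)", header)  # assumes a direct /Length
    if not length:
        return None
    raw = body[start.end():start.end() + int(length.group(1))]
    if b"/FlateDecode" not in header:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return None  # truncated or malformed stream: nothing to analyze

def extract_javascript(pdf: bytes) -> list:
    """Follow each indirect /JS reference; return (object number, script) pairs."""
    objects = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}
    found = []
    for body in objects.values():
        for ref in JS_REF_RE.finditer(body):
            target = int(ref.group(1))
            script = read_stream(objects.get(target, b""))
            if script is not None:
                found.append((target, script.decode("latin-1")))
    return found

# Constructed sample: JavaScript action (object 2) -> compressed stream (object 3).
SAMPLE_JS = b'app.alert("constructed sample script, constructed sample script");'

def build_sample() -> bytes:
    packed = zlib.compress(SAMPLE_JS)
    return b"".join([
        b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n",
        b"3 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n%%EOF\n"])

if __name__ == "__main__":
    for number, script in extract_javascript(build_sample()):
        print(f"object {number}: {script}")
```

A plain byte search of the sample file for the script text finds nothing, which is why a scanner must either decompress the stream first or, as the signatures described here do, match the code in its compressed form.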

SonicWall has developed a series of GAV signatures to detect malicious PDF files and prevent them from being transferred. These signatures detect exploits that have been found in active use in exploitation attempts in the wild. The signatures detect malicious JavaScript code in its compressed form. There are currently fourteen exploits known to have been used to target this vulnerability. All known exploits are covered by SonicWall. The following signatures cover this vulnerability:

  • PDF.JavaScript.L
  • PDF.JavaScript.K
  • PDF.JavaScript.J
  • PDF.JavaScript.I
  • PDF.JavaScript.H
  • PDF.JavaScript.G
  • PDF.JavaScript.F
  • PDF.JavaScript.E
  • PDF.JavaScript.D
  • PDF.JavaScript.C
  • PDF.JavaScript.B_2
  • PDF.JavaScript.A
  • PDF.JavaScript.CI.B
  • PDF.JavaScript.CI.A