July 18, 2008

The vulnerability is created by a lack of proper boundary checks when processing arguments supplied to several JavaScript functions. Given a large string argument to a vulnerable function it is possible to write arbitrary code past the alloted stack buffer. This results in corruption of local stack variables as well as the return address of the calling function. In effect, exploitation can allow for process diversion to arbitrary code. As the vulnerable application is running within the logged in user security context, the exploitation will be limited to the same. The vulnerability has been assigned CVE-2007-5659.

The method used to store JavaScript in PDF files presents a number of difficulties in terms of detection of malicious files. Firstly, in order to detect a malicious file, the JavaScript code needs to be interpreted to determine its intent. This step requires a JavaScript interpreting engine. Secondly, the JavaScript itself is compressed within the PDF file. Thus, in order to be able to analyze the code, it first has to be decompressed. Lastly, the compressed stream has to be found within the PDF file as it is usually a separate object referred to by an index defined in a previous JavaScript object defenition.

Sonicwall has developed a series of GAV signatures to detect and prevent malicious PDF files from being transfered. These signatures will detect exploits which have been found to be actively used in exploitation attempts in the wild. The signatures detect malicious JavaScript code in its compressed form. There are currently fourteen exploits known to have been used to target this vulnerability. All known exploits are covered by Sonicwall. The following signatures cover this vulnerability:

• PDF.JavaScript.L
• PDF.JavaScript.K
• PDF.JavaScript.J
• PDF.JavaScript.I
• PDF.JavaScript.H
• PDF.JavaScript.G
• PDF.JavaScript.F
• PDF.JavaScript.E
• PDF.JavaScript.D
• PDF.JavaScript.C
• PDF.JavaScript.B_2
• PDF.JavaScript.A
• PDF.JavaScript.CI.B
• PDF.JavaScript.CI.A