d1-sigint - mahmud ab rahman - libtapau
TRANSCRIPT
-
8/7/2019 D1-SIGINT - Mahmud AB Rahman - LibTAPAU
1/47
Securing Our Cyberspace
Copyright 2009 CyberSecurity Malaysia
Ministry of Science,
Technology & Innovation
Crowne Plaza || KL || .MY || 2010-10-13
MAHMUD AB RAHMAN
(MyCERT, CyberSecurity Malaysia)
LibTAPAU: The Danger of LibTIFF + Adobe PDF
-
2/47
MYSELF
Mahmud Ab Rahman
MyCERT, CyberSecurity Malaysia
Lebahnet (honeynet), Botnet, Malware
-
3/47
Agenda
Intro
PDF + LibTIFF Attacks
Analyzing malicious PDF + LibTIFF
Issues
Reducing/Mitigation: The Problem?
Outro/Conclusion
-
4/47
INTRO
1)Intro
2)PDF attacks
3)Analyzing
4)Issues
5)Mitigation
6)Conclusion
-
5/47
INTRO : PDF 101
PDF: Portable Destructive File :) Portable Document Format
Open standard (2008) by Adobe (previously proprietary)
Mainly a platform-independent format instead of *.doc, *.odp, *.xls, *.ppt, etc.
PDF reader applications (Adobe Reader, Foxit Reader, SumatraPDF, etc.)
-
6/47
INTRO : PDF Format
Has its own language
Normally just ASCII characters (/Filter / application elements use binary data in streams)
ASCII readable (any text editor will do)
Starts with a header (%PDF-[version])
Ends with an EOF element (%%EOF)
-
7/47
INTRO : PDF Format (diagram)
%PDF-1.1
1 0 obj
>
endobj
5 0 obj >
stream
BT /F1 24 Tf
100 700 Td (Hello w00t!) Tj
ET
endstream
endobj
xref
0 8
0000000000 65535 f
0000000012 00000 n
0000000089 00000 n
trailer
>
startxref
642
%%EOF
PDF start (version)
PDF object (obj ... endobj)
- stream element contains data (Hello w00t!), ends with endstream
- normally the data inside the stream element needs to be decoded
- JavaScript object starts with /JS
- main subject to be abused
Cross reference
Trailer
End of file
-
8/47
INTRO : PDF Format
view inside PDF readers
-
9/47
INTRO : TIFF 101
Tagged Image File Format (abbreviated TIFF): a file format for storing images
Under the control of Adobe Systems (2009)
Widely supported by image-manipulation applications
-
10/47
INTRO : TIFF 101
-
11/47
INTRO : Why attacking PDF + LibTIFF?
Just another attack vector
Widely used (popular)
o Wider target
Main player application has bugs
o Again, wider target
o Generates more interest (more bugs after the 1st one (almost 3 years now))
The emergence of client-side attacks (PDF plugin in the web browser creates more ways to target)
-
12/47
PDF ATTACKS
1)Intro
2)PDF attacks
3)Analyzing
4)Issues
5)Mitigation
6)Conclusion
-
13/47
PDF Attacks: How it works
1) Crafting malicious PDF
2) Forward the PDF file by any means [spam, web link, web upload, USB, P2P share, etc.]
3) User opens the file with a vulnerable PDF reader
4) Bug triggered, payload executed
-
15/47
LibTIFF Attacks: Recent Bugs
LibTIFF's bugs
o CVE-2005-1544
o CVE-2006-3459
o CVE-2009-2285 - LZWDecodeCompat()
o CVE-2010-0188 - Exploitable within PDF
o CVE-2010-2067 - Stack Overflow
-
16/47
LibTIFF Attacks: Get Your Gun Loaded
Villy's Python script
Metasploit module
Made-in-China 0day builder :p
-
17/47
LibTIFF Attacks: Get Your Gun Loaded
-
18/47
LibTIFF Attacks: Get Your Gun Loaded
-
19/47
LibTIFF Attacks: Get Your Gun Loaded
-
20/47
PDF Attacks: DEMO
Breaking the PDF readers
-
21/47
Analyzing Malicious PDF + TIFF File
1)Intro
2)PDF attacks
3)Analyzing
4)Issues
5)Mitigation
6)Conclusion
-
22/47
Analyzing Malicious PDF + TIFF File
Malicious PDF
-
23/47
Analyzing Malicious PDF + TIFF File
ASCII based characters
o Any text editor will do
Some inflators/encoders have been used for data streams
o Analysis becomes more complicated
o Can be deflated/decoded using the proper library/techniques to reveal normal ASCII data
Understanding of the PDF language syntax is a must (e.g. object references, JavaScript calls, etc.)
-
24/47
Analyzing Malicious PDF + TIFF File
Public Tools
-
25/47
Analyzing Malicious PDF + TIFF File
Public Tools
-
26/47
Analyzing Malicious PDF + TIFF File
Public Tools
-
27/47
Analyzing Malicious PDF + TIFF File
Introducing MyCERT PDF LibTIFF Sploit Analyzer
o Basic parse for PDF
- For a complete PDF parse (gallus)
o Tracing for the TIFF image
o Dumping the image file
o Checking for the shellcode
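The "tracing for the TIFF image" step above is essentially an IFD walk with bounds checks. The following is an added example, not the MyCERT analyzer's code: it parses the TIFF header and first IFD, and flags entries whose data would lie past the end of the file. The sample image and its bogus StripOffsets entry are constructed for the demonstration.

```python
import struct

# Byte width of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def parse_tiff(data):
    """Walk the first IFD of a TIFF blob. Returns (entries, problems): entries are
    (tag, type, count, value_or_offset) tuples, problems are strings describing
    fields an analyzer should flag (unknown types, data pointing past end of file)."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF: bad header or byte-order mark")
    end = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not a TIFF: magic != 42")
    if ifd_off + 2 > len(data):
        return [], ["IFD offset %d lies beyond end of file" % ifd_off]
    (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    entries, problems = [], []
    for i in range(n):
        off = ifd_off + 2 + 12 * i
        if off + 12 > len(data):
            problems.append("IFD truncated after %d of %d entries" % (i, n))
            break
        tag, typ, count, value = struct.unpack(end + "HHII", data[off:off + 12])
        entries.append((tag, typ, count, value))
        if typ not in TYPE_SIZES:
            problems.append("tag %d: unknown field type %d" % (tag, typ))
            continue
        total = TYPE_SIZES[typ] * count
        # Fields wider than 4 bytes are stored elsewhere; 'value' is then an offset.
        if total > 4 and value + total > len(data):
            problems.append("tag %d: %d bytes at offset %d exceed file size %d"
                            % (tag, total, value, len(data)))
    return entries, problems

def build_sample_tiff():
    """Constructed little-endian TIFF: ImageWidth=4, BitsPerSample = three SHORTs
    stored after the IFD, and a StripOffsets entry (tag 273) whose 4000 LONGs
    point far outside the 56-byte file, so parse_tiff should flag it."""
    n, ifd_off = 3, 8
    values_off = ifd_off + 2 + 12 * n + 4                  # data area follows next-IFD pointer
    ifd = struct.pack("<H", n)
    ifd += struct.pack("<HHII", 256, 4, 1, 4)              # ImageWidth, LONG, inline value
    ifd += struct.pack("<HHII", 258, 3, 3, values_off)     # BitsPerSample, 3 x SHORT, offset
    ifd += struct.pack("<HHII", 273, 4, 4000, 0x7FFFFF00)  # StripOffsets, bogus count/offset
    ifd += struct.pack("<I", 0)                            # no further IFD
    return b"II" + struct.pack("<HI", 42, ifd_off) + ifd + struct.pack("<HHH", 8, 8, 8)
```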
-
28/47
Analyzing Malicious PDF + TIFF File
-
29/47
Analyzing Malicious PDF + TIFF File
Hey, that's NOT the sample u used for the previous screenshot, l0ser
-
30/47
Analyzing Malicious PDF + TIFF File
-
31/47
Analyzing Malicious PDF + TIFF File: DEMO
Analyzing Malicious PDF File
-
32/47
Analyzing Malicious PDF File: DEMO
Identify the malicious file
Extract information
Analyze shellcode
-
33/47
Issues with Malicious PDF file
1)Intro
2)PDF attacks
3)Analyzing
4)Issues
5)Mitigation
6)Conclusion
-
34/47
Analyzing Malicious PDF + TIFF File
Challenges:
o JavaScript obfuscated
- Same problem as with browsers, due to JavaScript
- Annoying [ var = unescape() == var = un+escape(); == var a = un; var b = escape(); var c = a+b ]
- arguments.callee(), getPageNumber(), getAnnots()
- Anything JS can do will fit here
-
35/47
Analyzing Malicious PDF + TIFF File
Nice JS eh?
-
36/47
Analyzing Malicious PDF + TIFF File
Challenges:
o PDF syntax coolness
o This.Title.Info // This.Author.Names // This.What.Ever
o Difficult for the analyzer to follow the object references
o Default JS emulator is not up for this yet
o Encoding/compressors
o Many of them (FlateDecode / ASCIIHexDecode / JBIG2Decode / ASCII85Decode / DCTDecode etc.)
o Concatenated filters (/Filter [/FlateDecode /ASCIIHexDecode])
o Abbreviated filters (/Filter [/Fl /AHx]) == (/Filter [/FlateDecode /ASCIIHexDecode])
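To handle the concatenated and abbreviated filter chains just listed, an analyzer has to normalise the names and apply the decoders in array order. This is an added example (not the talk's tool, nor any reader's code) covering FlateDecode, ASCIIHexDecode and ASCII85Decode; the sample stream is constructed with the slide's [/Fl /AHx] chain.

```python
import base64
import binascii
import re
import zlib

# Abbreviated filter names (/Fl, /AHx, /A85) map to the long forms a reader understands.
FILTER_ALIASES = {"Fl": "FlateDecode", "AHx": "ASCIIHexDecode", "A85": "ASCII85Decode"}

def ascii_hex_decode(buf):
    """ASCIIHexDecode: hex digits up to '>', whitespace ignored, odd final digit padded with 0."""
    digits = b"".join(buf.split(b">", 1)[0].split())
    if len(digits) % 2:
        digits += b"0"
    return binascii.unhexlify(digits)

def ascii85_decode(buf):
    """ASCII85Decode: optional '<~' prefix, data ends at '~>'."""
    body = buf.split(b"~>", 1)[0]
    return base64.a85decode(body[2:] if body.startswith(b"<~") else body)

DECODERS = {"FlateDecode": zlib.decompress,
            "ASCIIHexDecode": ascii_hex_decode,
            "ASCII85Decode": ascii85_decode}

def parse_filter_value(text):
    """Turn the value after /Filter (one name or an array, long or abbreviated)
    into the ordered list of canonical filter names."""
    return [FILTER_ALIASES.get(n, n) for n in re.findall(r"/([A-Za-z0-9]+)", text)]

def decode_stream(filter_value, raw):
    """Apply the filters in array order, exactly as a PDF reader would when
    rendering the stream, and return the decoded bytes."""
    data = raw
    for name in parse_filter_value(filter_value):
        if name not in DECODERS:
            raise ValueError("unsupported filter: " + name)
        data = DECODERS[name](data)
    return data

def make_sample():
    """Constructed stream using the slide's abbreviated chain [/Fl /AHx]: the reader
    inflates first and hex-decodes second, so encoding runs hex first, deflate second."""
    plain = b"BT /F1 24 Tf 100 700 Td (Hello w00t!) Tj ET"
    return "[/Fl /AHx]", zlib.compress(binascii.hexlify(plain) + b">")
```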
-
37/47
Analyzing Malicious PDF + TIFF File
Challenges:
o Parser problem
o Grepping [obj ... endobj] or [stream ... endstream]?
o Grepping [EOF]?
o Reference loop
- This.Info.Name -> This.Author.Name -> This.Info.Name
- 1 0 obj /JS 7 0 R -> 7 0 obj /JS 8 0 R -> 8 0 obj /JS 1 0 R
o Embedded malicious PDF inside a PDF file
- Manual extraction of the embedded file is difficult
o A PDF file analyzer is not a PDF reader
- Analyzer needs to understand PDF structure
- Analyzer needs to interpret PDF language
- Eventually it will become a PDF reader by itself :)
-
38/47
Issues with Malicious PDF + TIFF file
On-the-fly malicious PDF generator
o Difficult to analyze / be detected by analysis tools
o Have to manually request/download the malicious PDF file (probably it's too late when your browser has PDF reader plugins)
-
39/47
Issues with Malicious PDF file
JavaScript obfuscation, period :)
o Well, JavaScript fingerprinting is nothing new :)
o JS checking whether it is running inside the targeted application is common
o App.version()
Lack of fully functional PDF analyzers that work the way a PDF reader works
o Will always be a cat and mouse game
-
40/47
Mitigation against Malicious PDF file
1)Intro
2)PDF attacks
3)Analyzing
4)Issues
5)Mitigation
6)Conclusion
-
41/47
Mitigation
-
42/47
Mitigation
Update/patch your PDF reader -> bug eliminated, you're safe
o Not quite true when dealing with 0day
Analyze/scan the PDF file before opening it
Only open PDF attachments from trusted people, at least with PGP signing :)
o Sign the PDF file? :) paranoid
Disable JavaScript - minimizes the risk of reliable exploitation
o Some bugs don't require JavaScript (still 0Wn1ng as usual). LibTIFF :-)
-
43/47
Conclusion
1)Intro
2)PDF attacks
3)Analyzing
4)Issues
5)Mitigation
6)Conclusion
-
44/47
Conclusion
Awareness of threats against PDF readers still needs more work
Analysis of malicious PDF is possible by combining multiple tools (editor, decoder, JS emulator, shellcode analyzer)
A better PDF analyzer is urgently needed
-
45/47
Conclusion
The complexity of PDF readers will introduce more bugs and vulnerabilities
With JavaScript support, exploitation will be more reliable (why do we still need JavaScript inside PDF files?)
With JavaScript support, more obfuscation techniques can be implemented
-
46/47
Q&A
-
47/47
THANKS
Email: [email protected]
Web: http://www.cybersecurity.my
Web: http://www.mycert.org.my
Web: www.honeynet.org.my
Blog: blog.honeynet.org.my
Web: www.cybersafe.my
Report Incident: [email protected]