Checking a PDF for exploits

7

Is there any way to check a PDF for exploits? I am on Linux most of the time, but sometimes I have to read PDFs on Windows as well, so I have to make sure the PDF is clean. I use Acrobat Reader on Windows and Evince on Linux.

    
by sukhbir 21.09.2010 / 13:57

2 answers

4

The following is a post by a moderator ( Lupin ) of the Remote Exploit forums that I found very useful.

Here's the method that I use in analysing malicious PDFs:

I use the tools pdfid and pdf-parser from here. In the past I have also used pdftk, but I'm finding that less useful recently.

The process:

  1. Use pdfid to analyse the pdf document. pdfid can tell you if a pdf has Javascript included as well as autorun functionality and how many pages it has. A one page document with Javascript and autorun functionality is suspicious.
  2. If Javascript is present, extract it from the document to determine its purpose. Sometimes the Javascript is included in plain text, in which case you can just use the strings utility to extract it. Otherwise, you can use pdf-parser to extract certain types of encoded Javascript.
  3. Malicious Javascript often contains obfuscation to disguise its true purpose. To remove this obfuscation I modify the script a little to allow easier debugging (e.g. assign the code from eval statements to a variable instead) and use the Rhino Javascript debugger to show me how the code is transformed as it runs.
  4. Many of the Javascript based PDF exploits often involve buffer overflows, and the shellcode is often in unicode format. I have a perl script that I wrote to convert this type of shellcode to a C program (really just C style shellcode with some wrapper code) which can then be compiled to be further analysed using standard binary analysis techniques.

I will note that PDF exploits are possible without Javascript, but in practice most of the ones out in the wild seem to use it. Certainly the ones I have seen have it.

    
by 21.09.2010 / 16:15
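To make the four steps above concrete, here is an added example (my own code, not pdfid, pdf-parser, or Lupin's perl script) that reproduces the core of each step on a constructed sample PDF: pdfid-style keyword counts with `#xx` name-escape normalization (so `/J#61vaScript` is still counted), the "one page + JavaScript + autorun" heuristic, extraction of the script referenced by `/JS` whether it is an inline literal string or a FlateDecode stream, and conversion of `%uXXXX` shellcode into a C array for offline analysis. The sample PDF, the script inside it and the `%u9090%uc3c3` bytes are constructed for the demonstration and are not a real malicious document; the real tools handle far more (object streams, other filters, cross-reference tables) than this sketch does.

```python
"""Constructed pdfid/pdf-parser style triage; not the original tools."""
import re
import zlib

KEYWORDS = ["/Page", "/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch"]
# a PDF name ends at whitespace or a delimiter; the lookahead keeps /Pages from counting as /Page
NAME_END = rb"(?![^\x00\t\n\x0c\r ()<>\[\]{}/%])"
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in names (/J#61vaScript -> /JavaScript), a common
    trick for hiding keywords from naive string searches."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)


def inflate_streams(data: bytes) -> list:
    """Bodies of all stream...endstream blocks, inflated when zlib (FlateDecode)
    compressed, otherwise returned as found."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            out.append(m.group(1))
    return out


def count_keywords(data: bytes) -> dict:
    """pdfid-style counts over the raw file plus every inflated stream."""
    text = normalize_names(data) + b"\n" + b"\n".join(inflate_streams(data))
    return {kw: len(re.findall(re.escape(kw.encode()) + NAME_END, text))
            for kw in KEYWORDS}


def triage(counts: dict) -> list:
    """Lupin's heuristic: JavaScript plus autorun in a one-page file is suspicious."""
    findings = []
    has_js = counts["/JS"] + counts["/JavaScript"] > 0
    autorun = counts["/OpenAction"] + counts["/AA"] > 0
    if has_js:
        findings.append("javascript present")
    if autorun:
        findings.append("autorun action (/OpenAction or /AA)")
    if counts["/Launch"]:
        findings.append("/Launch action (can start an external program)")
    if has_js and autorun and counts["/Page"] <= 1:
        findings.append("one page + JavaScript + autorun: SUSPICIOUS")
    return findings


def read_literal_string(data: bytes, pos: int) -> bytes:
    """Read a PDF literal string starting just after its '('; handles nested
    parentheses and backslash escapes (escape sequences are kept verbatim)."""
    depth, i, out = 1, pos, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return bytes(out)


def extract_javascript(data: bytes) -> list:
    """Scripts attached via /JS: inline literal strings, or indirect references
    to a (possibly compressed) stream object."""
    norm = normalize_names(data)
    scripts = [read_literal_string(norm, m.end())
               for m in re.finditer(rb"/JS\s*\(", norm)]
    for m in re.finditer(rb"/JS\s+(\d+)\s+\d+\s+R", norm):
        # look the object up in the raw bytes so compressed data is untouched
        obj = re.search(rb"(?<![0-9])" + m.group(1) + rb"\s+\d+\s+obj(.*?)endobj",
                        data, re.DOTALL)
        if obj:
            scripts.extend(inflate_streams(obj.group(1)))
    return scripts


def unicode_shellcode_to_bytes(js: str) -> bytes:
    """%uXXXX units (as fed to unescape()) are 16-bit little-endian: %u4142 -> 42 41."""
    return b"".join(bytes.fromhex(u)[::-1]
                    for u in re.findall(r"%u([0-9A-Fa-f]{4})", js))


def to_c_array(raw: bytes, name: str = "shellcode") -> str:
    """Emit the bytes as a C array for objdump/gdb work in an isolated VM."""
    body = ", ".join(f"0x{b:02x}" for b in raw)
    return f"unsigned char {name}[{len(raw)}] = {{ {body} }};"


def build_sample_pdf() -> bytes:
    """Constructed one-page PDF (not a real sample): /OpenAction points at a
    JavaScript action with a hex-escaped /S name and a FlateDecode'd script."""
    js = b'var sc = unescape("%u9090%u9090%uc3c3");\neval(sc);'
    comp = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
            b"5 0 obj << /Length " + str(len(comp)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    pdf = build_sample_pdf()
    counts = count_keywords(pdf)
    print(counts, triage(counts))
    for script in extract_javascript(pdf):
        print(script.decode(errors="replace"))
        print(to_c_array(unicode_shellcode_to_bytes(script.decode(errors="replace"))))
```

Note that the keyword counts are taken over the raw bytes plus inflated streams, which is a step beyond what pdfid does on its own (pdfid does not decompress; that is what pdf-parser is for), and that the script is only recovered, not executed: the deobfuscation in step 3 still belongs in a debugger such as Rhino, and the resulting C array should only be compiled and examined in an isolated VM.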
1

You can install and use ClamAV .

    
by 21.09.2010 / 16:12