SLIDE 1
Didier@DidierStevens.com
Didier@DidierStevens.com
Penetration Document Format Didier@DidierStevens.com - - PowerPoint PPT Presentation
Penetration Document Format Didier@DidierStevens.com - - PowerPoint PPT Presentation
Penetration Document Format Didier@DidierStevens.com Didier@DidierStevens.com Didier@DidierStevens.com Identification and Analysis Didier@DidierStevens.com Didier@DidierStevens.com PDFiD PDFiD 0.0.9 hello-world.pdf PDF Header: %PDF-1.1 obj
SLIDE 2
SLIDE 3
Didier@DidierStevens.com
SLIDE 4
Didier@DidierStevens.com
Identification and Analysis
SLIDE 5
Didier@DidierStevens.com
SLIDE 6
Didier@DidierStevens.com
PDFiD 0.0.9 hello-world.pdf PDF Header: %PDF-1.1
- bj 7
endobj 7 stream 1 endstream 1 xref 1 trailer 1 startxref 1 /Page 1 /Encrypt 0 /ObjStm 0 /JS 0 /JavaScript 0 /AA 0 /OpenAction 0 /AcroForm 0 /JBIG2Decode 0 /RichMedia 0 /Colors > 2^24 0
PDFiD
SLIDE 7
Didier@DidierStevens.com
/Name Obfuscation
SLIDE 8
Didier@DidierStevens.com
PDFiD Demo
SLIDE 9
Didier@DidierStevens.com
http://www.Virustotal.com
SLIDE 10
Didier@DidierStevens.com
SLIDE 11
Didier@DidierStevens.com
http://blog.rootshell.be
SLIDE 12
Didier@DidierStevens.com
In-The-Wild PDF
SLIDE 13
Didier@DidierStevens.com
PoC Pure ASCII PDF
SLIDE 14
Didier@DidierStevens.com
pdf-parser Demo
SLIDE 15
Didier@DidierStevens.com
Protection
SLIDE 16
Didier@DidierStevens.com
Foxit Reader
SLIDE 17
Didier@DidierStevens.com
Sumatra PDF
SLIDE 18
Didier@DidierStevens.com
Know Your Enemy ...
SLIDE 19
Didier@DidierStevens.com
Disable JavaScript?
SLIDE 20
Didier@DidierStevens.com
… Find His Achilles Heel
SLIDE 21
Didier@DidierStevens.com
Access Tokens
SLIDE 22
Didier@DidierStevens.com
Use Restricted Tokens
- Windows >= Vista + UAC
- DropMyRights
- StripMyRights
- SAFER SRP
SLIDE 23
Didier@DidierStevens.com
Restricted Token in Action
SLIDE 24
Didier@DidierStevens.com
Disclosure CVE-2009-2979
SLIDE 25
Didier@DidierStevens.com
XML-Bomb in Metadata
SLIDE 26
Didier@DidierStevens.com
Questions?
And hopefully some answers...
SLIDE 27
Didier@DidierStevens.com