Update: I figured that there is some interest in these collections, as such I will regularly update this page.

I have been asked to provide some information on analyzing and reversing PDF and DOC exploits, here are some hints where to look and how to do it :


PDF

Office filesSandbox Analysis :
  • CWSandbox is able to analyse PDF files as of 12/2008. It does so by opening the pdf file in an old 8.x version and monitoring various changes. Link
  • Anubis is able to analyse PDF/Flash and Websites. It does so by using IE and Acrobat reader and monitor changes. Link
Recommended PDF viewer :
Recommended gateway policy for fruity targets within your Enterprise
  • Convert all ingress PDF to picture files (TIFF - fax files), the resulting file will have all the pages in a single TIFF. Note: the standard windows viewer allows for persitent commenting, annotations, highlights etc.
  • Example with ghostscript : gs -q -sDEVICE=tifflzw -dBATCH -dNOPAUSE -r120 -sOutputFile=OUTPUTFILE.tiff INPUTFILE.pdf 2>&1
  • P.S: Normal rules apply, don't assume GS parser to be 100% safe

0 comments

Post a Comment