Author Topic: Adobe 0day again  (Read 3354 times)

0 Members and 1 Guest are viewing this topic.

October 08, 2009, 07:52:43 pm
Read 3354 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

October 09, 2009, 10:59:09 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

October 11, 2009, 02:03:39 pm
Reply #2

CM_MWR

  • Special Members
  • Hero Member

  • Offline
  • *

  • 319
66753CADCB8BD537AF50F2AE92D7627B

October 11, 2009, 02:06:43 pm
Reply #3

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
66753CADCB8BD537AF50F2AE92D7627B

I have tested this sample multiple times in  VMWARE using AR 9.1.3. It didn't infect my machine.
AR sometimes crashed, nothing else.
Ruining the bad guy's day

October 11, 2009, 02:18:36 pm
Reply #4

CM_MWR

  • Special Members
  • Hero Member

  • Offline
  • *

  • 319
So this means it doesnt work for everybody or just for you?

 ???

FFS, I wish I had a dollar for everytime I jumped the gun like that!  :D

October 11, 2009, 02:36:24 pm
Reply #5

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
So this means it doesnt work for everybody or just for you?

 ???

Someone else reported that it worked in about 10-15 % of his tests.
Ruining the bad guy's day

October 11, 2009, 04:58:38 pm
Reply #6

CM_MWR

  • Special Members
  • Hero Member

  • Offline
  • *

  • 319
I dont think we ever really kept count, Id say 6 of 10 worked for the setup we had built based on target machines setup.

October 13, 2009, 07:34:22 pm
Reply #7

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

October 13, 2009, 09:43:27 pm
Reply #8

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Update: PDFiD Version 0.0.9 to Detect Another Adobe 0Day
http://blog.didierstevens.com/2009/10/13/update-pdfid-version-0-0-9-to-detect-another-adobe-0day/

Quote
PDFiD is updated to detect the latest Adobe 0day, CVE-2009-3459.

Iíll provide more details in an upcoming post, just now for know that PDFiD detects a /Colors name followed by a very big number (larger than 2^24 or 16777216).

Ruining the bad guy's day

October 14, 2009, 09:21:35 pm
Reply #9

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Message from Didier Stevens on Twitter:

Quote
Not good! My PoC for CVE-2009-3459 still crashes Adobe Reader 9.2.0. Informed Adobe PSIRT
Ruining the bad guy's day