Vulnerability file using a confusion technique? - Vulnerability warning-the black bar safety net

2012-11-24T00:00:00
ID MYHACK58:62201235703
Type myhack58
Reporter 佚名
Modified 2012-11-24T00:00:00

Description

Vulnerability file using a confusion technique? We are following it to a PDF file, for example:

For PDF file parsing, you must first be familiar with PDF files of each type, looks like all the official PDF files of the documents are in English. So there is no way, bite the bullet and go read it, if you own the English be confident that it is here to see reference. In addition you can find some domestic writing-related information. Familiar with PDF files of each type after, how to parse PDF file? My current approach is to find the PDF file inside the keywords section, do the drawbacks is for the Obj object in the stream object(stream)contain content that is Can't find. In addition there are some PDF vulnerabilities file using some obfuscation techniques, This PDF file is temporarily no good way to resolve. As in the following case:

%PDF-1.5

1 0 obj

<>

endobj

The keyword here is to consider generally the malicious PDF file, mainly for the following key segments(personal opinion and holes not involved in the relationship is not considered)lookup and parsing, as shown below:

·obj

·endobj

·stream

·endstream

·xref

·trailer

·startxref

·/Page

·/Encrypt

·/ObjStm

·/JS

·/JavaScript

·/AA

·/OpenAction

·/AcroForm

·/URI

·/Filter

·/JBIG2Decode

·/RichMedia

·/Launch

Parsing ideas:

Here is that almost every PDF file contains the first 7 fields, there may be do not contain stream and endstream in. Supposedly there are also some PDF documents without xref or trailer, but this situation is relatively rare. If a PDF documents without xref or trailer keyword segments, you can determine it is not a malicious PDF file.

[1] [2] next