topic Re: PDF exploit evasion(33939) in General Topics

PDF exploit evasion(33939)

tomohiro.sanematsu — Sat, 17 Mar 2012 06:37:59 GMT

Dear all,

Our device warned us of pdf exploit evasion. (id:33939)

But, no information on that.

Please give me information.

Best regards

tomohiro

Re: PDF exploit evasion(33939)

mikand — Sat, 17 Mar 2012 11:21:50 GMT

When you login to https://support.paloaltonetworks.com/ click on "Threat Database" in "Find Answers" (to the left or the right).

In the search box type "33939" (without the quotes), make sure "vulnerability" (for this case) is selected in "type" and finally click on the Find-button.

However... doing the above will only bring you the obvious:

"
Detail

Attack Name     PDF Exploit Evasion Found
Description     This alert indicates that PDF exploit evasion has been found on your network.
Threat ID     33939
Severity
informational
Category     info-leak
"

So ehm... anyone else with ideas? 🙂

Re: PDF exploit evasion(33939)

tettema — Mon, 19 Mar 2012 17:22:26 GMT

Hi Tomohiro,

This signature is looking for use of double- and triple-encoded data within PDFs. This is a commen evasion technique that malicious PDFs use to hide their malicious payload. However, legimate PDFs can sometimes use double- (and perhaps triple-) encoded data as well, and so this signature is rated as "informational". In fact, some PDF reports generated by the Palo Alto Networks firewalls can trigger this informational signature.

This signature, just like any other informational signature, is not the highest priority and should not necessarily trigger immediate alarm, however keeping an eye on instances of this alert for PDFs from untrusted sources is a good idea.

Re: PDF exploit evasion(33939)

tomohiro.sanematsu — Wed, 21 Mar 2012 03:55:29 GMT

Hi, tettema

Thank you for your explanation. I understood this sigunagure.

Best regards,

Tomohiro