Skip to content

Commit 2225a2e

Browse files
jonaslejonclaude
andcommitted
Fix URL preservation in obfuscation and add test results
- Fix obfuscation to only encode URLs in /URI actions, not FileSpec /F entries (which need literal URLs for network requests) - Add obfuscation test results to README showing all levels work against both Acrobat DC and vulnerable PDF.js Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent ee7e209 commit 2225a2e

2 files changed

Lines changed: 25 additions & 5 deletions

File tree

README.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -138,6 +138,26 @@ Only the **Thread action** (test31) produced a callback on the latest Adobe Acro
138138

139139
PDF.js v5.6.205 blocks all callback vectors. The CVE-2024-4367 FontMatrix injection (test29) is patched since v4.2.67.
140140

141+
### Obfuscation Levels vs Adobe Acrobat DC v26.001.21367 — test31 (Thread action)
142+
143+
| Level | Techniques Applied | Callback? |
144+
|-------|--------------------|-----------|
145+
| 0 | None | **YES** |
146+
| 1 | PDF name hex encoding + string octal/hex | **YES** |
147+
| 2 | + JS bracket notation + javascript: URI case variation | **YES** |
148+
| 3 | + FlateDecode stream compression | **YES** |
149+
150+
### Obfuscation Levels vs PDF.js v4.1.392 (vulnerable) — test29 (CVE-2024-4367)
151+
152+
| Level | Techniques Applied | Callback? |
153+
|-------|--------------------|-----------|
154+
| 0 | None | **YES** |
155+
| 1 | PDF name hex encoding + string octal/hex | **YES** |
156+
| 2 | + JS bracket notation + javascript: URI case variation | **YES** |
157+
| 3 | + FlateDecode stream compression | **YES** |
158+
159+
All obfuscation levels produce callbacks on both viewers. The obfuscation only changes the PDF structural layer (name tokens, string encoding, stream compression) without affecting the actual exploit payloads.
160+
141161
## Todo / Won't implement
142162
- ~~CVE-2023-26369 - Adobe Acrobat TTF font heap OOB write~~ — Requires binary exploitation (heap spray, ROP chains, shellcode). No public PoC. Cannot produce a simple callback.
143163
- ~~CVE-2021-28550 - Adobe Acrobat Use-After-Free~~ — Requires binary exploitation chain + sandbox escape (CVE-2021-31199/31201). No public PoC. Cannot produce a simple callback.

malicious-pdf.py

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -215,17 +215,17 @@ def _obf_js_content(m):
215215
data = re.sub(rb'/JS\s*\(', lambda m: _name_to_hex(b'/JS') + b' (', data)
216216
data = re.sub(rb'/AA\s*<', lambda m: _name_to_hex(b'/AA') + b' <', data)
217217

218-
# Obfuscate URL strings - find (http...) and (\\...) patterns
219-
# Convert ~50% of literal strings containing URLs to hex strings
218+
# Obfuscate URL strings in /URI actions only (not FileSpec /F which needs literal URLs)
219+
# FileSpec URLs must stay literal for the viewer to make network requests
220220
def _maybe_hex_string(m):
221221
if random.random() < 0.5:
222222
return _string_to_hex(m)
223223
return _string_to_octal(m)
224224

225-
# Match strings containing http/https URLs (but not JS code which has nested parens)
225+
# Only match URLs in /URI context (not preceded by /F or /FileSpec)
226226
data = re.sub(
227-
rb'\((https?://[^()]*)\)',
228-
_maybe_hex_string,
227+
rb'(/URI\s*)\((https?://[^()]*)\)',
228+
lambda m: m.group(1) + _maybe_hex_string(re.match(rb'\((.*)\)', b'(' + m.group(2) + b')')),
229229
data
230230
)
231231

0 commit comments

Comments
 (0)