douleijiang8111
2016-09-21 11:28
57 views
Accepted

Using PHP validation to detect malicious PDF files?

Currently, for file validation, the following actions are implemented:

  • File type validations using MIME details like application/pdf
  • Validating the file extensions along with MIME details.

But some PDF files contain malicious scripts, like JavaScript, to damage the system.

More details about the PDF attacks:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2992

Question: For this case any recommended solutions?


3 answers

  • duandou8457 2016-09-24 01:06
    Accepted answer

    Take a look into this project https://github.com/urule99/jsunpack-n - A Generic JavaScript Unpacker

    jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input (also PDFs).

    By looking into this file https://raw.githubusercontent.com/urule99/jsunpack-n/master/pre.js it looks like it directly addresses your problem.

    // Excerpt from jsunpack-n's pre.js: the emulated util.printf only reports the
    // argument lengths, which is how the CVE-2008-2992 pattern gets flagged.
    var util = {
        printf : function(a, b) {
            print("//alert CVE-2008-2992 util.printf length (" + a.length + "," + b.length + ")");
        },
        // ... further emulated Acrobat API functions follow in pre.js
    };
    

    On upload I would feed pdf into this tool and check the results.

    Below are some interesting resources related to that vulnerability which explain everything in-depth.

    http://resources.infosecinstitute.com/hacking-pdf-part-1/

    http://resources.infosecinstitute.com/hacking-pdf-part-2/

    In part 2 of the article there is a fragment saying that you can use SpiderMonkey to execute pre.js (the file I mentioned earlier) to get info about the CVE:

    js -f pre.js -f util_printf.pdf.out

    //alert CVE-2008-2992 util.printf length (13,undefined)

  • dqmdlo9674 2016-09-23 17:51

    I did this once a few years ago (no longer have code).

    • On upload
      • Scan the file for malicious code (similar to a virus scanner)
      • Deny or Allow file based on functional logic

    Malicious code is usually hidden inside base 64 functions inside of file meta, or using char codes to render the malicious code.

    You'll need to find a dictionary of common malicious code, or create your own and open the file with php functionality and scan for items within your dictionary (Array).

    At this point, you're probably thinking: that's not very optimized, or that would be slow...etc.

    This is correct; any time you throw in security, it does take a performance hit, but you could get around it by creating a new server that the files get uploaded to and scanned on and then passed back to the original server...etc.

    As far as scanners go, I'm sure you may find services or open source code; just found this one: https://github.com/mikestowe/Malicious-Code-Scanner/blob/master/phpMalCodeScanner.php (never used it, nor am I recommending it).

  • dongxianghui3709 2016-09-24 01:42

    Adding another answer, as the project below is much easier to use and is also able to find the CVE-2008-2992 vulnerability. I know you are asking about PHP, but you can simply run any script from PHP using, for example, escapeshellcmd.

    peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements; it supports all the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files.

    https://github.com/jesparza/peepdf

    Instructions: http://eternal-todo.com/tools/peepdf-pdf-analysis-tool

    You use it like below, and at the end you get all problematic elements with CVE info:

    $ ./peepdf.py -f fcexploit.pdf
    
    File: fcexploit.pdf
    MD5: 659cf4c6baa87b082227540047538c2a
    SHA1: a93bf00077e761152d4ff8a695c423d14c9a66c9
    Size: 25169 bytes
    Version: 1.3
    Binary: True
    Linearized: False
    Encrypted: False
    Updates: 0
    Objects: 18
    Streams: 5
    Comments: 0
    Errors: 1
    
    Version 0:
        Catalog: 27
        Info: 11
        Objects (18): [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 22, 23, 24, 25, 26, 27, 28]
            Errors (2): [11, 25]
        Streams (5): [5, 7, 9, 10, 11]
            Encoded (4): [5, 7, 9, 10]
        Objects with JS code (1): [5]
        Suspicious elements:
            /OpenAction: [1]
            /JS: [4]
            /JavaScript: [4]
            getAnnots (CVE-2009-1492): [5] 
    
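As an added example (not code from peepdf, jsunpack-n or any of the answers above), here is the static triage the last two answers describe, in Python: it looks for the name tokens peepdf reports under "Suspicious elements", also inside inflated FlateDecode streams and behind #xx name escapes, and returns a verdict an upload handler can act on. From PHP you would write the upload to a temp file, run this script with proc_open() and read the verdict; the token lists, the "review" tier and the sample file are assumptions.

```python
import re
import zlib

# Names peepdf lists above under "Suspicious elements", plus /AA, /Launch and /EmbeddedFile (assumed here).
REJECT_NAMES = (b"/JS", b"/JavaScript", b"/Launch", b"/EmbeddedFile")
REVIEW_NAMES = (b"/OpenAction", b"/AA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_END = rb"(?=[\s/<>\[\]()]|$)"  # a name token ends at whitespace or a PDF delimiter


def normalize_names(data: bytes) -> bytes:
    # Resolve #xx escapes (/J#61vaScript -> /JavaScript) so one escaped byte cannot hide a name.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    # Bodies of every stream that inflates as FlateDecode; raw or corrupt streams are skipped.
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return bodies


def count_names(view: bytes) -> dict:
    hits = {n.decode(): len(re.findall(re.escape(n) + NAME_END, view)) for n in REJECT_NAMES + REVIEW_NAMES}
    return {name: n for name, n in hits.items() if n}


def scan_pdf(data: bytes) -> dict:
    # Triage one upload: names in the raw bytes, names only visible after inflating
    # streams (an obfuscation signal), and a verdict the upload handler acts on.
    raw = count_names(normalize_names(data))
    hidden = {}
    for body in inflate_streams(data):
        for name, n in count_names(normalize_names(body)).items():
            if name not in raw:
                hidden[name] = hidden.get(name, 0) + n
    seen = set(raw) | set(hidden)
    if not data.startswith(b"%PDF-") or any(n.decode() in seen for n in REJECT_NAMES):
        verdict = "reject"          # wrong magic bytes or active content: refuse the upload
    else:
        verdict = "review" if seen else "accept"  # /OpenAction alone is common in benign files
    return {"raw": raw, "in_streams_only": hidden, "verdict": verdict}


def build_sample() -> bytes:
    # Constructed sample, not a real exploit: the JavaScript action sits in a FlateDecode
    # stream behind an escaped name, and the catalog carries an /OpenAction.
    body = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert(1)) >>")
    return (b"%PDF-1.3\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
            b"5 0 obj << /Filter /FlateDecode /Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")
```

This is a triage filter, not a parser: streams using a filter other than FlateDecode, object streams and encrypted files (all of which peepdf handles) are not inflated here, so pair it with the tool rather than replacing it.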
