Find malicious PDF files using PHP validation?

Question

Currently for file validations the following actions are implemented,

• File type validations using MIME details like application/pdf
• Validating the file extensions along with MIME details.

But some PDF files contains the malicious scripts like JavaScript to damage the system

More details about the PDF attacks:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2992

Question: For this case any recommended solutions?

Answer 1

Take a look into this project https://github.com/urule99/jsunpack-n - A Generic JavaScript Unpacker

jsunpack-n emulates browser functionality when visiting a URL. It's purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input: ( also PDFs* )

By looking into ths file https://raw.githubusercontent.com/urule99/jsunpack-n/master/pre.js it looks like it directly addresses your problem.

var util = {
375     printf : function(a,b){print ("//alert CVE-2008-2992 util.printf length ("+ a.length + "," + b.length + ")\n"); },

On upload I would feed pdf into this tool and check the results.

Below some interesting resouces related to that vunelabirity which explain everything in-depth.

http://resources.infosecinstitute.com/hacking-pdf-part-1/

http://resources.infosecinstitute.com/hacking-pdf-part-2/

In part 2 of the article there is a fragment saying that you can use Spider monkey to execute pre.js (the file I mentioned eariler ) to get info about CVE

js -f pre.js -f util_printf.pdf.out

//alert CVE-2008-2992 util.printf length (13,undefined)