
Black Hat Asia Security researchers have designed a tool that finds flaws in the way apps like Microsoft Word and Adobe Acrobat process JavaScript, and it has been so effective that they have found 134 bugs: 59 of them judged by vendors to be worth fixing, 33 assigned CVE numbers, and 17 producing bug bounty payouts totaling $22,000.
The tool is named “Cooper” – a reference to the “cooperative mutation” technique employed by the tool.
Speaking at the Black Hat Asia conference in Singapore, Chinese Academy of Sciences PhD student Xu Peng, one of the tool's co-authors, explained that Word and Acrobat accept input from scripting languages. Acrobat, for example, allows JavaScript to manipulate PDF files.
For this to happen, the PDF must both define native PDF objects and parse the JavaScript code. Native objects are processed by Acrobat modules and an integrated JavaScript engine manages the scripts. A “binding layer” does the translation.
In his talk and a paper [PDF] describing Cooper, Xu and his collaborators claim that the binding code "is prone to inconsistent semantics and security flaws, which lead to severe vulnerabilities."
Talk of severe vulnerabilities isn't just bluster. Cooper identified CVE-2021-21028 and https://nvd.nist.gov/vuln/detail/CVE-2021-21035, a pair of flaws in Acrobat rated 8.8/10.
Xu said Cooper can find such flaws because the cooperative mutation technique he uses “simultaneously modifies script code and related document objects to explore various code paths of binding code.” This approach contrasts with other defensive techniques that check for flaws in scripts.
As explained on the tool's GitHub page, Cooper has three components:
- Object grouping: First, Cooper parses the given example documents to extract the native objects. To reduce the object search space, Cooper categorizes objects into different classes based on their attributes.
- Relationship inference: Then, Cooper produces a large number of documents by combining different object classes and API groups, and records the execution results of the embedded scripts. Based on the script execution success rate and object class distribution, Cooper infers the relationships between API groups and object classes.
- Relationship-driven mutation: Finally, Cooper exploits the inferred relationships to guide object selection, script generation, and object mutation.
Cooper is therefore in some ways an elaborate fuzzing tool: the inferred relationships guide the search for the conditions under which scripts, applications, and the binding layer produce undesirable and/or dangerous behavior.
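To make the three steps above concrete, here is a small added illustration (not Cooper's own code) that groups a handful of constructed PDF objects by their attributes, infers API-group-to-class relationships from a constructed execution log, and uses those relationships to choose what to mutate; the object samples, API group names, log records and threshold are all assumptions for the sake of the example.

```python
import random
from collections import defaultdict
# Constructed sample of native PDF objects, as the parser would extract them.
SAMPLE_OBJECTS = [
    {"/Type": "/Annot", "/Subtype": "/Widget", "/FT": "/Tx", "/T": "name"},
    {"/Type": "/Annot", "/Subtype": "/Widget", "/FT": "/Btn", "/T": "ok"},
    {"/Type": "/Annot", "/Subtype": "/Link", "/Rect": [0, 0, 10, 10]},
    {"/Type": "/Page", "/Contents": "4 0 R"},
]

def object_class(obj):  # step 1: class = the set of attribute names the object carries
    return "+".join(sorted(obj))

def group_objects(objects):  # step 1: bucket objects by class to shrink the search space
    groups = defaultdict(list)
    for obj in objects:
        groups[object_class(obj)].append(obj)
    return dict(groups)
WIDGET, LINK, PAGE = (object_class(SAMPLE_OBJECTS[i]) for i in (0, 2, 3))
# Constructed execution log: one record per generated document, noting which API
# group was scripted against which object class and whether the script ran cleanly.
EXECUTION_LOG = [
    ("field_api", WIDGET, True), ("field_api", WIDGET, True), ("field_api", WIDGET, False),
    ("field_api", LINK, False), ("field_api", PAGE, False),
    ("annot_api", WIDGET, True), ("annot_api", LINK, True), ("annot_api", PAGE, False),
    ("page_api", PAGE, True), ("page_api", WIDGET, False), ("page_api", LINK, False),
]

def infer_relationships(log, threshold=0.5):
    """Step 2: success rate per (API group, class); keep pairs at or above threshold."""
    counts = defaultdict(lambda: [0, 0])  # (api, cls) -> [successes, trials]
    for api, cls, ok in log:
        counts[(api, cls)][0] += int(ok)
        counts[(api, cls)][1] += 1
    related = defaultdict(dict)
    for (api, cls), (succ, total) in counts.items():
        if succ / total >= threshold:
            related[api][cls] = succ / total
    return dict(related)

def mutate_with_relationship(api, related, groups, rng):
    """Step 3: pick an object from a class related to the API and perturb one attribute."""
    cls = rng.choice(sorted(related[api]))
    obj = dict(rng.choice(groups[cls]))
    key = rng.choice(sorted(obj))
    obj[key] = rng.choice([None, -1, 2**31, "", [], obj[key]])  # typical boundary values
    return cls, obj

def demo(seed=1):  # seeded so the run is reproducible
    return mutate_with_relationship("page_api", infer_relationships(EXECUTION_LOG),
                                    group_objects(SAMPLE_OBJECTS), random.Random(seed))
```

Feeding `field_api` scripts to link or page objects never succeeds in the constructed log, so only the widget class survives the threshold and later mutation effort is spent there rather than across every object class.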
The tool itself is a set of Python scripts and is available for download here.
The project was created by Xu Peng and Professor Purui Su, both of the Chinese Academy of Sciences, security researcher Yanhao Wang of the QI-ANXIN Institute of Technological Research, and Hong Hu, an assistant professor at Pennsylvania State University. ®