Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Adobe Acrobat Reader DC annotation gestures integer overflow vulnerability - 758

Cisco Talos, posted 4 years ago
  • Adobe Reader is a feature-rich PDF reader. Reader supports embedded JavaScript to allow for interactive PDFs. JavaScript allows manipulation of form fields, annotations and other page content in a PDF document.
  • When adding an annotation to a page, the following call can be used. The gestures value is an array of X,Y coordinate pairs.
    document.addAnnot({page:0, type: "Ink", point: [1,1,1,1],popupOpen : " ",gestures : arrayOfArrayOfCoordinates});
    
  • When the array of coordinates is passed into the annotations API, it appears to take an object and an index into the object as the key. Reader converts an argument of -1 with atoi, and the resulting signed integer is interpreted as 0xFFFFFFFF. However, there is validation to make sure that the value is not bigger than 0x55555. All seems good, right?
  • When the validation occurs, it adds 1 to the value, because the index is 0-based while the length starts at 1. When 1 is added to 0xFFFFFFFF, the addition overflows and the value wraps to 0. A value of 0 passes the validation, even though 0xFFFFFFFF is far too large an index for the array being accessed.
  • This integer overflow leads to data outside the buffer being accessed. Since the buffer is an array of pointers, it can be used to dereference arbitrary objects in memory. Additionally, with JavaScript, the heap can be shaped so that the dereferenced object is something we control. Eventually, this could be taken to code execution.
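To make the bug class concrete, here is an added example (not code from the Talos report or from Adobe) that contrasts a bounds check written the way the notes describe, where index+1 is compared against the limit, with a check that compares the parsed index directly against the real array length. The limit 0x55555 comes from the notes above; the function names, the string-based input and the array length are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_GESTURE_INDEX 0x55555u /* limit quoted in the notes above */

/* Vulnerable pattern: the index is parsed with atoi(), viewed as a 32-bit
 * unsigned value, and the check is done on index + 1. For "-1" the value
 * becomes 0xFFFFFFFF, the +1 wraps to 0, and 0 <= 0x55555 passes.
 * Returns true when the index is (wrongly) accepted. */
bool check_index_vulnerable(const char *s) {
    uint32_t idx = (uint32_t)atoi(s); /* "-1" -> 0xFFFFFFFF */
    uint32_t len = idx + 1;           /* 0xFFFFFFFF + 1 wraps to 0 */
    return len <= MAX_GESTURE_INDEX;  /* wrapped 0 passes the check */
}

/* Hardened pattern: parse into a wide signed type, reject anything that is
 * not a pure integer or is negative, and compare the index itself against
 * the actual element count. No arithmetic on the untrusted value, so there
 * is nothing to wrap. Returns true only for 0 <= idx < array_len. */
bool check_index_hardened(const char *s, size_t array_len) {
    char *end = NULL;
    long long v = strtoll(s, &end, 10);
    if (end == s || *end != '\0') return false; /* not a pure integer */
    if (v < 0) return false;                     /* negative index */
    if ((unsigned long long)v >= array_len) return false;
    return true;
}

int main(void) {
    const char *inputs[] = {"-1", "3", "4", "400000", "abc"};
    size_t array_len = 4; /* assumed size of the pointer array */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-7s vulnerable=%d hardened=%d\n", inputs[i],
               check_index_vulnerable(inputs[i]),
               check_index_hardened(inputs[i], array_len));
    }
    return 0;
}
```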