On Sat, 27 Jan 2024 03:52:01 -0500 Bob Rudis <b...@rud.is> wrote:
> Two VT sandboxes used Adobe Acrobat Reader to open the PDF and the PDF
> seems to either have had malicious JavaScript or have been crafted
> sufficiently to cause a buffer overflow in Reader that then let it
> perform other functions on those sandboxes.

Let's talk package versions and SHA-256 hashes of poweRlaw/inst/doc/d_jss_paper.pdf.

poweRlaw version 0.70.4:
Packaged: 2020-04-07 14:55:32 UTC
Date/Publication: 2020-04-07 16:10:02 UTC
SHA-256(poweRlaw/inst/doc/d_jss_paper.pdf): 96535de112f471c66e29b74c77444b34a29b82d6525c04d477ed2d987ea6ccae
Not previously uploaded to VirusTotal, currently checks out clean:
https://www.virustotal.com/gui/file/96535de112f471c66e29b74c77444b34a29b82d6525c04d477ed2d987ea6ccae

poweRlaw version 0.70.5:
Packaged: 2020-04-23 15:36:49 UTC
Date/Publication: 2020-04-23 16:40:06 UTC
SHA-256(poweRlaw/inst/doc/d_jss_paper.pdf): 5f827302ede74e1345fba5ba52c279129823da3c104baa821d654ebb8d7a67fb
Not previously uploaded to VirusTotal, also checks out clean:
https://www.virustotal.com/gui/file/5f827302ede74e1345fba5ba52c279129823da3c104baa821d654ebb8d7a67fb/behavior
For some reason, the Zenbox report shows a browser starting up and someone (something?) moving the mouse:
https://vtbehaviour.commondatastorage.googleapis.com/5f827302ede74e1345fba5ba52c279129823da3c104baa821d654ebb8d7a67fb_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv23...@developer.gserviceaccount.com&Expires=1706348766&Signature=KSTxSZJJUUv0FOA51Kwuot89ep4PKUDTY6tHL7kTyG7VwaMlF8VjmU90loeF4ytLBxKjkEtAk%2Ffr39xFrTTyOym3mehtc3HLyT9DS3C5qGa9OPVcu%2BfQfd8qr%2BRubBWb3SKNnhGpi%2Bn%2BTDhaiRx3PilEz%2BwVGiukfNUzWGBlGweG%2BmR1Y%2F0fIgDxJ3eyZ8KwTaocbywMoOLJeC1GSmoW8VYUAnFS2bb8P9Jt%2Bs%2F0axvAkc0M2pmSN3s2lpMq8u5P%2FZZ8yRIMdmv%2B1kUR5ajBdIa%2FHV8Vw8xAdNjZID6ozwAsmBOOizJmHgzr4zh1tX4V65qmcz8D3jctvDRKsuEqXA%3D%3D&response-content-type=text%2Fhtml;#overview
Lots of file activity. I think that all of it can be attributed to either normal Acrobat Reader activity or normal Chrome activity.

Then we come to poweRlaw version 0.70.6:
Packaged: 2020-04-24 10:44:31 UTC
Date/Publication: 2020-04-25 07:30:12 UTC
SHA-256(inst/doc/d_jss_paper.pdf): 9486d99c1c1f2d1b06f0b6c5d27c54d4f6e39d69a91d7fad845f323b0ab88de9
The Web Archive capture version 20201205222617 for the address https://cran.r-project.org/web/packages/poweRlaw/vignettes/d_jss_paper.pdf has the same SHA-256 hash.
This file is being disputed because some antivirus applications flag it:
https://www.virustotal.com/gui/file/9486d99c1c1f2d1b06f0b6c5d27c54d4f6e39d69a91d7fad845f323b0ab88de9/behavior
The behaviour is exactly the same as the one from version 0.70.5: the browser opens with a link to a wrong DOI. Some links are followed.
https://vtbehaviour.commondatastorage.googleapis.com/9486d99c1c1f2d1b06f0b6c5d27c54d4f6e39d69a91d7fad845f323b0ab88de9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv23...@developer.gserviceaccount.com&Expires=1706347808&Signature=Kv1LXUGvDe988Br0pU1AMlltjYY1K9sDwouvZrlzAVSspkdOGS9Ow%2Bg%2F3VjnQLEshx08QqgOHZzQcghownumPDUJLBbEHbOk6KG9IZSH43rxkYhTIy%2BYT5PfNFIupevbJA5XrnJHrm1wKho2%2BDb4t8vA4cgOJJY0UahXTbIMKUeUmPCKAzx9W5kYKj55WhNDrIPrEuni9EeGWkFV45kPr%2BBwYfl2hK4%2BWv6K78CB7zJtzFltF6P3pewafn5Lg3M3AY5YcZ4TryXi01t0dq04Fha83fLRP7JUkmcfpAJauA48Ct0XN7RdCRPSogb0TAGwG%2BDstxNzLAphOEsVju9LUQ%3D%3D&response-content-type=text%2Fhtml;#dropped-info
I've uploaded a decompressed version (prepared using qpdf in.pdf --stream-data=uncompress out.pdf) of the same file to VirusTotal, and there are no detections. Zero detections, but the behaviour is the same: some files are "dropped", but all of them relate to the cache of Acrobat Reader (which is nowadays a piece of Chrome) and of Chrome itself:
https://www.virustotal.com/gui/file/5acbc41f103c88a801db36fa72f01d4fa81b9afa1879c36235b1f5373d46ee1a/behavior

Finally, there's poweRlaw version 0.80.0:
Packaged: 2024-01-25 10:39:42 UTC
Date/Publication: 2024-01-25 18:00:02 UTC
SHA-256(inst/doc/d_jss_paper.pdf): 17c252a38e6c9bcfab90a69070b17c5e9d8a1713b7bb376badaeba28b3a38739
Same zero flags, same behaviour of starting the browser, same "dropped" files in the cache:
https://www.virustotal.com/gui/file/17c252a38e6c9bcfab90a69070b17c5e9d8a1713b7bb376badaeba28b3a38739/behavior
https://vtbehaviour.commondatastorage.googleapis.com/17c252a38e6c9bcfab90a69070b17c5e9d8a1713b7bb376badaeba28b3a38739_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv23...@developer.gserviceaccount.com&Expires=1706348864&Signature=UjXMjCvz0uTjS1sqyr5y%2FOwluE%2BskW9F2XupXuOs5JgODlsL1BuwJcWJ56xddQNEtKDHDOaXoRfNxynsffmSaza4yJD9hvPJ6%2BrNMibbB8hojY53g07WKnCd3wdaOmOHEqIP7Md06QWD4CnLEN0KlRvWdsUUA%2F9YTB1bAVqkIR%2FtiaJcRrOTAmdG%2F9Hwrq4xpiEBaFZzO%2FsQPVj3dzNS1LQEXOHFAfnOTaC1LlbBfn9QQWCPib%2FpCOL7huVYqIFSm%2FO8VHWv67JD1qwcTOY7JSl8XPw1ueyumRpF5xF1rpWYCPjC1awU8tho25A2COA7f7LSkku0BRqkuHYW3kuZaw%3D%3D&response-content-type=text%2Fhtml;#dropped-info

I've also uploaded a PDF that came directly from a US agency (NOAA) and got a similar report:
https://www.virustotal.com/gui/file/0dcffd0096f106229f3aa630bdc460c106c6dab81907535317e27ed00ddb4544/behavior
https://vtbehaviour.commondatastorage.googleapis.com/0dcffd0096f106229f3aa630bdc460c106c6dab81907535317e27ed00ddb4544_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv23...@developer.gserviceaccount.com&Expires=1706352702&Signature=rjPfqYbtDFcBAtwaqOQbnAvXe%2B%2FoxKUXqliRCqXh77vi2s0lK81O1m8t0YdYIT9KQdcBwGS2Dk2l2tfdC9DmdWEzAukgJVMJ3uqrs0RDQVTP83Y5jmPghvT6OeiTzC%2BMNCs%2F3CVgHSwjQy2dAvWD1vLly0GnkueJAHjs%2BrWXfoSdMfzb96hzXF0kgPS8VoEogOeDG1DZ7oEZVUlQ3jEv3sBkrt3rFIqeV8LW2xdN7bsiGGRNyjdaF7i1tOvi5UrT87D7vVgT2FRVxySzTPQ3d9JnSLO2t%2B1Gk9Of1l6ASUuTWj3hS5JXao8a0Qm%2BDnNhgSKZ9Bq7LaXCs%2Fc7PIJT5w%3D%3D&response-content-type=text%2Fhtml;#dropped-info
(It's actually worse because there's a Firefox crash, but there are still a lot of "dropped" files in the Acrobat Reader cache.)

How is the potentially malicious poweRlaw_0.70.6.tar.gz/poweRlaw/inst/doc/d_jss_paper.pdf with SHA-256 hash 9486d99c1c1f2d1b06f0b6c5d27c54d4f6e39d69a91d7fad845f323b0ab88de9 different from all the other files considered here, besides a few flags from non-major AVs that disappear when the PDF is repacked using a content-preserving program?

--
Best regards,
Ivan

______________________________________________
R-package-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-package-devel
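The comparison in the message above is done by hand: hash each copy of the vignette, repack one with qpdf, re-hash, and look for anything in the file that could explain a sandbox opening a browser. The script below is an added example (not code from the thread, from the poweRlaw package, or from qpdf) that does the same triage offline in Python. For each PDF it reports the SHA-256 of the bytes as shipped (what VirusTotal keys on), a SHA-256 over the decoded stream content only (so a content-preserving repack such as qpdf --stream-data=uncompress compares equal), and a count of the dictionary keys (/JavaScript, /JS, /OpenAction, /AA, /Launch, /URI, ...) that let a PDF run script, open a URL or launch a program. The PDFs are constructed in memory with a placeholder link target; they stand in for the vignette only in shape, and the "bad" variant carrying an /OpenAction is constructed to show what a detection would look like.

```python
"""Static PDF triage, added illustration; not code from the thread,
from the poweRlaw package or from qpdf.  All PDFs here are constructed
in memory; the link target is a placeholder."""
import hashlib
import re
import zlib

# Keys worth a second look.  /URI explains a sandbox that "opens a
# browser"; /JavaScript, /JS, /OpenAction and /AA are what a malicious
# document needs to run code when opened (pdfid-style list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/URI", b"/EmbeddedFile", b"/RichMedia", b"/XFA")

# stream ... endstream pairs; the lookbehind keeps "endstream" from
# starting a bogus match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def build_pdf(compress: bool, javascript: str = "") -> bytes:
    """Construct a minimal one-page PDF with a /URI link annotation.

    compress=True stores the page content Flate-compressed, as LaTeX/R
    builds ship it; compress=False is the qpdf --stream-data=uncompress
    shape.  A non-empty `javascript` is attached as an /OpenAction so
    the bad case is visible to triage.  No xref table: nothing here
    renders the file and readers rebuild it anyway."""
    content = b"BT /F1 24 Tf 72 720 Td (poweRlaw vignette, constructed) Tj ET"
    body = zlib.compress(content) if compress else content
    filt = b" /Filter /FlateDecode" if compress else b""
    action = (b" /OpenAction << /S /JavaScript /JS (" + javascript.encode() + b") >>"
              if javascript else b"")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + action + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
        b" /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d%s >>\nstream\n" % (len(body), filt) + body + b"\nendstream",
        # placeholder URL, not the DOI from the real vignette
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
        b" /A << /S /URI /URI (https://example.org/placeholder-doi) >> >>",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _inflate(body: bytes) -> bytes:
    """Inflate a Flate stream; anything else (or a broken one) comes back as-is."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return body


def content_digest(pdf: bytes) -> str:
    """SHA-256 over the decoded stream bodies, in file order.  Two files
    that differ only in stream compression agree here.  Note what it
    ignores: every dictionary outside a stream, the catalog included."""
    h = hashlib.sha256()
    for m in STREAM_RE.finditer(pdf):
        body = _inflate(m.group(1))
        h.update(len(body).to_bytes(8, "big") + body)
    return h.hexdigest()


def inflate_streams(pdf: bytes) -> bytes:
    """The file with every Flate stream body replaced by its inflated form,
    so keys kept inside compressed object streams become searchable."""
    return STREAM_RE.sub(lambda m: b"stream\n" + _inflate(m.group(1)) + b"\nendstream", pdf)


def triage(pdf: bytes) -> dict:
    """Count ACTIVE_KEYS on the inflated, name-unescaped bytes.  Names may
    be written with #xx escapes (/J#61vaScript), so those are resolved
    first.  Returns {key: count} for keys seen at least once."""
    data = inflate_streams(pdf)
    data = re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)
    return {k.decode(): data.count(k) for k in ACTIVE_KEYS if k in data}


if __name__ == "__main__":
    samples = {
        "shipped (Flate)": build_pdf(compress=True),
        "repacked (uncompressed)": build_pdf(compress=False),
        "with OpenAction JS": build_pdf(compress=True, javascript="app.alert(1)"),
    }
    for name, pdf in samples.items():
        print(f"{name:24s} file={sha256_hex(pdf)[:12]} "
              f"content={content_digest(pdf)[:12]} {triage(pdf)}")
```

Two things the run makes visible. The shipped and repacked files have different file hashes (which is why a repacked upload is a fresh, undetected object on VirusTotal) but the same content digest, and both carry nothing but the /URI link that accounts for a sandbox launching a browser. The content digest is blind to changes outside streams, though: the variant with an /OpenAction JavaScript entry hashes identically to the clean one, so the key count, not the digest, is what separates them; keep both. String-level counting is the pdfid approach and will not see inside an encrypted PDF, so treat a zero-count result on an encrypted file as "unknown", not "clean". To feed in the real bytes the thread is hashing, extract the member straight from the CRAN tarball (GNU tar and bsdtar both support -O to stdout): tar -xOf poweRlaw_0.70.6.tar.gz poweRlaw/inst/doc/d_jss_paper.pdf > d_jss_paper.pdf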