Hacker Finds a Way to Exploit PDF Files, Without Vulnerability
SEE: Updated report with response from Adobe and FoxIt Software
A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities.
The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.
Here’s the skinny from researcher Didier Stevens:
I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.
Although PDF viewers like Adobe Reader and Foxit Reader don't allow embedded executables (like binaries and scripts) to be extracted and executed, Stevens discovered another way to launch a command (/Launch /Action), and ultimately run an executable he embedded using a special technique.
Stevens said Adobe’s PDF Reader will block the file from automatically opening but he warned that an attacker could use social engineering tricks to get users to allow the file to be opened.
With Foxit Reader, there is no warning whatsoever.
Stevens has not released the proof-of-concept file. The issue has been reported to Adobe’s security response team.
With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).
Stevens tested his research on Adobe Reader 9.3.1 (Windows XP SP3 and Windows 7).
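Because the behaviour relies on a launch action that fires when the document is opened, a file can be triaged for it before anyone opens it. The script below is an added example, not code from the article or from Stevens: it counts the /Launch, /OpenAction and /AA names in raw PDF bytes, undoing the #XX escapes that PDF permits inside names, and its sample fragments are constructed. It only sees names that sit outside compressed streams, so it is a first-pass filter rather than a full parser.

```python
import re

# Names tied to the behaviour described above: a /Launch action, plus the
# entries that can trigger an action when a document or page is opened.
WATCHED = ("Launch", "OpenAction", "AA")

# A PDF name is "/" followed by bytes up to whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #XX escapes inside a name, so /L#61unch reads as Launch."""
    plain = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def count_names(data: bytes) -> dict:
    """Count watched names in the uncompressed parts of a PDF."""
    counts = {name: 0 for name in WATCHED}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def triage(data: bytes) -> str:
    """Classify a file by whether a launch action exists and can auto-fire."""
    c = count_names(data)
    if c["Launch"] and (c["OpenAction"] or c["AA"]):
        return "launch-on-open"   # quarantine and inspect by hand
    if c["Launch"]:
        return "launch-present"   # needs a click, still worth review
    return "no-launch"


# Constructed fragments for illustration (not taken from any real file).
SAMPLE_BENIGN = b"<< /Type /Catalog /OpenAction [3 0 R /Fit] >>"
SAMPLE_LAUNCH = b"<< /Type /Catalog /OpenAction << /S /Launch >> >>"
SAMPLE_ESCAPED = b"<< /Type /Catalog /OpenAction << /S /L#61unch >> >>"
SAMPLE_LINK = b"<< /Type /Annot /A << /S /Launch >> >>"

if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN), ("launch", SAMPLE_LAUNCH),
                        ("escaped", SAMPLE_ESCAPED), ("link", SAMPLE_LINK)]:
        print(label, triage(blob), count_names(blob))
```

A hit means the file deserves manual inspection, not that it is malicious: the same names can appear in legitimate documents or inside literal text.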
Comments
Wow!!! Very interesting...
Thank God Didier decided to do the right thing and forward it to Adobe, we have enough idiots slinging junk around the internet for even bigger idiots to ruin our lives online...
Evince is fine - exploit doesn't run, I switched a couple weeks back because I had enough of Adobe.
It's fast, and free.. perfect if you want a reader.
Thanks to Slashdot.org for the advice.
http://projects.gnome.org/evince/
Or just Okular.....oh a Windows exploit? Yawn....
Any idea if other platforms, like Linux and OS X, could be targeted the same way? Is using an alternate reader a solution? (Most OS X users would use the included Apple Preview app instead of the Adobe reader)
I doubt this would affect PDF renderers like GhostScript, would it?
Way to label all security researchers as "hackers." If it was the original connotation of the word, I wouldn't be upset. As it is, it's rather misleading to the layperson. This is a *very* good thing for security, as the flow of information was controlled.
Didier Stevens is an amazing security researcher, and deserves full credit for this work and the responsible notification of Adobe. Here's to hoping they respond quickly and competently, for the first time.
-Jeff McJunkin
>This article indicates it's a problem with the PDF specification, not buggy software, so everyone's favorite reader probably should have the same hole. Enjoy!
Only if your reader supports the "/Launch" command, which most non-Windows readers don't :)
Maybe it's restricted to Foxit/Adobe Reader? Try to open with Sumatra PDF and the exploit doesn't run either [win7/winxp]
If you read the comments under the original blog post you will find out that it works with acroread as well if you change the code a bit. @McJunkin the mass media is even worse calling everyone who is interviewed and involved anyhow with the discussed matter an expert.
The Foxit people have published a patched version now
Is this something really new?
I believe that is how ProText, one of the TeX distributions for Windows, gets installed. From what I remember, you fire up the installer and it opens up a PDF file. You start reading it, the instructions in the PDF tell you to click <here> if you want to install <this_component> and so on. If you click, the installer for that component starts. Once you finish reading the PDF you are done with the installation, with all components you needed to start your work !!
A catchy way to install a type-setting software :)
Back in the day, it used to be a good thing to be a hacker - as hackers were research oriented and took code apart to discover new things, or find hidden flaws. Only recently has it been a bad thing to be a hacker.