Hacker Finds a Way to Exploit PDF Files, Without Vulnerability


SEE: Updated report with response from Adobe and FoxIt Software

A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities.

The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. 

Here’s the skinny from researcher Didier Stevens.

I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.

Although PDF viewers like Adobe Reader and Foxit Reader don’t allow embedded executables (like binaries and scripts) to be extracted and executed, Stevens discovered another way to launch a command (/Launch /Action), and ultimately run an executable he embedded using a special technique.

Stevens said Adobe’s PDF Reader will block the file from automatically opening, but he warned that an attacker could use social engineering tricks to get users to allow the file to be opened.

With Foxit Reader, there is no warning whatsoever.

Stevens has not released the proof-of-concept file. The issue has been reported to Adobe’s security response team.

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

Stevens tested his research on Adobe Reader 9.3.1 (Windows XP SP3 and Windows 7).
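A defender's triage check for the launch action described above, as an added example that is not from the article or from Stevens's PoC: it counts PDF name tokens in raw file bytes and reports whether a /Launch action is present together with an automatic trigger (/OpenAction or /AA). The function names, the list of flagged names and the sample bytes are this example's own constructions; names inside compressed object streams are not seen by a raw-byte scan.

```python
import re

# Names this example flags; the list is this example's own choice.
FLAGGED = ("/Launch", "/OpenAction", "/AA")

# A PDF name is "/" followed by bytes that are neither whitespace nor delimiters.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Decode #xx escapes, which the PDF spec permits inside names."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(data: bytes) -> dict:
    """Count flagged names in raw PDF bytes (compressed streams are not inflated)."""
    counts = dict.fromkeys(FLAGGED, 0)
    for match in _NAME.finditer(data):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(data: bytes) -> str:
    """Classify a file by whether a launch action exists and has an automatic trigger."""
    c = count_names(data)
    if c["/Launch"] and (c["/OpenAction"] or c["/AA"]):
        return "launch-on-open"   # candidate for quarantine at a mail or web gateway
    if c["/Launch"]:
        return "launch-action"    # present, but no automatic trigger was found
    return "no-launch"


# Constructed fragments (not valid PDFs); the /F value is a placeholder.
SAMPLE_LAUNCH = (b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                 b"2 0 obj << /Type /Action /S /L#61unch /F (PLACEHOLDER) >> endobj\n")
SAMPLE_CLICK = b"3 0 obj << /Type /Action /S/Launch /F (PLACEHOLDER) >> endobj\n"
SAMPLE_PLAIN = b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, blob in (("launch", SAMPLE_LAUNCH), ("click", SAMPLE_CLICK),
                        ("plain", SAMPLE_PLAIN)):
        print(label, verdict(blob), count_names(blob))
```

Because the scan works on name tokens rather than rendering the file, a hit means the file needs a closer look, not that it is malicious; legitimate documents also use launch actions.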

Discussion

  • Cronos7 on

    Wow!!! very interesting...

  • Anonymous on

    Thank God Didier decided to do the right thing and forward it to Adobe, we have enough idiots slinging junk around the internet for even bigger idiots to ruin our lives online...

  • Anonymous on

    Evince is fine - exploit doesn't run, I switched a couple weeks back because I had enough of Adobe.

    It's fast, and free.. perfect if you want a reader.

    Thanks to Slashdot.org for the advice.

    http://projects.gnome.org/evince/

  • bertmanphx on

    Or just Okular.....oh a Windows exploit?  Yawn....

  • Dbug on

    Any idea if other platforms, like Linux and OS X, could be targeted the same way? Is using an alternate reader a solution? (Most OS X users would use the included Apple Preview app instead of the Adobe reader)

  • Anonymous on

    I doubt this would affect PDF renderers like GhostScript, would it?

  • Anonymous on

    This article indicates it's a problem with the PDF specification, not buggy software, so everyone's favorite reader probably should have the same hole. Enjoy!

  • Jeff McJunkin on

    Way to label all security researchers as "hackers." If it was the original connotation of the word, I wouldn't be upset. As it is, it's rather misleading to the layperson. This is a *very* good thing for security, as the flow of information was controlled.

    Didier Stevens is an amazing security researcher, and deserves full credit for this work and the responsible notification of Adobe. Here's to hoping they respond quickly and competently, for the first time.

    -Jeff McJunkin

  • F.Ultra on

    >This article indicates it's a problem with the PDF specification, not buggy software, so everyone's favorite reader probably should have the same hole. Enjoy!

    Only if your reader supports the "/Launch" command, which most non-windows readers don't :)

     

  • Anonymous on

    maybe it's restricted to foxit/adobe reader? try to open with sumatra pdf and the exploit doesn't run too [win7/winxp]

  • Anonymous on

    If you read the comments under the original blog post you will find out that it works with acroread as well if you change the code a bit. @McJunkin the mass media is even worse calling everyone who is interviewed and involved anyhow with the discussed matter an expert.

  • Anonymous on

    The foxit people have published a patched version now

  • ThomasJ on

    Is this something really new?

    I believe that is how ProText, one of the TeX distributions for Windows, gets installed. From what I remember, you fire up the installer and it opens up a PDF file. You start reading it, the instructions in the PDF tell you to click <here> if you want to install <this_component> and so on. If you click, the installer for that component starts. Once you finish reading the PDF you are done with the installation, with all components you needed to start your work !!

    A catchy way to install a type-setting software :)

  • Anonymous on

    Back in the day, it used to be a good thing to be a hacker - as hackers were research oriented and took code apart to discover new things, or find hidden flaws.  Only recently has it been a bad thing to be a hacker.
