Hacker Finds Multiple PDF Backdoors
Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF."
OK, I don't have Adobe Reader installed but rather Evince and gPDF; since these lack support for a lot of the additional features of PDF, am I any safer?
Software Freedom Day!
Huh huh, penetration.
</beavis_and_butthead>
Who started giving this title?
"It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
Funnypics
After reading the article I am not sure if this is an Adobe Reader problem or a PDF problem. Every example cites an Adobe product, but the "hacker" said, "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this." Translation?
How badly do you have to screw up to make it possible to hack through a virtual document?
The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.
I also mostly use evince. Neither test worked. They triggered this message:
"** (evince:18185): WARNING **: Unimplemented action: POPPLER_ACTION_UNKNOWN, please post a bug report with a testcase."
Note that a different implementation only gives you DIFFERENT bugs and holes, as anyone who has followed exploits in xpdf knows.
"He claims there are at least seven different ways to backdoor a PDF."
I've seen quite a bit of pr0n. There's way more than seven ways.
The theory of relativity doesn't work right in Arkansas.
Sources claim the exploits would have been found sooner if any other hackers had the patience to wait for PDFs to load.
Just when I thought I didn't like PDFs, up comes this neat little "Feature" to try and make me like them all the more...
Wait, this isn't a good thing, is it... And I'm willing to bet Adobe is not really all that happy about it either...
Maybe this will prod them into getting back to their roots of a simpler system that did not take 30+ seconds to start up and did not bring a browser to its knees when it decided to act up... Or maybe I could just be dreaming.
~Mozleron
Never underestimate the power of stupid people in large groups
That's assuming that by "PDF", he means "Pretty Drunk Female"....
Make sure you mod parent up, very funny.
"David Kierznowski, a penetration testing expert"
I wish I was a penetration test expert!
(My apologies for the above formatting, I was editing and the cat walked on the laptop, which normally doesn't result in a permanent mistake!)
Has everyone downloaded the new version of Firefox? Because 5 out of 7 of the vulns it fixes are JavaScript related. Why do we have to keep going through this? Are people in denial or something? We all know what the problem is. There's only one security advisory I'd like to see for JavaScript problems, the mother of all advisories:
Use FoxitReader (http://www.foxitsoftware.com), much lighter and faster than Adobe Reader, and probably with its own set of vulnerabilities, but unlikely to be much targeted.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
Since when is a respected security researcher a "HACKER"?!
Seriously. I know the old definition of "hacker" and have been proud to be called one (in that sense) in the past, but the headline clearly refers to the malicious definition of hacker. This headline seems to serve no purpose other than deliberately blurring the line between legitimate researchers and the jerks who exploit weaknesses.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Oh lord, we're doomed!
http://en.wikipedia.org/wiki/Omicron_Persei_VIII
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
Malvin: I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?
Jim Sting: [yelling] Mister Potato Head! Mister Potato Head! Back doors are not secrets!
Malvin: Yeah, but Jim, you're giving away all our best tricks!
Jim Sting: They're not tricks.
The vulnerabilities aren't in the format per se, but more in Adobe's implementation of their Acrobat products.
Apple, along with Preview, has its own implementation of rendering and viewing PDFs
Error 407 - No creative sig found
The Mac version of Acrobat reader is actually not affected by these vulnerabilities; they only occur on the Windows platform.
Create a directory parallel to the installdir/adobe/acrobat 7.0/acrobat/plug-ins/ directory, call it plug-not, and move all non-essential plug-ins into that directory.
I just want a reader, not a full fledged pseudo-browser app with tons of security exploits - there's already one called Internet Explorer on my PC!
So I've moved away: Accessibility, Acroform, ADBC, EScript, Multimedia, weblink, webpdf, etc.
Now when you open those "exploit" links, you get a pop-up saying, "The plug-in required by this 'URI' action is not available."
You get another benefit from this. Your acrobat reader will load sooo much faster too!
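The plug-not trick above can be scripted so that it is repeatable, reversible and dry-runnable. What follows is an added example, not code from the post or from Adobe: it moves the .api files the poster named (the list is taken from the post, not from Adobe documentation; EScript is the JavaScript engine, ADBC the database bridge the ODBC test case needs) into a sibling plug-not directory, can put them back, and exercises itself against a constructed throwaway install tree so it runs without a real Reader. The Windows install path in the trailing comment and the plug_ins spelling are assumptions to check against your own machine.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Plug-ins the post above moved aside, by .api file stem. Taken from the post,
# not from Adobe documentation: EScript is the JavaScript engine, ADBC the
# database (ODBC) bridge, weblink/webpdf the browser hooks.
NON_ESSENTIAL = ("Accessibility", "AcroForm", "ADBC", "EScript",
                 "Multimedia", "weblink", "webpdf")
QUARANTINE_NAME = "plug-not"  # sibling of the plug-in directory, as in the post


def quarantine_plugins(plugin_dir: Path, names=NON_ESSENTIAL,
                       dry_run: bool = False) -> List[Tuple[Path, Path]]:
    """Move each .api whose stem is in `names` (case-insensitive) from
    plugin_dir to ../plug-not. Returns the (src, dst) pairs; with dry_run the
    plan is returned and nothing is touched. Run with Reader closed."""
    plugin_dir = Path(plugin_dir)
    quarantine = plugin_dir.parent / QUARANTINE_NAME
    wanted = {n.lower() for n in names}
    moves = [(p, quarantine / p.name) for p in sorted(plugin_dir.iterdir())
             if p.suffix.lower() == ".api" and p.stem.lower() in wanted]
    if not dry_run:
        quarantine.mkdir(exist_ok=True)
        for src, dst in moves:
            shutil.move(str(src), str(dst))
    return moves


def restore_plugins(plugin_dir: Path) -> List[Tuple[Path, Path]]:
    """Undo: put everything in ../plug-not back, for the day a form really
    needs AcroForm or EScript."""
    plugin_dir = Path(plugin_dir)
    quarantine = plugin_dir.parent / QUARANTINE_NAME
    moves = []
    if quarantine.is_dir():
        for src in sorted(quarantine.iterdir()):
            dst = plugin_dir / src.name
            shutil.move(str(src), str(dst))
            moves.append((src, dst))
    return moves


def demo_tree(root: Path) -> Path:
    """Constructed stand-in for a Reader 7 install: empty .api files only.
    plug_ins is how a typical Windows install spells the directory; the post
    writes plug-ins, so check your own path."""
    plugin_dir = root / "Acrobat 7.0" / "Reader" / "plug_ins"
    plugin_dir.mkdir(parents=True)
    # The last three are placeholder names for plug-ins you want to keep.
    for stem in NON_ESSENTIAL + ("Search", "Annots", "Updater"):
        (plugin_dir / f"{stem}.api").touch()
    return plugin_dir


def run_demo() -> Dict[str, int]:
    """Quarantine, then restore, inside a throwaway tree; returns counts."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = demo_tree(Path(tmp))
        planned = quarantine_plugins(plugin_dir, dry_run=True)
        still_present = sum(1 for src, _ in planned if src.exists())
        moved = quarantine_plugins(plugin_dir)
        left = [p.name for p in plugin_dir.iterdir()]
        restored = restore_plugins(plugin_dir)
        return {"planned": len(planned), "present_after_dry_run": still_present,
                "moved": len(moved), "left_in_plugin_dir": len(left),
                "restored": len(restored),
                "after_restore": len(list(plugin_dir.iterdir()))}


if __name__ == "__main__":
    print(run_demo())
    # Against a real install (path is an assumption; adjust to yours):
    # quarantine_plugins(Path(r"C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins"))
```

Do the dry run first and compare the plan with what Reader actually loads on your version; a Reader update can reinstall the plug-ins, so keep the script handy rather than treating the move as permanent.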
In the article the second "back door demo (PDF)" link just points to the same PDF as the first link. The correct link is:
http://michaeldaw.org/projects/backdoored2.pdf
The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the target's browser is automatically launched and loads the embedded link.
Just about anything can automatically open a link. If there is something malicious on the page it is loading, that's a browser problem.
Better yet, use Ghostscript. It's also much lighter and faster than Acrobat Reader, and -- more importantly, and unlike Foxit Reader -- is Free Software.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I've tried both exploits on Linux (acroread & Gnome Document Viewer). Neither work. The first asks if I want to connect to the web site and I have to explicitly click "Allow" (in acroread). The second of course doesn't work because I don't have any ODBC junk on my Linux box. But that doesn't mean that it can't talk to other unsecured ports on my computer. That would be interesting to find out.
Stroller.
Load PDFs with Acrobat in seconds
HOT ANAL! FUCK MY BACKDOOR! Yea baby, penetrate my backdoor hard! FUCK ME IN MY PDF!!!!!
I LOVE PDFS!! YEA!!!! YES!!! OH YEA!!!!
Thankfully the Mac OS X drawing subsystem isn't built on top of ACROREAD.EXE, so no.
Though that could explain why the Intel chips are so much faster for Mac OS X...
Personally, I've hated PDF files from the day I encountered one. The format is bloated, wasteful, and for the most part, unnecessary. In my opinion, a standardized HTML archive format would be much more useful (smaller and faster, too) than a largely proprietary format. With news like this, maybe PDF will finally die and leave me alone.
GNAA have been using this for a while on the lastmeasure shock site. I won't link here.
Fear not: the title (replicated from TFA) is glaringly inaccurate in an attempt to sensationalise and induce general panic.
As even the blurb above states quite clearly, these are not vulnerabilities in PDF, a file format, they're vulnerabilities in Adobe Reader, an application (and one which most OS X users have no need for, thanks to Preview).
In fact, TFA seems to indicate moreover that the attacks are specific to Windows.
Nothing to see here .... unless you use Adobe Reader in Windows.
I am using Slashdot's Discussion2 and I accidentally modded you redundant. Just posting this reply to cancel the mod.
I find it very odd that there is no confirmation before a selected mod is applied. I think I'll submit that as a UI bug. Sorry for the inconvenience.
BTW, I meant to mod the parent as Interesting, because he raises a great question: Are these flaws of the PDF format? Or just Adobe's implementation (or extensions)?
If you have to ask whether this will compromise the security of OS X, how do you feel qualified to name it a "very securely built operating system"? Is that just what the guy in the turtleneck at the "Genius Bar" told you? I mean, it seems like if you were qualified to analyze a system's security you wouldn't need to ask that question. And if you're not qualified, well, you probably shouldn't be making that claim to begin with.
Actually I have it installed on my Mac. There are a few features Preview does not support.
MidnightBSD: The BSD for Everyone
future mother-in-law: so, what do you do?
guy: i'm a penetration tester.
....fill in rest.....
Apart from its (known) security problems, Acrobat Reader has a number of other problems, foremost that it's slow and that it fails to comply with Gnome, KDE, and Macintosh desktop UI standards.
There are more usable, faster, and safer alternatives.
Well, the first order of business would be to hunt down and kill all the "web developers" who insist on using JavaScript for essential parts of their site. If it wasn't for them, I could just use Dillo like I want to and not worry about JavaScript crap...
PDF was a great idea; a WYSIWYG document format.
But Adobe screwed it terribly by fitting features like JavaScript, turning an inert secure format into an active insecure one. What's more, they don't like you turning JavaScript off. When you run Adobe Reader 7 with JavaScript off, it keeps asking you if you'd like to turn it off.
Then we have the screwed up user interface, lacking even the simple basics like setting bookmarks, putting their help in PDF to prove a point, but coming up with an unusable help format in the process. And that preferences menu with 20 odd bizarrely named entries that make finding anything let alone changing it a pain in the ass. Adobe Reader has the worst designed user interface of any mainstream software product.
I'd love to see someone come up with something that can replace PDF once and for all. GhostScript/GhostView can do it, but their interface isn't up to much either.
For scanned documents we do have an alternative: DjVu. Supposedly it compresses better than PDF, and certainly one of the GUIs (it's open), WinDjView-0.4.2.exe, is much better than Adobe Reader. A document reader doesn't need to do much. WinDjView succeeds where Adobe fails so miserably.
So: Advice to Adobe: Fire your GUI designers/JavaScript boffins. They've screwed PDF badly. Add to that your ridiculous prosecution of that Russian who told the world how crap your security was, and you're a company on the nose. PostScript was nice, but everything after that was downhill.
Advice to GhostView: Give us a decent PDF alternative; Your GUI needs work.
WinDjView: Nice job. Can you do PDF too?
Microsoft: Surely you can annihilate Adobe? How hard could it be to make a decent reader? (Yeah, MS suck, but Adobe suck too.)
"Evince and gPDF, since these lack support for a lot of the additional features of PDF am I any safer?"
From the Fine Article:
the target's browser is automatically launched and loads the embedded link. "At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.
That looks like a lot of automagic nonsense that most free software would not do. The only thing that's obvious to me is that any malicious w32 code is going to bounce off my browser. My PDF reader, KPDF, did not take the first step of automatically launching a browser, and my browser would not take any of the dozens of brain-dead and spam-friendly automatic steps that make IE a disaster. A computer that's not internet safe but is connected to a network is always at risk.
Note that it's not a "lack of features" that makes kpdf work right. Kpdf has links that work when you press them, table of content browsing, keyword searches, text and image cut and paste, and prints flawless copy. Those are the features you want in a pdf viewer. Automatically popping up a browser is a feature you don't want.
Friends don't help friends install M$ junk.
Even for Windows. I tested the proof of concept PDFs in FoxIt PDF reader (http://foxitsoftware.com/), and none of them worked. The flaws aren't in the PDF format itself, they're in Adobe's implementation of it.
If you believe everything you read, you'd better not read. - Japanese proverb
"He claims there are least seven different ways to backdoor a PDF."
But remember there must be 50 ways to leave your lover
The nearly featureless PostScript viewer GhostView ( http://www.cs.wisc.edu/~ghost/ ) does me fine for most PDF viewing chores. If a document needs more attention than can be read on screen in a few minutes, I'm just going to send it to a printer anyway.
If it's full of "interactive content," then, well, you shouldn't have made it a PDF, since I'm pretty unlikely to jump through hoops to discover what you're trying to say. Use HTML or PowerPoint or what have you if you really need interactivity. My distrust of active content is high when it's not running in a sandbox like a well-configured browser. Simple hyperlinks are a possible exception, as long as there's no attempt to obfuscate the URI and action.
Pi Ran Out
Get your PDF version of the story here
(%i1) factor(777353);
(%o1) 777353
It's not like they shouldn't have seen this coming and I couldn't wrap my head around just what the fuck a Javascript parser was ever doing in Adobe Acrobat in the first place. I still can't: it's there to present documents as you intended them to be presented and you don't need anything dynamic coded in there to do that and code seems to necessarily defeat the point of the thing (showing documents just as you intended).
Unless there's a project manager over at Adobe with an unhealthy sense of humor who's trying to prove jwz's "applications will grow until they can read e-mail" right.
And, uh. What's with the discoverer's equivocations? Is the vulnerability really in the internets or something? Because I'm lost.
Even faster!
The first "vulnerability" is the ability to have clickable web links in a pdf. It's a standard feature of the PDF document language, and all conforming viewers should support it. I'd be surprised if evince doesn't, but most of the other free viewers are too primitive.
In my view this claim is idiotic anyway. I just found a giant security hole in HTML where if they view my page or email with a link and if they click on it, it might take them to a malicious site.
*yawn*
My mistake - that post is not correct. It appears to actually be using JavaScript as supported by Adobe Reader to automatically launch a link. Still, in my view, not a big deal (and my Adobe Reader asks for confirmation anyway) but somewhat more valid.
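The distinction the two posts above end up drawing, a plain clickable link versus an action that fires when the document is opened, can be checked mechanically rather than by opening the file in every viewer. The following is an added example, not code from the article, the researcher or any PDF project: it builds three small constructed PDFs (a catalog /OpenAction that runs a /URI action, an /OpenAction with inline JavaScript that calls app.launchURL, and an ordinary click-only hyperlink) and then scans raw PDF bytes for action dictionaries, tagging each with how it is triggered. The action names come from the PDF action tables; the example.invalid URLs and the build_pdf helper are mine.

```python
import re
from typing import Dict, List

# Action types that make a reader do more than paint the page. Names are from
# the PDF action tables; which of them a given viewer honours is the whole
# question the thread is arguing about.
ACTIVE_ACTIONS = ("URI", "JavaScript", "Launch", "GoToR", "SubmitForm", "ImportData")

_OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\b(.*?)endobj", re.DOTALL)
_ACTION_RE = re.compile(rb"/S\s*/(" + b"|".join(a.encode() for a in ACTIVE_ACTIONS) + rb")\b")
_OPEN_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+0\s+R")
_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def build_pdf(objects: List[bytes]) -> bytes:
    """Assemble a valid single-revision PDF from body objects numbered 1..n.
    Object 1 must be the catalog. Used here only to construct samples."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_at)
    return bytes(out)


def scan_pdf(data: bytes) -> List[Dict[str, object]]:
    """List every active action in an uncompressed PDF with its trigger:
    'open' (catalog /OpenAction, fires on load), 'event' (/AA hooks such as
    page-open), 'click' (a /Link annotation the user must click) or 'other'."""
    objects = {int(num): body for num, body in _OBJ_RE.findall(data)}
    opened_on_load = {int(n) for n in _OPEN_REF_RE.findall(data)}
    findings = []
    for num, body in objects.items():
        for m in _ACTION_RE.finditer(body):
            if num in opened_on_load or re.search(rb"/OpenAction\b", body):
                trigger = "open"
            elif re.search(rb"/AA\b", body):
                trigger = "event"
            elif re.search(rb"/Link\b", body):
                trigger = "click"
            else:
                trigger = "other"
            uri = _URI_RE.search(body)
            findings.append({"object": num, "action": m.group(1).decode(),
                             "trigger": trigger,
                             "target": uri.group(1).decode("latin-1") if uri else None})
    return findings


def auto_triggered(data: bytes) -> List[Dict[str, object]]:
    """Only the findings that need no user interaction: the ones to flag."""
    return [f for f in scan_pdf(data) if f["trigger"] in ("open", "event")]


# Constructed samples. example.invalid is a reserved name that never resolves.
_PAGES = b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"
_PAGE = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"


def sample_auto_open(target: bytes = b"http://example.invalid/owned.html") -> bytes:
    """Catalog /OpenAction -> /URI action: the browser-launch-on-open shape."""
    return build_pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
                      _PAGES, _PAGE + b" >>",
                      b"<< /Type /Action /S /URI /URI (" + target + b") >>"])


def sample_js_open(target: bytes = b"http://example.invalid/") -> bytes:
    """Inline /OpenAction running Acrobat JavaScript that opens a URL."""
    js = b'app.launchURL("' + target + b'", true);'
    return build_pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction "
                      b"<< /S /JavaScript /JS (" + js + b") >> >>",
                      _PAGES, _PAGE + b" >>"])


def sample_click_link(target: bytes = b"http://example.invalid/") -> bytes:
    """The same /URI action, but reachable only by clicking a /Link annotation."""
    return build_pdf([b"<< /Type /Catalog /Pages 2 0 R >>", _PAGES,
                      _PAGE + b" /Annots [4 0 R] >>",
                      b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
                      b"/A << /S /URI /URI (" + target + b") >> >>"])


if __name__ == "__main__":
    for name, pdf in (("auto-open URI", sample_auto_open()),
                      ("OpenAction JavaScript", sample_js_open()),
                      ("click-only link", sample_click_link())):
        print(f"{name}: {auto_triggered(pdf) or 'nothing fires on open'}")
```

The scanner works only on uncompressed, unencrypted files: PDF 1.5 object streams (/ObjStm) and FlateDecode'd streams hide the dictionaries from a byte-level regex, so inflate them first or use a triage tool such as Didier Stevens' pdfid.py. A click-only /Link is normal and what the PDF format was always meant to carry; what deserves a second look is anything tagged 'open' or 'event', whether or not your viewer happens to ask before following it.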
He read it in MacWorld I guess.
Most PDFs can be viewed with gsview, the old Postscript previewer. It doesn't have all that crap Adobe put in like WebBuy, but nobody uses that anyway. Gsview will display PDFs that older versions of Adobe Reader won't.
You pick the sites you trust. Everyone else can go jump.
Opening the first PDF with Preview does not cause Safari to launch, and appears to show a static Google web page. No outbound traffic was observed when opening the PDF in Preview. Opening the PDF using Acrobat 5.0, 6.0, and 7.0 appears to cause Safari to launch and open "http://www.google.com/owned.html". It looks like Preview is not vulnerable to this particular attack, while at least some Adobe Acrobat readers for OS X are vulnerable.
Why oh why was this article not available as a PDF?
GNU Ghostscript is free software... Aladdin Ghostscript, the one highlighted in bold on the page you link to and the one that they'd really like you to download, is not free software: its license (the A"F"PL) restricts commercial redistribution. Unfortunately the GNU fork is several years of development behind the non-free one.
Both test cases give me a confirmation dialog offering to add the target site to a trusted list.
Curiously, both XP and Firefox updated over the last two days.
"Will future ages believe that such stupid bigotry ever existed!" -- Ivanhoe
For performance reasons, I remove half of the plugins that come with Adobe Reader and turn off a bunch of dubious "features" whenever I install it anyway. Some of those things are pretty scary if you are paranoid about security (like embedded JavaScript, unless you think Adobe can write code better than is in web browsers), and they are largely irrelevant to the basic task of viewing a static document, which is what Adobe Reader is used for 99% of the time. It's bloatware. The alternate open source and free commercial options (e.g., FoxPDF on Windows is nice) are much more streamlined and the missing features found in the official Adobe Reader are hardly ever missed.
It would be a useful experiment to determine a secure configuration that would disable all these exploits. It would be even better, for security and performance reasons, if Adobe themselves offered a single-switch option to enable it, but I suppose then Reader wouldn't have all its kitchen-sink-style abilities. Adobe has drifted a long way from the "do one thing and do it well" approach.
The second test failed the same way too.
But in the tabs where I expected pdf docs now there is a 404 Not Found error. What does it prove?
What should I do to remove these fancy features from pdf readers?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
A -1 funny. Fucking amazing.
IIRC, at least PostScript has been demonstrated as a Turing complete language (someone wrote a printer's driver in it, as reported on Slashdot many years ago, IIRC). And, given PDF's background, why shouldn't it be that too? Please, someone with more knowledge, please enlighten me if I'm on the wrong track! And, if it is, would that matter to this context, finding (or writing) 'backdoors'?
Ah, ok. Please excuse me - you have my apologies. Having not tried this under the Adobe applications I assumed the point was to load the Google webpage, and because clicking on links within that opens Safari I assumed the page would be dynamic. I also wanted to reply to a Mac user smug about security.
...but why can't Slashdot, of all places, use "cracker"?
Advice: on VPS providers
When the user types in the search box in recent versions of Acrobat reader, while viewing a .pdf retrieved from the web, the reader performs a GET on the search keywords appended to the original location of the document (enclosed in double quotes).
So, as a website owner you get the search terms used on your documents as 404 errors in the logfile.
(I have not yet tried to answer those queries with a 200 response, who knows what happens then...)
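The leak described above is easy to confirm from the server side. The following is an added example, not from the poster: it parses a handful of constructed combined-format log lines, picks out requests whose path is a .pdf followed by a double-quoted string (assuming, from the post's description, that the quotes reach the server URL-encoded as %22; adjust the pattern if your logs show them differently), and reports which client searched which document for what. The IP addresses and documents are made up.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/nginx "combined" format up to the status and size fields; the referer
# and user-agent that follow are not needed here.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A .pdf path with a quoted string glued on: the search-term probe the post
# describes. Assumption: the quotes arrive URL-encoded as %22 or literal.
_PROBE_RE = re.compile(r'^(?P<doc>.+?\.pdf)(?:%22|")(?P<terms>.*)(?:%22|")$',
                       re.IGNORECASE)

# Constructed sample log: one normal download, two search probes from the
# reader (404, as the post reports), and two unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2006:10:12:01 +0000] "GET /docs/annual-report.pdf HTTP/1.1" 200 583214 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [18/Sep/2006:10:12:45 +0000] "GET /docs/annual-report.pdf%22salary%20cuts%22 HTTP/1.1" 404 214 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [18/Sep/2006:11:03:10 +0000] "GET /docs/annual-report.pdf%22merger%22 HTTP/1.1" 404 214 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [18/Sep/2006:11:04:00 +0000] "GET /images/logo.png HTTP/1.1" 200 1203 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [18/Sep/2006:11:05:30 +0000] "GET /nonexistent.pdf HTTP/1.1" 404 214 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
""".splitlines()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it is not one."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_search_leaks(lines: List[str]) -> List[Dict[str, object]]:
    """Return every request that looks like a reader search probe: the client,
    the document it was viewing, and the decoded search terms it sent us."""
    leaks = []
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if not rec:
            continue
        probe = _PROBE_RE.match(rec["path"])
        if not probe:
            continue
        leaks.append({"client": rec["ip"],
                      "document": unquote(probe.group("doc")),
                      "terms": unquote(probe.group("terms")),
                      "status": int(rec["status"])})
    return leaks


def terms_by_document(leaks: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group the leaked search terms under the document they were typed into."""
    grouped: Dict[str, List[str]] = {}
    for leak in leaks:
        grouped.setdefault(str(leak["document"]), []).append(str(leak["terms"]))
    return grouped


if __name__ == "__main__":
    found = extract_search_leaks(SAMPLE_LOG)
    for leak in found:
        print(f'{leak["client"]} searched {leak["document"]} for "{leak["terms"]}"')
    print(terms_by_document(found))
```

Seen from the other direction, this is a privacy problem for the reader's user rather than a hole in the server: whatever someone types into the search box of a downloaded document is handed to whoever hosts it, over plain HTTP and tagged with their address. The same probe pattern is what to look for if you want to know whether a particular reader version on your own network still does this.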
For version 0.5.1 (might be old by now) of kpdf, the thumbnails in the side pane do page numbering as you want. I'm not sure about the rotation because I have not needed to do that in years, but that would be a useful feature. It's on the wish list and you can fall back to Kghostview if you run into something that really needs rotating. It should show up under View->View Mode of Konqueror as an option when you look at pdf files.
Kpdf also has browser like navigation buttons that are very helpful in large documents. For an example of aids to navigation and not needing to rotate see the very useful Idaho National Laboratory Ge(Li) Gamma Spectrum Catalog (warning, this is an 89MB file). This document makes me think rotate has been done automatically, which would explain my never needing to do it. For an example of text searching where you thought there was not text because the file is obviously an image of an ancient, manually typed manuscript, see here. Those features, combined with Konqueror's ability to split tabs, have made it so I have not printed someone else's pdf in two years.
KDE just keep rocking.
Good job, bigot boy!
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
No, I am currently not free to become a stain on life's floor. Under the Republican plan, you are just as free to keep your Social Security as is, and I would be somewhat more free to attempt to do better for myself than with a government-run pyramid scheme.
If the PDF format is the problem then PDF will become the Portable backDoor File ... I am also surprised and waiting for a stable patch from Adobe :)