Hacker Finds Multiple PDF Backdoors
Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF."
OK, I don't have the Adobe reader installed but rather Evince and gPDF; since these lack support for a lot of the additional features of PDF, am I any safer?
Software Freedom Day!
Huh huh, penetration.
</beavis_and_butthead>
Who started giving this title?
"It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
Funnypics
After reading the article I am not sure if this is an Adobe Reader problem or a PDF problem. Every example cites an Adobe product, but the "hacker" said, "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this." Translation?
How badly do you have to screw up to make it possible to hack through a virtual document?
The article has two test cases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.
I also mostly use evince. Neither test worked. They triggered this message:
"** (evince:18185): WARNING **: Unimplemented action: POPPLER_ACTION_UNKNOWN, please post a bug report with a testcase."
Note that a different implementation only gives you DIFFERENT bugs and holes, as anyone who has followed exploits in xpdf knows.
He claims there are at least seven different ways to backdoor a PDF.
I've seen quite a bit of pr0n. There's way more than seven ways.
The theory of relativity doesn't work right in Arkansas.
Sources claim the exploits would have been found sooner if any other hackers had the patience to wait for PDFs to load.
Just when I thought I didn't like PDFs, up comes this neat little "Feature" to try and make me like them all the more...
Wait, this isn't a good thing, is it... And I'm willing to bet Adobe is not really all that happy about it either...
Maybe this will prod them into getting back to their roots of a simpler system that did not take 30+ seconds to start up and did not bring a browser to its knees when it decided to act up... Or maybe I could just be dreaming.
~Mozleron
Never underestimate the power of stupid people in large groups
that's assuming that by "PDF", he means "Pretty Drunk Female"....
The theory of relativity doesn't work right in Arkansas.
"David Kierznowski, a penetration testing expert" I wish I was a penetration test expert!
(My apologies for the above formatting, I was editing and the cat walked on the laptop, which normally doesn't result in a permanent mistake!)
Has everyone downloaded the new version of Firefox? 5 out of 7 of the vulns it fixes are JavaScript related. Why do we have to keep going through this? Are people in denial or something? We all know what the problem is. There's only one security advisory I'd like to see for JavaScript problems, the mother of all advisories:
Use FoxitReader (http://www.foxitsoftware.com), much lighter and faster than Adobe Reader, and probably with its own set of vulnerabilities, but unlikely to be much targeted.
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
Since when is a respected security researcher a "HACKER"?!
Seriously. I know the old definition of "hacker" and have been proud to be called one (in that sense) in the past, but the headline clearly refers to the malicious definition of hacker. This headline seems to serve no purpose other than deliberately blurring the line between legitimate researchers and the jerks who exploit weaknesses.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Oh lord, we're doomed!
http://en.wikipedia.org/wiki/Omicron_Persei_VIII
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
Malvin: I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?
Jim Sting: [yelling] Mister Potato Head! Mister Potato Head! Back doors are not secrets!
Malvin: Yeah, but Jim, you're giving away all our best tricks!
Jim Sting: They're not tricks.
The vulnerabilities aren't in the format per se, but more in Adobe's implementation of their Acrobat products.
Apple, along with Preview, has its own implementation of rendering and viewing PDFs
Error 407 - No creative sig found
The Mac version of Acrobat reader is actually not affected by these vulnerabilities; they only occur on the Windows platform.
Create a parallel directory to the installdir/adobe/acrobat 7.0/acrobat/plug-ins/ directory, call it plug-not, and move all non-essential plug-ins into that directory.
I just want a reader, not a full fledged pseudo-browser app with tons of security exploits - there's already one called Internet Explorer on my PC!
So I've moved away: Accessibility, Acroform, ADBC, EScript, Multimedia, weblink, webpdf, etc.
Now when you open those "exploit" links, you get a pop-up saying, "The plug-in required by this 'URI' action is not available."
You get another benefit from this. Your acrobat reader will load sooo much faster too!
In the article the second "back door demo (PDF)" link just points to the same PDF as the first link. The correct link is:
http://michaeldaw.org/projects/backdoored2.pdf
The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the target's browser is automatically launched and loads the embedded link.
Just about anything can automatically open a link. If there is something malicious on the page it is loading, that's a browser problem.
Better yet, use Ghostscript. It's also much lighter and faster than Acrobat Reader, and -- more importantly, and unlike Foxit Reader -- is Free Software.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I've tried both exploits on Linux (acroread & Gnome Document Viewer). Neither works. The first asks if I want to connect to the web site and I have to explicitly click "Allow" (in acroread). The second of course doesn't work because I don't have any ODBC junk on my Linux box. But that doesn't mean that it can't talk to other unsecured ports on my computer. That would be interesting to find out.
Stroller.
Load PDFs with Acrobat in seconds
Fear not: the title (replicated from TFA) is glaringly inaccurate in an attempt to sensationalise and induce general panic.
As even the blurb above states quite clearly, these are not vulnerabilities in PDF, a file format, they're vulnerabilities in Adobe Reader, an application (and one which most OS X users have no need for, thanks to Preview).
In fact, TFA seems to indicate moreover that the attacks are specific to Windows.
Nothing to see here .... unless you use Adobe Reader in Windows.
I am using Slashdot's Discussion2 and I accidentally modded you redundant. Just posting this reply to cancel the mod.
I find it very odd that there is no confirmation before a selected mod is applied. I think I'll submit that as a UI bug. Sorry for the inconvenience.
BTW, I meant to mod the parent as Interesting, because he raises a great question: Are these flaws of the PDF format? Or just Adobe's implementation (or extensions)?
Respectfully disagree.
PDF is incredibly useful...to people other than yourself. The bloat that annoys you so much guarantees layout and color fidelity to people who care about those things. Do you find PostScript printers bloated and wasteful?
Actually I have it installed on my Mac. There are a few features Preview does not support.
MidnightBSD: The BSD for Everyone
HTML and similar document formats do not retain character sets, pagination, and other presentation-related pieces of data. Create a webpage, and view it in different browsers on different OSes with different font sets. The page is not guaranteed to look the same, and most likely will render differently in each browser. PDF, on the other hand, will render the same with every PDF reader.
PDF is designed to be a read-only document presentation format. Sort of a globally understood "print to file" format with some added features. It does this very, very well. It is often abused, however, by people who don't understand the purpose behind the PDF format.
Don't confuse Adobe's somewhat bloated PDF reader's sluggish speed with the format being "slow." Try any of the third-party document readers (xpdf, etc). They are blazingly fast.
future mother-in-law: so, what do you do?
guy: i'm a penetration tester.
....fill in rest.....
Apart from its (known) security problems, Acrobat Reader has a number of other problems, foremost that it's slow and that it fails to comply with Gnome, KDE, and Macintosh desktop UI standards.
There are more usable, faster, and safer alternatives.
Well, the first order of business would be to hunt down and kill all the "web developers" who insist on using JavaScript for essential parts of their site. If it wasn't for them, I could just use dillo like I want to and not worry about JavaScript crap...
"Evince and gPDF, since these lack support for a lot of the additional features of PDF am I any safer?"
From the Fine Article:
the target's browser is automatically launched and loads the embedded link. "At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.
That looks like a lot of auto-magic nonsense that most free software would not do. The only thing that's obvious to me is that any malicious w32 code is going to bounce off my browser. My pdf reader, kpdf, did not take the first step of automatically launching a browser, and my browser would not take any of the dozens of brain-dead and spam-friendly automatic steps that make IE a disaster. A computer that's not internet safe but is connected to a network is always at risk.
Note that it's not a "lack of features" that makes kpdf work right. Kpdf has links that work when you press them, table of content browsing, keyword searches, text and image cut and paste, and prints flawless copy. Those are the features you want in a pdf viewer. Automatically popping up a browser is a feature you don't want.
Friends don't help friends install M$ junk.
Sorry, I've got to disagree with this. If you are looking for print quality (as in book), PDF is way ahead of any standard HTML I have ever seen.
Yes, AcroRead takes longer and longer to load, defeating the purpose of being this ubiquitous reader Adobe is pitching. Yes, it's not open.
But still, it's the safest way I have found so far to send someone a document so I could be sure that when they open it, it looks exactly like I intended it to look. That to me is key: I care about the looks of what I do.
Alain.
Even for Windows. I tested the proof of concept PDFs in FoxIt PDF reader (http://foxitsoftware.com/), and none of them worked. The flaws aren't in the PDF format itself, they're in Adobe's implementation of it.
If you believe everything you read, you'd better not read. - Japanese proverb
"He claims there are at least seven different ways to backdoor a PDF."
But remember there must be 50 ways to leave your lover
The nearly featureless PostScript viewer GhostView ( http://www.cs.wisc.edu/~ghost/ ) does me fine for most PDF viewing chores. If a document needs more attention than can be read on screen in a few minutes, I'm just going to send it to a printer anyway.
If it's full of "interactive content," then, well, you shouldn't have made it a PDF, since I'm pretty unlikely to jump through hoops to discover what you're trying to say. Use HTML or PowerPoint or what have you if you really need interactivity. My distrust of active content is high when it's not running in a sandbox like a well-configured browser. Simple hyperlinks are a possible exception, as long as there's no attempt to obfuscate the URI and action.
Pi Ran Out
Get your PDF version of the story here
(%i1) factor(777353);
(%o1) 777353
Even faster !
The first "vulnerability" is the ability to have clickable web links in a pdf. It's a standard feature of the PDF document language, and all conforming viewers should support it. I'd be surprised if evince doesn't, but most of the other free viewers are too primitive.
In my view this claim is idiotic anyway. I just found a giant security hole in HTML where if they view my page or email with a link and if they click on it, it might take them to a malicious site.
*yawn*
My mistake - that post is not correct. It appears to actually be using JavaScript as supported by Adobe Reader to automatically launch a link. Still, in my view, not a big deal (and my Adobe Reader asks for confirmation anyway) but somewhat more valid.
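An added triage check for the kind of file discussed in this thread (not code from the article or from any commenter): a byte-level scan for the PDF name objects that can trigger an action or script when a document is opened (/OpenAction, /AA, /JavaScript, /JS, /URI, /Launch), in the spirit of tools like pdfid. The two sample PDFs embedded below are constructed for the example; the URL in them is a placeholder.

```python
"""Scan a PDF for auto-run triggers (added example, constructed samples).
Byte-level only: actions hidden inside compressed object streams are not
seen, so treat a clean result as 'nothing obvious', not as 'safe'."""
import re

# Name objects that can run something without a user click.
TRIGGER_KEYS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                b"/Launch", b"/URI", b"/SubmitForm", b"/GoToR"]

# Constructed sample: catalog /OpenAction pointing at a /URI action.
SAMPLE_AUTOLINK = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /URI /URI (https://example.com/) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed sample: same skeleton with no actions at all.
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF"""


def scan_pdf_bytes(data: bytes) -> dict:
    """Count each trigger keyword and return a small risk summary."""
    counts = {}
    for key in TRIGGER_KEYS:
        # Require a delimiter after the name so /JS does not match /JSx.
        pattern = re.escape(key) + rb"(?=[\s/\[<(>\]])"
        counts[key.decode()] = len(re.findall(pattern, data))
    # Literal-string URIs, e.g. /URI (https://...); hex strings are not parsed.
    uris = re.findall(rb"/URI\s*\(([^)]*)\)", data)
    auto = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    scripted = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    return {
        "counts": counts,
        "uris": [u.decode("latin-1") for u in uris],
        "auto_action": auto,
        "has_javascript": scripted,
        # An open-time trigger combined with a script or an outbound
        # link is what the proof-of-concept files rely on.
        "verdict": "review" if auto and (scripted or uris) else "ok",
    }


def scan_pdf_file(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


if __name__ == "__main__":
    for name, blob in (("autolink", SAMPLE_AUTOLINK), ("plain", SAMPLE_PLAIN)):
        print(name, scan_pdf_bytes(blob)["verdict"])
```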
He read it in MacWorld I guess.
Most PDFs can be viewed with gsview, the old Postscript previewer. It doesn't have all that crap Adobe put in like WebBuy, but nobody uses that anyway. Gsview will display PDFs that older versions of Adobe Reader won't.
Opening the first PDF with Preview does not cause Safari to launch, and appears to show a static Google web page. No outbound traffic was observed when opening the PDF in Preview. Opening the PDF using Acrobat 5.0, 6.0 , and 7.0 appears to cause Safari to launch and open "http://www.google.com/owned.html". It looks like Preview is not vulnerable to this particular attack, while at least some Adobe Acrobat readers for OSX are vulnerable.
GNU Ghostscript is free software... Aladdin Ghostscript, the one highlighted in bold on the page you link to and the one that they'd really like you to download, is not free software - its license (the A"F"PL) restricts commercial redistribution. Unfortunately the GNU fork is several years of development behind the non-free one.
I work in a fairly standard office. Even though we have nice displays (a lot of desktops even have two screens) documents are quite often printed. Paper is just too convenient. You can carry it everywhere, pass it around, make notes on it, read it while sitting in a comfortable chair, pin it to a wall. And you don't even need a nearby computer to do all of that.
If I email someone (manager, coworker) a document I want it to be displayed and printed properly. For this purpose PDF is great. If it's just going to be glanced at or archived directly, it doesn't matter that much, but if the document is actually going to be used and decisions will be based on it then I want it to look correct and professional.
Good HTML might be easy to navigate (to computer illiterates (read: managers) it really is not) but it absolutely doesn't translate to paper. Looking at my surroundings PDF isn't going away anytime soon. Maybe in twenty years, when we have perfect digital paper everywhere.
Both test cases give me a confirmation dialog offering to add the target site to a trusted list.
Curiously, both XP and Firefox updated over the last two days.
"Will future ages believe that such stupid bigotry ever existed!" -- Ivanhoe
The second test too failed the same way.
But in the tabs where I expected pdf docs now there is a 404 Not Found error. What does it prove?
What should I do to remove these fancy features from pdf readers?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
A -1 funny. Fucking amazing.
IIRC, at least PostScript has been demonstrated as a Turing complete language (someone wrote a printer's driver in it, as reported on Slashdot many years ago, IIRC). And, given PDF's background, why shouldn't it be that too? Please, someone with more knowledge, please enlighten me if I'm on the wrong track! And, if it is, would that matter to this context, finding (or writing) 'backdoors'?
Ah, OK. Please excuse me - you have my apologies. Having not tried this under the Adobe applications I assumed the point was to load the Google webpage, and because clicking on links within that opens Safari I assumed the page would be dynamic. I also wanted to reply to a Mac user smug about security.
...but why can't Slashdot, of all places, use "cracker"?
Advice: on VPS providers
When the user types in the search box in recent versions of Acrobat reader, while viewing a .pdf retrieved from the web, the reader performs a GET on the search keywords appended to the original location of the document (enclosed in double quotes).
So, as a website owner you get the search terms used on your documents as 404 errors in the logfile.
(I have not yet tried to answer those queries with a 200 response, who knows what happens then...)
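An added log check for the behaviour described in the post above (not the commenter's code): it pulls the search terms that the reader appends, in double quotes, to the document's URL out of the resulting 404 entries. It assumes Apache combined log format and that the reader URL-encodes the quotes (%22); a literal, backslash-escaped quote is handled as well. The log lines are constructed.

```python
"""Find search terms leaked by Acrobat's in-document search in a web log.
Added example with constructed log lines; the exact request encoding
the reader uses is an assumption (URL-encoded or escaped quotes)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache combined-log lines. The two 404s for .pdf paths
# carry a quoted search string appended to the document URL.
LOG_LINES = [
    '10.0.0.5 - - [12/Sep/2006:10:01:22 +0000] "GET /docs/report.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Sep/2006:10:02:07 +0000] "GET /docs/report.pdf%22merger%20timeline%22 HTTP/1.1" 404 294 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Sep/2006:10:03:41 +0000] "GET /docs/other.pdf\\"salary\\" HTTP/1.1" 404 294 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Sep/2006:10:04:00 +0000] "GET /missing.html HTTP/1.1" 404 294 "-" "Mozilla/5.0"',
]

# Request line fields we need: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# '<document>.pdf' immediately followed by a double-quoted search string.
LEAK_RE = re.compile(r'^(?P<doc>.+?\.pdf)"(?P<terms>[^"]*)"$', re.IGNORECASE)


def find_search_leaks(lines):
    """Return one record per 404 whose path is a PDF URL plus quoted terms."""
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        # Undo URL-encoding, then the backslash escaping Apache applies
        # to a raw double quote in the request line.
        path = unquote(m.group("path")).replace('\\"', '"')
        leak = LEAK_RE.match(path)
        if leak:
            leaks.append({"ip": m.group("ip"), "ts": m.group("ts"),
                          "doc": leak.group("doc"),
                          "terms": leak.group("terms")})
    return leaks


def terms_by_document(leaks):
    """Group leaked search terms per document, in log order."""
    grouped = defaultdict(list)
    for rec in leaks:
        grouped[rec["doc"]].append(rec["terms"])
    return dict(grouped)


if __name__ == "__main__":
    for doc, terms in terms_by_document(find_search_leaks(LOG_LINES)).items():
        print(doc, "->", terms)
```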
For version 0.5.1 (might be old by now) of kpdf, the thumbnails in the side pane do page numbering as you want. I'm not sure about the rotation because I have not needed to do that in years, but that would be a useful feature. It's on the wish list and you can fall back to Kghostview if you run into something that really needs rotating. It should show up under View->View Mode of Konqueror as an option when you look at pdf files.
Kpdf also has browser-like navigation buttons that are very helpful in large documents. For an example of aids to navigation and not needing to rotate see the very useful Idaho National Laboratory Ge(Li) Gamma Spectrum Catalog (warning, this is an 89MB file). This document makes me think rotate has been done automatically, which would explain my never needing to do it. For an example of text searching where you thought there was no text because the file is obviously an image of an ancient, manually typed manuscript, see here. Those features, combined with Konqueror's ability to split tabs, have made it so I have not printed someone else's pdf in two years.
KDE just keeps rocking.
Friends don't help friends install M$ junk.
30 seconds to show the next page in a 1GHz machine with xpdf.
PDF does something to bitmap images that makes large ones unbelievably slow to display. I don't know what, but it's definitely a very slow format in that respect.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Good job, bigot boy!
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
No, I am currently not free to become a stain on life's floor. Under the Republican plan, you are just as free to keep your Social Security as is, and I would be somewhat more free to attempt to do better for myself than with a government-run pyramid scheme.
Adobe ruined the benefits of the somewhat :P cumbersome pdf format the moment they added scripting support in about version 6.
Pdf files were popular because they acted like paper. The pages did not try to change or send you pop-up windows while you were viewing the document.
Full disclosure: I still use lynx (http://lynx.isc.org) because I am still bitter over the transition to DHTML.
PS: sorry for the late reply; the server decided I wasn't human because I couldn't see the challenge image
If the PDF format is the problem then the PDF will become a Portable backDoor File ... I am also surprised and waiting for a stable patch from Adobe :)