Slashdot Mirror


Hacker Finds Multiple PDF Backdoors

Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF."

42 of 147 comments

  1. Non Adobe? by BiggyP · · Score: 4, Insightful

    Ok, i don't have the Adobe reader installed but rather Evince and gPDF, since these lack support for a lot of the additional features of PDF am i any safer?

    1. Re:Non Adobe? by dextromulous · · Score: 2, Informative

      Not necessarily.

      Some gPDF vulnerabilities.

      I didn't find any Evince vulnerabilities in my limited search, but that doesn't mean there will not be one. You will most likely remain safe from 'sploits targeted towards Adobe users by not using the Adobe PDF reader, but that should be obvious.

      --
      There are two types of people in the world: those who divide people into two types and those who don't.
  2. Heh by Shawn+is+an+Asshole · · Score: 4, Funny


    Huh huh, penetration.
    </beavis_and_butthead>

    Who started giving this title?

    --
    "It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
    1. Re:Heh by SanityInAnarchy · · Score: 3, Funny

      Speaking of buttheads, probably the same person who decided to call it a "backdoor".

      --
      Don't thank God, thank a doctor!
  3. It's not a vulnerability, it's an exploit... by crazyjeremy · · Score: 4, Insightful
    "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," Kierznowski said in an e-mail interview with eWEEK.
    Isn't that what a vulnerability is? Exploiting a "feature" in a way not originally intended?
    1. Re:It's not a vulnerability, it's an exploit... by JustNilt · · Score: 4, Insightful

      It seems a fine line but I think many would consider this an exploit. A vulnerability would be a non-feature that can be exploited in some manner. I could be wrong (as far as speaking for others) but this is my take on it. Again, it seems a little like semantics but it's a line that can be defined quite well.

      --
      You know the thing about UDP jokes? I don't care if you get it or not.
    2. Re:It's not a vulnerability, it's an exploit... by cgenman · · Score: 2, Informative

      I think he's defining a vulnerability to be a piece of poorly written code, like an input buffer that's vulnerable to an overflow. Or a URL parser that's vulnerable to a carefully formatted string. The code in that case is not behaving as intended.

      An exploit would be more along the lines of the old outlook viruses. Outlook used to allow arbitrary scripts to be run on mail loading, and messages to be sent to an entire address book. Combine these two, and you have an exploit. It's behaving completely as intended, but they never expected someone to use the features like that.

      The PDF reader is behaving as intended, though nobody expected the intended behavior to add up to that.

  4. Confused by ndansmith · · Score: 3, Insightful

    After reading the article I am not sure if this is an Adobe Reader problem or a PDF problem. Every example cites an Adobe product, but the "hacker" said, "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this." Translation?

    1. Re:Confused by MarkCollette · · Score: 4, Informative

      Basically, the PDF standard allows for a lot of ways to access data on your local machine, in databases, and through your web browser. It also has mechanisms for running JavaScript, and even executing arbitrary local programs. Some of these things require a user to click on a link in a PDF, and some require just opening the PDF or visiting a specific page in the PDF.

      Many of these features are quite helpful for corporate clients, but maybe shouldn't be allowed by default.

      In retrospect, some of the other free 3rd party PDF viewers, that don't support those fancy features, might be better for people to use:

      http://www.icesoft.com/products/icepdf.html
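
Added example (not part of the comment above or of the original thread): a triage scan for the PDF features that comment lists, separating keys that fire when a document is opened from actions that need a click. The sample bytes are constructed, `example.invalid` is a placeholder, and the function names are hypothetical.

```python
import re

# Dictionary keys that mark actions or active content in a PDF.
# /OpenAction and /AA fire without a click; the rest describe what runs.
TRIGGERS = (b"/OpenAction", b"/AA")
ACTIONS = (b"/JavaScript", b"/JS", b"/Launch", b"/URI", b"/SubmitForm", b"/GoToR")

# A PDF name: "/" followed by anything except whitespace and delimiters.
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> bytes:
    """Decode #xx escapes, so /J#61vaScript compares equal to /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Count trigger and action keys in raw PDF bytes.

    Limitation: objects inside compressed streams are not inflated here.
    """
    counts = {}
    for match in _NAME.finditer(data):
        name = normalize_name(match.group(0))
        if name in TRIGGERS or name in ACTIONS:
            key = name.decode("ascii")
            counts[key] = counts.get(key, 0) + 1
    return counts


def classify(data: bytes) -> str:
    """Coarse verdict; does not resolve which object a trigger points at."""
    hits = scan_pdf(data)
    has_trigger = any(t.decode() in hits for t in TRIGGERS)
    has_action = any(a.decode() in hits for a in ACTIONS)
    if has_trigger and has_action:
        return "auto-run"        # something happens on open or page view
    return "user-triggered" if has_action else "passive"


# Constructed sample fragments, not files from the article.
SAMPLE_AUTO = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"4 0 obj << /Subtype /Link /A << /S /URI /URI (http://example.invalid/) >> >> endobj\n"
)
SAMPLE_LINK = b"%PDF-1.4\n1 0 obj << /Subtype /Link /A << /S /URI /URI (http://example.invalid/) >> >> endobj\n"
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for label, blob in (("auto", SAMPLE_AUTO), ("link", SAMPLE_LINK), ("plain", SAMPLE_PLAIN)):
        print(label, classify(blob), scan_pdf(blob))
```

A clean result only covers uncompressed objects; a file that keeps its dictionaries in object streams needs those streams inflated before the same scan is meaningful.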

    2. Re:Confused by Kesch · · Score: 2, Informative

      Really, it's using pdf supported code to undertake malicious actions. The code may or may not work in other readers depending on whether the specific feature has been implemented, however it is at least known for sure that Adobe Reader has the advanced support in place for the exploitable features.

      --
      If this signature is witty enough, maybe somebody will like me.
  5. Linux version of acroread seems fine by Noksagt · · Score: 4, Interesting

    The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.

  6. Evince, etc. by Noksagt · · Score: 4, Interesting

    I also mostly use evince. Neither test worked. They triggered this message:
    "** (evince:18185): WARNING **: Unimplemented action: POPPLER_ACTION_UNKNOWN, please post a bug report with a testcase."

    Note that a different implementation only gives you DIFFERENT bugs and holes, as anyone who has followed exploits in xpdf knows.

    1. Re:Evince, etc. by Anonymous Coward · · Score: 5, Funny

      Did you file a bug to let them know they didn't support the exploit? This is free software, they should get right on it.

  7. pr0n by User+956 · · Score: 5, Funny

    He claims there are at least seven different ways to backdoor a PDF.

    I've seen quite a bit of pr0n. There's way more than seven ways.

    --
    The theory of relativity doesn't work right in Arkansas.
  8. Sources claim... by Mikachu · · Score: 5, Funny

    Sources claim the exploits would have been found sooner if any other hackers had the patience to wait for PDFs to load.

  9. Yippee Skippee by Mozleron · · Score: 3, Interesting

    Just when i thought i didn't like PDFs, up comes this neat little "Feature" to try and make me like them all the more...

    Wait, this isn't a good thing, is it... And i'm willing to bet Adobe is not really all that happy about it either...

    Maybe this will prod them into getting back to their roots of a simpler system that did not take 30+ seconds to start up and did not bring a browser to its knees when it decided to act up... Or maybe i could just be dreaming.

    --
    ~Mozleron
    Never underestimate the power of stupid people in large groups
  10. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  11. clarification by User+956 · · Score: 2, Funny

    that's assuming that by "PDF", he means "Pretty Drunk Female"....

    --
    The theory of relativity doesn't work right in Arkansas.
  12. Penetration by SauroNlord · · Score: 2, Funny

    David Kierznowski, a penetration testing expert

    I wish I was a penetration test expert!

  13. Of course by Anonymous Coward · · Score: 2, Insightful
    As if postscript is not dangerous enough, Adobe's PDF attack vector executes javascript. When you're done disabling javascript in the Adobe PDF reader, you should disable it in your browser.

    Has everyone downloaded the new version of firefox because 5 out of 7 of the vulns it fixes are javascript related. Why do we have to keep going through this, are people in denial or something? We all know what the problem is. There's only one security advisory I'd like to see for javascript problems, the mother of all advisories:

    MSFA 20XX-00 Enabling javascript allows remote code execution

    Solution: Disable javascript, on a permanent basis.

  14. Easy by OpenSourced · · Score: 4, Informative

    Use FoxitReader (http://www.foxitsoftware.com), much lighter and faster than Adobe Reader, and probably with its own set of vulnerabilities, but unlikely to be much targeted.

    --
    Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
  15. "Hacker"?! by coyote-san · · Score: 4, Interesting

    Since when is a respected security researcher a "HACKER"?!

    Seriously. I know the old definition of "hacker" and have been proud to be called one (in that sense) in the past, but the headline clearly refers to the malicious definition of hacker. This headline seems to serve no purpose other than deliberately blurring the line between legitimate researchers and the jerks who exploit weaknesses.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:"Hacker"?! by Ilgaz · · Score: 2, Interesting

      Normally I would say "Oh another hacker, not hacker fight" but your post makes perfect sense since just 2 stories below, posted by Zonk again, says:

      "IT: How Hackers Identify Their Targets
      Posted by Zonk on 0:07 16th September, 2006
      from the drawing-a-bead dept.

      narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. "

      The "hacker" term used there is in spammer/zombie master/phisher context. Just 1 story below!

  16. Re:Mac OS X Drawing Subsystem? by agent+dero · · Score: 2, Informative

    The vulnerabilities aren't in the format per se, but more in Adobe's implementation of their Acrobat products.

    Apple, along with Preview, has its own implementation of rendering and viewing PDFs

    --
    Error 407 - No creative sig found
  17. Easy Fix: Disable those plugins! by imaginaryelf · · Score: 2, Informative

    Create a parallel directory to installdir/adobe/acrobat 7.0/acrobat/plug-ins/ directory, call it plug-not, and move all non essential plug-ins into that directory.

    I just want a reader, not a full fledged pseudo-browser app with tons of security exploits - there's already one called Internet Explorer on my PC!

    So I've moved away: Accessibility, Acroform, ADBC, EScript, Multimedia, weblink, webpdf, etc.

    Now when you open those "exploit" links, you get a pop-up saying, "The plug-in required by this 'URI' action is not available."

    You get another benefit from this. Your acrobat reader will load sooo much faster too!

  18. Back Door Demo #2 - Link Wrong by md17 · · Score: 4, Informative

    In the article the second "back door demo (PDF)" link just points to the same PDF as the first link. The correct link is:
    http://michaeldaw.org/projects/backdoored2.pdf

  19. Free by mrchaotica · · Score: 2, Informative

    Better yet, use Ghostscript. It's also much lighter and faster than Acrobat Reader, and -- more importantly, and unlike Foxit Reader -- is Free Software.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  20. Doesn't work on Linux by md17 · · Score: 3, Informative

    I've tried both exploits on Linux (acroread & Gnome Document Viewer). Neither work. The first asks if I want to connect to the web site and I have to explicitly click "Allow" (in acroread). The second of course doesn't work because I don't have any ODBC junk on my Linux box. But that doesn't mean that it can't talk to other unsecured ports on my computer. That would be interesting to find out.

    1. Re:Doesn't work on Linux by flyingfsck · · Score: 5, Funny

      Hmm, Linux just isn't ready for the desktop yet.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  21. Load PDFs with Acrobat in seconds by dw604 · · Score: 5, Informative
  22. Re:Non Adobe? (Off-topic) by itsari · · Score: 2

    I am using Slashdot's Discussion2 and I accidentally modded you redundant. Just posting this reply to cancel the mod.

    I find it very odd that there is no confirmation before a selected mod is applied. I think I'll submit that as a UI bug. Sorry for the inconvenience.

    BTW, I meant to mod the parent as Interesting, because he raises a great question: Are these flaws of the PDF format? Or just Adobe's implementation (or extensions)?

  23. Re:Does anyone else think this is good news? by Anonymous Coward · · Score: 2, Insightful

    Respectfully disagree.

    PDF is incredibly useful...to people other than yourself. The bloat that annoys you so much guarantees layout and color fidelity to people who care about those things. Do you find PostScript printers bloated and wasteful?

  24. Re:Does anyone else think this is good news? by Anonymous Coward · · Score: 2, Insightful

    HTML and similar document formats do not retain character sets, pagination, and other presentation-related pieces of data. Create a webpage, and view it in different browsers on different OSes with different font sets. The page is not guaranteed to look the same, and most likely will render different on each different browser. PDF, on the other hand, will render the same with every PDF reader.

    PDF is designed to be a read-only document presentation format. Sort of a globally understood "print to file" format with some added features. It does this very, very well. It is often abused, however, by people who don't understand the purpose behind the PDF format.

    Don't confuse Adobe's somewhat bloated PDF reader's sluggish speed with the format being "slow." Try any of the third-party document readers (xpdf, etc). They are blazingly fast.

  25. da ladies... by ScottyMcScott · · Score: 2, Funny

    future mother-in-law: so, what do you do?
    guy: i'm a penetration tester.
    ....fill in rest.....

  26. Windoze and IE implicated, again. by twitter · · Score: 4, Interesting

    Evince and gPDF, since these lack support for a lot of the additional features of PDF am i any safer?

    From the Fine Article:

    the target's browser is automatically launched and loads the embedded link. "At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.

    That looks like a lot of auto magic nonsense that most free software would not do. The only thing that's obvious to me is that any malicious w32 code is going to bounce off my browser. My pdf reader, kpdf, did not take the first step of automatically launching a browser and my browser would not take any of the dozens of brain dead and spam friendly automatic steps that makes IE a disaster. A computer that's not internet safe but is connected to a network is always at risk.

    Note that it's not a "lack of features" that makes kpdf work right. Kpdf has links that work when you press them, table of content browsing, keyword searches, text and image cut and paste, and prints flawless copy. Those are the features you want in a pdf viewer. Automatically popping up a browser is a feature you don't want.

    --

    Friends don't help friends install M$ junk.

  27. Re:Does anyone else think this is good news? by alain94040 · · Score: 4, Insightful

    Sorry, I got to disagree with this. If you are looking for print quality (as in book), PDF is way ahead of any standard HTML I have ever seen.

    Yes, AcroRead takes longer and longer to load, defeating the purpose of being this ubiquitous reader Adobe is pitching. Yes it's not open.

    But still, it's the safest way I have found so far to send someone a document so I could be sure that when they open it, it looks exactly like I intended it to look. That to me is key: I care about the looks of what I do.

    Alain.

  28. Re:Dear God. by samurphy21 · · Score: 2, Insightful

    You mean like email, word documents and such? God.. who knows?

  29. Load PDFs in milliseconds by this+great+guy · · Score: 2, Funny
  30. Core PDF feature and not a bug anyway by Craig+Ringer · · Score: 2, Informative

    The first "vulnerability" is the ability to have clickable web links in a pdf. It's a standard feature of the PDF document language, and all conforming viewers should support it. I'd be surprised if evince doesn't, but most of the other free viewers are too primitive.

    In my view this claim is idiotic anyway. I just found a giant security hole in HTML where if they view my page or email with a link and if they click on it, it might take them to a malicious site.

    *yawn*

  31. Re:Core PDF feature by Craig+Ringer · · Score: 2, Insightful

    My mistake - that post is not correct. It appears to actually be using JavaScript as supported by Adobe reader to automatically launch a link. Still, in my view, not a big deal (and my Adobe Reader asks for confirmation anyway) but somewhat more valid.

  32. Re:Mac OS X Drawing Subsystem? by Rivendell · · Score: 2, Informative

    Opening the first PDF with Preview does not cause Safari to launch, and appears to show a static Google web page. No outbound traffic was observed when opening the PDF in Preview. Opening the PDF using Acrobat 5.0, 6.0 , and 7.0 appears to cause Safari to launch and open "http://www.google.com/owned.html". It looks like Preview is not vulnerable to this particular attack, while at least some Adobe Acrobat readers for OSX are vulnerable.

  33. Re:Acrobat Reader is awful by vtcodger · · Score: 2, Interesting
    ***Acrobat Reader has a number of other problems, foremost that it's slow and that it fails to comply with Gnome, KDE, and Macintosh desktop UI standards.***

    There are Gnome and KDE UI standards? Who knew?

    OK, OK, that's snarky. But when you port a program from one OS to another -- Windows to Linux in this case -- there are going to be UI problems. Most Mac programs are human factors disasters when ported to Windows. And heck yes, that includes Excel. Personally, I've always found Excel to be major aggravation because of its non-Windows (and IMHO pointlessly obtuse) clipboard handling.

    Note that Firefox (for example) integration with KDE is less than perfect. The clipboard only works with text, not images. And the cursor control is less than exemplary. Why would Acrobat be any better?

    Acrobat doesn't run well in Linux? No surprise. It's ponderous and doesn't run all that well in Windows. Personally, I switched to FOXIT on Windows a couple of years ago and use xpdf on Linux. But I'm retired and don't need to read PDFs to do my job. So I don't mind all that much that images are sometimes missing, and other aggravations that might not occur with Acrobat.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey