Slashdot Mirror


Hacker Finds Multiple PDF Backdoors

Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF."


  1. Non Adobe? by BiggyP · · Score: 4, Insightful

    Ok, I don't have the Adobe reader installed but rather Evince and gPDF. Since these lack support for a lot of the additional features of PDF, am I any safer?

  2. Heh by Shawn+is+an+Asshole · · Score: 4, Funny


    Huh huh, penetration.
    </beavis_and_butthead>

    Who started giving this title?

    --
    "It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
  3. It's not a vulnerability, it's an exploit... by crazyjeremy · · Score: 4, Insightful
    "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," Kierznowski said in an e-mail interview with eWEEK.
    Isn't that what a vulnerability is? Exploiting a "feature" in a way not originally intended?
    1. Re:It's not a vulnerability, it's an exploit... by JustNilt · · Score: 4, Insightful

      It seems a fine line but I think many would consider this an exploit. A vulnerability would be a non-feature that can be exploited in some manner. I could be wrong (as far as speaking for others) but this is my take on it. Again, it seems a little like semantics but it's a line that can be defined quite well.

      --
      You know the thing about UDP jokes? I don't care if you get it or not.
  4. Linux version of acroread seems fine by Noksagt · · Score: 4, Interesting

    The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.

  5. Evince, etc. by Noksagt · · Score: 4, Interesting

    I also mostly use evince. Neither test worked. They triggered this message:
    "** (evince:18185): WARNING **: Unimplemented action: POPPLER_ACTION_UNKNOWN, please post a bug report with a testcase."

    Note that a different implementation only gives you DIFFERENT bugs and holes, as anyone who has followed exploits in xpdf knows.

    1. Re:Evince, etc. by Anonymous Coward · · Score: 5, Funny

      Did you file a bug to let them know they didn't support the exploit? This is free software, they should get right on it.

  6. pr0n by User+956 · · Score: 5, Funny

    He claims there are at least seven different ways to backdoor a PDF.

    I've seen quite a bit of pr0n. There's way more than seven ways.

    --
    The theory of relativity doesn't work right in Arkansas.
  7. Sources claim... by Mikachu · · Score: 5, Funny

    Sources claim the exploits would have been found sooner if any other hackers had the patience to wait for PDFs to load.

  8. Re:Confused by MarkCollette · · Score: 4, Informative

    Basically, the PDF standard allows for a lot of ways to access data on your local machine, in databases, and through your web browser. It also has mechanisms for running JavaScript, and even executing arbitrary local programs. Some of these things require a user to click on a link in a PDF, and some require just opening the PDF or visiting a specific page in the PDF.

    Many of these features are quite helpful for corporate clients, but maybe shouldn't be allowed by default.

    In retrospect, some of the other free 3rd party PDF viewers, that don't support those fancy features, might be better for people to use:

    http://www.icesoft.com/products/icepdf.html
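
The features described in the comment above correspond to a handful of dictionary keys in the PDF format. As an added example (not part of the original thread or any poster's code), this Python triage counts those keys in a file's raw bytes, undoing `#xx` name escapes, and separates click-only links from actions wired to fire on open. It assumes the objects are not hidden inside compressed streams; `SAMPLE` and `LINK_ONLY` are constructed inputs.

```python
import re

# PDF dictionary keys tied to the behaviours the comment describes.
RISKY = {
    "OpenAction": "action runs when the document is opened",
    "AA": "additional actions, e.g. when a page is visited",
    "JavaScript": "embedded JavaScript",
    "JS": "embedded JavaScript source",
    "Launch": "starts a local program",
    "URI": "hands a URL to the browser",
}
TRIGGERS = ("OpenAction", "AA")

# A PDF name is '/' followed by non-delimiter bytes; '#xx' is a hex escape.
NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    # '/Java#53cript' and '/JavaScript' are the same name to a reader.
    return HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage(data: bytes) -> dict:
    # Byte-level scan: string contents are not parsed, so treat hits as leads.
    hits = {}
    for m in NAME.finditer(data):
        name = decode_name(m.group(1))
        if name in RISKY:
            hits[name] = hits.get(name, 0) + 1
    return hits

def fires_without_click(hits: dict) -> bool:
    # An open/page trigger plus something for it to run or load.
    trigger = any(k in hits for k in TRIGGERS)
    payload = any(k not in TRIGGERS for k in hits)
    return trigger and payload

# Constructed sample: catalog with an on-open URI action and an escaped name.
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
          b"/OpenAction << /S /URI /URI (http://example.invalid/) >> >>\nendobj\n"
          b"3 0 obj\n<< /S /Java#53cript /JS (app.alert(1)) >>\nendobj\n")
# Constructed sample: an ordinary link annotation that needs a click.
LINK_ONLY = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/) >> >>"

if __name__ == "__main__":
    for label, blob in (("SAMPLE", SAMPLE), ("LINK_ONLY", LINK_ONLY)):
        h = triage(blob)
        print(label, h, "auto-fires" if fires_without_click(h) else "click needed")
```
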

  9. Easy by OpenSourced · · Score: 4, Informative

    Use FoxitReader (http://www.foxitsoftware.com), much lighter and faster than Adobe Reader, and probably with its own set of vulnerabilities, but unlikely to be much targeted.

    --
    Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
  10. "Hacker"?! by coyote-san · · Score: 4, Interesting

    Since when is a respected security researcher a "HACKER"?!

    Seriously. I know the old definition of "hacker" and have been proud to be called one (in that sense) in the past, but the headline clearly refers to the malicious definition of hacker. This headline seems to serve no purpose other than deliberately blurring the line between legitimate researchers and the jerks who exploit weaknesses.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  11. Back Door Demo #2 - Link Wrong by md17 · · Score: 4, Informative

    In the article the second "back door demo (PDF)" link just points to the same PDF as the first link. The correct link is:
    http://michaeldaw.org/projects/backdoored2.pdf

  12. Load PDFs with Acrobat in seconds by dw604 · · Score: 5, Informative
  13. Re:Doesn't work on Linux by flyingfsck · · Score: 5, Funny

    Hmm, Linux just isn't ready for the desktop yet.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  14. Windoze and IE implicated, again. by twitter · · Score: 4, Interesting

    Evince and gPDF. Since these lack support for a lot of the additional features of PDF, am I any safer?

    From the Fine Article:

    the target's browser is automatically launched and loads the embedded link. "At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.

    That looks like a lot of auto magic nonsense that most free software would not do. The only thing that's obvious to me is that any malicious w32 code is going to bounce off my browser. My pdf reader, kpdf, did not take the first step of automatically launching a browser and my browser would not take any of the dozens of brain dead and spam friendly automatic steps that make IE a disaster. A computer that's not internet safe but is connected to a network is always at risk.

    Note that it's not a "lack of features" that makes kpdf work right. Kpdf has links that work when you press them, table of content browsing, keyword searches, text and image cut and paste, and prints flawless copy. Those are the features you want in a pdf viewer. Automatically popping up a browser is a feature you don't want.

    --

    Friends don't help friends install M$ junk.

  15. Re:Does anyone else think this is good news? by alain94040 · · Score: 4, Insightful

    Sorry, I got to disagree with this. If you are looking for print quality (as in book), PDF is way ahead of any standard HTML I have ever seen.

    Yes, AcroRead takes longer and longer to load, defeating the purpose of being this ubiquitous reader Adobe is pitching. Yes it's not open.

    But still, it's the safest way I have found so far to send someone a document so I could be sure that when they open it, it looks exactly like I intended it to look. That to me is key: I care about the looks of what I do.

    Alain.