New Method Could Hide Malware In PDFs, No Further Exploits Needed

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

Sad

[2.7182]

If only some great pdf/security teacher would take these poor code monkeys who have no future and teach them how to fix this.

Re:Sad

[sopssa]

But for once Adobe is actually more secure than the better alternative Foxit. Adobe PDF Reader at least warns and asks your permission to run the file, but Fox It does neither one but just happily runs it. That fact made me uninstall Foxit for now at least.

Re:Sad

[amicusNYCL]

That fact made me uninstall Foxit for now at least.

You shouldn't have to wait long.

http://forums.foxitsoftware.com/showthread.php?t=18029

this issue has been confirmed, and a maintenance version will be released within this week.

Re:Sad

[c-reus]

Of course, the average user is known to thoroughly read the warnings and definitely will not click "OK, just get this thing out of my face" within half a second after the dialog box has finished rendering.

Re:Sad

[Romancer]

From the author:

" My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn't run. But that's probably due to some variation in the PDF language supported by Foxit Reader."

Not really a proof of concept since the proof doesn't actually run the code currently. Not that it couldn't but there's no proof that Foxit is less secure since it doesn't actually run the code.

Re:Sad

dunno how it holds up as far as security but for basic pdf needs sumatra > foxit imo.. http://blog.kowalczyk.info/software/sumatrapdf/index.html

Re:Sad

[Spad]

http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/

He got it working in Foxit pretty quickly after the first post about the PoC.

Re:Sad

[Roberticus]

I think I saw a movie about that. What was it, "Bloat and Re-Render"?

Re:Sad

[bynary]

...I was thinking PoC meant Piece of Crap which I thought was redundant when referring to a PDF.

Re:Sad

[Pentium100]

Also the first comment there says how you can hex edit the .exe to disable this "feature".

If you can live without the /Launch functionality (I can!), edit the executable:

- search for “^@Launch^@” (^@ == null byte, file offset 7040965 in 3.13.1030) in Foxit Reader.exe,

- change it to e.g. “L!unch” (no quotes),

- save AS BINARY,

done.

Comment by Thomas — Wednesday 31 March 2010 @ 12:20

Re:Sad

Fuck, those guys are awesome. Let's start the timer for how long it takes Adobe to do the same.

Re:Sad

[aardwolf64]

Ummm... Adobe already warns you about it. So less than zero days.

Re:Sad

Did anyone try this against the new Nuance PDF reader? Shoot - after reading the article, I guess not as the guy didn't release the test file and didn't note testing against anything but Foxit and Adobe. I'd be interested to see how the others stack up.

Re:Sad

[the_humeister]

Huh, where I work, it stands for "products of conception". I was a little confused when reading the article.

Re:Sad

[Darinbob]

I'm behind the times. Isn't the PDF format a document format, that contains only document markup and layout info? When did it start being able to have embedded code? I know it's massively changed since I last looked at internal, with things like permissions and editing added, but executables or scripting seems a bit far fetched. Maybe we need a document format that involves nothing at all except documents...

Re:Sad

[causality]

I'm behind the times. Isn't the PDF format a document format, that contains only document markup and layout info? When did it start being able to have embedded code?

Ever since Adobe perfected the basic PDF functionality and needed to keep adding features. Whether they are frills or not, whether they depart from the purpose of PDF or not, Adobe has to do this to justify its marketing. They want their customers to have reasons to keep wanting the latest version. Feature creep, in other words.

Re:Sad

Come on, there's got to be a catch somewhere! After all, there's no such thing as a free “L!unch”!

Re:Sad

[QRDeNameland]

...I was thinking PoC meant Piece of Crap which I thought was redundant when referring to a PDF.

In my experience, the proper industry acronym is BFPoC, for Big Fat Piece of Crap, a term allegedly coined by one Artemus Clyde Frog.

Re:Sad

[halcyon1234]

Works on version 2.2. Thanks.

Re:Sad

[Chyeld]

A portion of the PDF spec is based on a subset of the PostScript language, which is a Turing Complete programing language. It's never been 'just a document markup and layout' format. It's just that few people have considered it worth the bother to attack it till recently.

Re:Sad

[shentino]

What's worse is that malware is even possible in what is supposed to be a document format.

Unless macros and the like are features of a PDF, anything other than text and pictures should be dumb data sandboxed and jailed in the file. Anything getting out is by definition an exploit.

Re:Sad

[Grishnakh]

PDF is (or was) a good format and standard; it lets you define documents so that they look the same on any platform, and can be printed on any printer and look identical.

The only problem with it is that it was perfected for this purpose long ago, so Adobe kept adding more and more crap to it.

This is one reason open-source is generally better: when an open-source project is done, the developers leave it that way (unless any bugs are found), and go find something else productive to work on. They don't try to keep justifying their existence by adding more and more bloat to something, to try to make it useful for tasks that other tools are better for. TeX is a good example of this.

Re:Sad

It is fun because the main feature of PDF was that it wasn't PS which is damn Turing complete.
Then Adobe realized that you cannot sell an editor for a simple and beautiful document format and started adding crap.
PDF is still great, but people should learn that there are standardized subsets with all the benefits and none of the crap.

Re:Sad

[FlyingBishop]

Foxit is just as bloated as Adobe. Use Sumatra.

Re:Sad

[FlyingBishop]

What you're leaving out however was that the whole intent of pdf was to provide a more stable version of ps, one that was not Turing complete and therefore not as vulnerable to this sort of attack.

And if you use Sumatra, for example, it is.

Re:Sad

[shutdown+-p+now]

This is one reason open-source is generally better: when an open-source project is done, the developers leave it that way (unless any bugs are found), and go find something else productive to work on.

One word: Emacs.

Re:Sad

[Darinbob]

Yes, but you can have a Turing complete language that does not muck with your machine. Ie, it should be interpreted, never given access to the file system or system RAM, etc. Ie, the virtual machine should never be given access to the physical machine.

Especially in a language designed to be portable adding the equivalent of peeks/pokes and fread/fwrite is pretty silly.

(Of course there may be bugs with the interpreter so that you could use stack smashing attacks or similar hacks as an exploit; but you can fix those bugs or use a different reader.)

Re:Sad

[2.7182]

You're like in the 1970s in fact. Postscript is even a full language, and it is the predecessor of pdf. I think that a security flaw existed in the old Xfig app for unix in the 80s that had its basis in the fact that it executed postscript.

Re:Sad

[DamnStupidElf]

Until, of course, someone modifies the proof of concept to use the /L!unch functionality you just added.

Re:Sad

[jackbird]

What's worse is that malware is even possible in what is supposed to be a document format.

That's true, but starting with the Melissa virus, it's here to stay.

Re:Sad

[Pentium100]

solution - generate the replacement string randomly.

In any case, this is only a short time solution until Foxit (hopefully) patches it. I don't want to use Adobe...

Re:Sad

You sir, have finally convinced me.

/drop vi
/use emacs


eh... wait.

Re:Sad

[perryizgr8]

actually, foxit is much lighter than adobe. and as a bonus it does not install the adobe AIR crap automatically.

Re:Sad

[FlyingBishop]

Adobe may be larger, but it's faster. In any case, Foxit has just about all the features Adobe has that turn what should be a document printing tool into a malware vector.

Re:Sad

[thePowerOfGrayskull]

This is good reason to ensure that no matter *which* PDF reader you use, you disable the "automatic open in browser" behavior and file behavior associations (in FF). It's one extra click to have to manually open the file, and this way you don't have to worry about a hidden iframe containing evil things.

PDF-XChange

[Peter+Simpson]

We don't use the bloated Adobe viewer any more. There are several alternatives; we like this one.

Re:PDF-XChange

*reads the article* It sounds like it'll run automatically with no warning in Foxit.

So. Not sure if the alternatives even stop this since it's not an exploit in the pdf reader but an exploit in the PDF file type or something. He gets it to run code somehow anyway.

Re:PDF-XChange

[abigor]

Do you always refer to yourself with the royal "we"?

Re:PDF-XChange

[Monkeedude1212]

He says that it works in other PDF Readers (well he mentioned one, Foxit) - because he's not exploiting a vulnerability in any of the applications, but the PDF Language itself.

So, chances are, you are just as vulnerable. He also said he reported it to Adobe, without releasing his proof of concept to the public - so we'll see what comes out of it.

It might just end up that Adobe products become more secure for reading PDFs than the others, and Adobe then has an upper hand.

[tinfoil speculation]
And if thats the case, why would they inform other PDF Readers. And unless the proof of concept is made public, how do we know there is actually a vulnerability besides the word of this hacker and Adobe?
[/tinfoil speculation]

Re:PDF-XChange

[K.+S.+Kyosuke]

He says that it works in other PDF Readers (well he mentioned one, Foxit) - because he's not exploiting a vulnerability in any of the applications, but the PDF Language itself.

But what vulnerability can be in a data format? Especially if I open it with a viewer that knows no stinkin' JavaScript etc.? GhostView and Xpdf simply say that the file is broken and display what they can.

Re:PDF-XChange

If you read the comments under the original author post (linked from the article), people are reporting PDF X-Change as ignoring that part of the language spec and not executing the payload.

I haven't tested if that's true.

Re:PDF-XChange

[sopssa]

He says that it works in other PDF Readers (well he mentioned one, Foxit) - because he's not exploiting a vulnerability in any of the applications, but the PDF Language itself.

But what vulnerability can be in a data format? Especially if I open it with a viewer that knows no stinkin' JavaScript etc.? GhostView and Xpdf simply say that the file is broken and display what they can.

In this case it's not even vulnerability, it's just interesting way to use the PDF specs to get that result. However as for your question, vulnerabilities aren't in the data formats itself, but in the programs that read them (buffer overflow etc)

Re:PDF-XChange

RTFA - no JavaScript required, only adherence to the PDF Spec.

No kidding, the Windows payload didn't work on your Linux apps?

Re:PDF-XChange

But what vulnerability can be in a data format?...

Clearly you are not familiar with PDF.

Re:PDF-XChange

[Lunix+Nutcase]

Especially if I open it with a viewer that knows no stinkin' JavaScript etc.?

Did you even bother to read the summary?

Disabling JavaScript will not prevent this.

To quote further from the actual article:

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

This has nothing to do with JavaScript or anything else. It has to do with the actual PDF language spec itself. Amazing how you got modded interesting by not even understanding what the issue is.

Re:PDF-XChange

[the_humeister]

Each of us is composed of trillions of eukaryotic cells and even more bacterial cells. Thus, we think it appropriate to use "we" when speaking for us.

Re:PDF-XChange

this means that P D F is a wrong term, it should be called Adobe ActiveX format!

it should be Portable Dodument and Code Format

Assumption: this is not a grand April Fools' joke.

Re:PDF-XChange

[99BottlesOfBeerInMyF]

He says that it works in other PDF Readers (well he mentioned one, Foxit) - because he's not exploiting a vulnerability in any of the applications, but the PDF Language itself.

Technically, I think he's exploiting a common way the spec is implemented. the "/launch" command is supposed to be to a PDF file or be handled as a URI action.

He implements a file including:

/Type /Action /S /Launch /Win /F (cmd.exe)

By my reading of the spec (which is admittedly not expert) the way things are being handled by the PDF reader are questionable and by the OS is stupid.

In my mind this is simply one more argument for default ACLs and sandboxing for all applications as an integral part of OS design..

Re:PDF-XChange

[idontgno]

I'm pretty sure a substantial minority of your eukaryotes actually prefer Adobe products.

The "we" you're using is just your corporeal ruling elite talking, Man! It's just another example of your neurons keepin' your connective cells and fat tissue down!

Re:PDF-XChange

[betterunixthanunix]

PDF is not a simple data format; it contains a weird programming language for rendering documents. This hacker is using that language to execute malicious code, which theoretically works in any PDF reader.

Re:PDF-XChange

[SanityInAnarchy]

Are you sure that's how he does it? He apparently has a better proof-of-concept that he hasn't posted, only sent to Adobe.

Re:PDF-XChange

[natehoy]

As Mark Twain once said, "Only kings, presidents, editors, and people with tapeworms have the right to use the editorial 'we.'"

Peter does not appear to be a king, is unlikely to be a president, and he's probably not an editor...

Re:PDF-XChange

[suomynonAyletamitlU]

To be fair, my fatty tissue is an ass, and my connective tissues jerk me around all the time.

Re:PDF-XChange

[kaizendojo]

-1 mod

(we are not amused)

Re:PDF-XChange

[99BottlesOfBeerInMyF]

Are you sure that's how he does it? He apparently has a better proof-of-concept that he hasn't posted, only sent to Adobe.

That certainly seems to be the basis for his attack based upon the data and samples he's presented. It's not the first time this particular part of the spec has been a security problem either.

Re:PDF-XChange

[treeves]

We recommend niclosamide or another anthelminthic for Pete.

Re:PDF-XChange

[Jorl17]

The royal weee? Last time I heard that it was when the Queen decided to pee. That was a royal wee.
;)

Re:PDF-XChange

[MagicM]

the "/launch" command is supposed to be to a PDF file or be handled as a URI action

The PDF spec I'm reading in Table 8.48 (Action types) says:

Action Type: Launch
Description: Launch an application, usually to open a file.

And there are other instances where it clearly states that "A launch action launches an application or opens or prints a document."

Re:PDF-XChange

[atisss]

/usr/bin/cmd.exe didn't work on linux/evince

Re:PDF-XChange

[Junior+J.+Junior+III]

Do you always refer to yourself with the royal "we"?

He's referring to himself, the laptop, his tapeworms, and the infected PDF .

Re:PDF-XChange

[Hurricane78]

Yes! And:

It rubs the lotion on its skin. It does this whenever it is told.

Got it? ^^

Re:PDF-XChange

[99BottlesOfBeerInMyF]

Yes, that is the summary of what it does, but the spec I'm read ing (1.5) says it is to be implemented via a URI, not call a specific application. That is to say, hand the URI for a .exe file to the OS and let it decide what is registered to open it. The spec lists the variable type as "File" which in turn requires URI and a file location.The only option listed is a new window or not a new window. So if they implemented "Launch" to launch a specific application, it looks like a violation of the spec, or at very least something not included in the spec.

Of course if Adobe goes beyond the spec it is easy to see why sometimes third parties copy them for compatibility.

Re:PDF-XChange

[PhxBlue]

In all fairness, it's hard sometimes to separate the tapeworms from the editors on Slashdot. But generally, the tapeworms have better grammar. :)

Re:PDF-XChange

[K.+S.+Kyosuke]

This has nothing to do with JavaScript or anything else. It has to do with the actual PDF language spec itself. Amazing how you got modded interesting by not even understanding what the issue is.

Then explain me the issue, please. And not in such weasel words as "it has to do with the specification itself".

Re:PDF-XChange

[izomiac]

I just tested it using 64-bit PDF X-Change Viewer V2.0 Build 44 on Windows 7 and it did not execute the payload. Others on the source blog are reporting that they get a warning but even saying "Yes" fails to open the payload. So it seems that PDF X-Change Viewer is not vulnerable to this exploit.

Re:PDF-XChange

[K.+S.+Kyosuke]

PDF is not a simple data format; it contains a weird programming language for rendering documents.

Nope. PDF is basically a specification for storing a (rather weird, but efficient) data structure consisting of graphical operators and various embedded resources, such as pictures or fonts. One could (very inaccurately, but you'll get the point) say that PDF is to PostScript what S-expressions are to Lisp. The only thing reminding me of any sort of programming in PDF are Type 4 functions, described in section 7.10.5 of the ISO 32000 specification. The instruction set for these function is, however, not even Turing-complete, and therefore you can't even DOS your printer with it (which was apparently the designer's intention).

Re:PDF-XChange

[K.+S.+Kyosuke]

I take it you are. :)

Re:PDF-XChange

[The+End+Of+Days]

Here, I found an article explaining the issue.

Re:PDF-XChange

[HiThere]

PDF is basically a specialized subset of Forth. Unlike Postscript, it was presumed to be safe. This, however, may show otherwise.

Postscript is essentially a specialized dialect (not subset) of Forth. It is clearly Turing complete, so a Postscript program might do nearly anything. PDF had been presumed to have been safely neutered. This calls that into question.

P.S.: No, I didn't read the original article. This is all basic background stuff, with a few of my speculations about what this "exploit" means. I tried to indicate where I was speculating.

Re:PDF-XChange

[petermgreen]

While details are hard to come by I think this may run deeper than pdf.

The whole idea of "opening a file in a way determined by the OS for that type of file" is poor from a security point of view. Opening a file can mean anything from viewing an image in an image viewer (safe unless there is a bug in the image viewer) through opening something like an office document (may or may not be safe depending on office security settings) though to running an executable (unsafe by design).

On windows afaict the normal way to open a file or to load a url in the default browser is to pass the name of the file to "shellexecute" but that api has no provisions for checking if the file in question is dangerous.

Sadly i'm not sure there are any better alternatives so for now we seem stuck with papering over the cracks with warning dialogs.

Re:PDF-XChange

[oatworm]

Wait - time out. You mean to tell me that I can program a BSD bootloader in Postscript? Just when I thought it couldn't get any stranger...

Re:PDF-XChange

The two major pdf readers on linux (okular and evince) are not vulnerable however....

They decided not to support silly things in the spec.

Re:PDF-XChange

[YttriumOxide]

As a proof of concept several years back, I wrote a "postscript virus". It was specifically designed to target print devices of course since I work in the print industry and postscript it most common on print devices compared to elsewhere. The purpose of the virus was to save itself to storage if available, print a page, scan the network for print devices, and then copy itself to them. I released it in to one printer in my test lab at work and within seconds, every device in the room (about 50 printers) was spitting out pages and pages. Turning them off an on would fix the ones without storage, but those with it would just restart after booting. Quite fun to watch. Took me about 2 hours to go through and clear it from all the devices though (formatting/clearing the appropriate storage one at a time with all other devices off to avoid reinfection)

Before anyone asks, no I don't have the code anymore. I could probably rewrite it, but have no intention to. Also, I don't think it'd work on all postscript printers - the device needs a pretty full implementation whereas many "home" printers simply don't implement the full spec. Mostly it was an "office MFP" attack.

Re:PDF-XChange

[99BottlesOfBeerInMyF]

While details are hard to come by I think this may run deeper than pdf.

Clearly security issues go beyond this single flaw in PDF and to some of the primary assumptions of OS's in mainstream computing.

The whole idea of "opening a file in a way determined by the OS for that type of file" is poor from a security point of view.

I disagree. That is to say, can't think of any better way. The OS determining what to use makes for a smaller exposure to exploitation because an attacker cannot specify or know what will be used to open a particular data type in most instances.

Opening a file can mean anything from viewing an image in an image viewer (safe unless there is a bug in the image viewer) through opening something like an office document (may or may not be safe depending on office security settings) though to running an executable (unsafe by design).

You provide three examples, but all three could be made quite safe if OS's were designed to do that. Sandbox every application and give it access to only what it needs. Monitor the integrity of the sandbox. In my opinion an average user should be able to run a random .exe file from an unknown, untrusted source and the OS should appropriately restrict that executable to prevent harm. That's not to say the user should not be able to override the OS's decision, but only when made aware of exactly what the executable is trying to do and being given the choice of doing it in a safe environment instead.

Heck, I can do it today. Send me a random .exe file and I can put it into one of my premade windows VMs, run it, only granting explicit access to my real data as needed, and reverting the VM back to it's original state or saving it as a one-off for using that executable. The problem is, this task is far too difficult for the normal user. The whole process could be streamlined and automatic though, if the market was responsive to the needs of users.

No vulnurebility?

That's a big red vulnerability named PDF.

With Foxit Reader

[wiredog]

There's no warning at all. It just runs.

Re:With Foxit Reader

From TFA:

"In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn’t run. But that’s probably due to some variation in the PDF language supported by Foxit Reader."

So apparently it *DOESN'T* "just run". Yet, at least.

further proof D. Knuth was right

Who the hell thought it was a good idea to have dynamic content in a document description language?

Notice you never hear about exploits-of-the-week like this for LaTeX !

Re:further proof D. Knuth was right

[Lunix+Nutcase]

What dynamic content? This has nothing to do with JavaScript.

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this ( I don’t use JavaScript in my PoC PDF ), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

Re:further proof D. Knuth was right

[TheRaven64]

I can't decide if you're trying to be ironic, but there are no 'vulnerabilities' in LaTeX because the ability to interact with files and run arbitrary programs are part of the language. The reason LaTeX isn't often exploited is that it is very rare to run LaTeX programs from untrusted sources; you distribute the output from the program, not the program itself.

On a slightly different topic, is there a competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?

Re:further proof D. Knuth was right

[Chyeld]

PDF is the evolved form of PostScript - http://en.wikipedia.org/wiki/PostScript and at the time PS came out, it wasn't that bad of an idea, especially since it enabled us to actually print IMAGES.

Unfortunately, feature creep set in and instead of creating a language actually meant for publishing and sharing documents, Adobe just reimplemented PS in PDF and glossed over the fact that they were using an elephant gun to shoot mosquito. This is coming back around to bite them in their butt. But the actual origins of the language weren't as boneheaded as you make them out to be.

Re:further proof D. Knuth was right

[plover]

What dynamic content? This has nothing to do with JavaScript.

Dynamic content != JavaScript.

Dynamic content is a generic name for all manner of executable things, including not only PDFs and JavaScript, but also LaTeX, ActiveX, VBScript, etc. JavaScript is simply one of many different implementations of dynamic content.

In this case it's a "/Launch" command in the PDF syntax that's being exploited.

Re:further proof D. Knuth was right

[TeknoHog]

PS is a full programming language, as witnessed by those web servers and fractal generators that, I imagine, take ages to run on a printer. Thus PDF was originally created as a simpler page description language, but have you ever heard of PS exploits?

Re:further proof D. Knuth was right

[Hurricane78]

PostScript, the basis of PDF, is a full, turing-complete programming language! This has nothing to do with JavaScript!

Re:further proof D. Knuth was right

Launching arbitrary commands/code is not dynamic enough for you?

Re:further proof D. Knuth was right

[jirka]

Why don't you compile the following document with "tex --shell-escape" as root

\write18{rm -fR /}

Re:further proof D. Knuth was right

[starfishsystems]

What JavaScript? This has to do with dynamic content.

You've heard of PostScript, right?

Re:further proof D. Knuth was right

[Chester+K]

Who the hell thought it was a good idea to have dynamic content in a document description language?
Notice you never hear about exploits-of-the-week like this for LaTeX !

That's a good question. Someone should be asking the people who put Javascript in Netscape the same thing! I mean, there's absolutely no use cases for having dynamic documents!

Re:further proof D. Knuth was right

[Chyeld]

Actually while I was a CS major one of our labs was half NeXTSTEP (http://en.wikipedia.org/wiki/NeXTSTEP) and was aware of graduate students who pranked each other on the lab computers using the fact that the computers used postscript as a display engine.

Re:further proof D. Knuth was right

[einhverfr]

I have heard of all manner of evil things one can do to printers by sending malicious Postscript documents to them.....

So in answer to your question, "yes."

Re:further proof D. Knuth was right

Dynamic content i.e the ability for the document to run code. It doesn't have to be Javascript.

Re:further proof D. Knuth was right

[pclminion]

PDF has some superficial syntactic similarities to PostScript. Beyond that, it is not at all like PostScript. The reason the content stream language of PDF is PostScript-like is because it made it easy to print PDF by simply blowing the content stream out as PostScript, accompanied by the appropriate ProcSets. Such usage is deprecated these days -- ProcSets are no longer required to be declared, and modern PDFs can't be printed by blowing the content stream directly to the printer any more.

Even in the areas where PDF looks like PostScript, it's fundamentally different. There is no operand stack. There are no control flow operators. If you start trying to create a PDF under the impression that it's just like PostScript, you'll fail miserably.

Re:further proof D. Knuth was right

[colinrichardday]

How is LaTeX executable? Unless you do something really stupid, it's just markup, no more executable than plain HTML.

Re:further proof D. Knuth was right

[plover]

What if you included this in your LaTex? \url{file:///C:/WINDOWS/SYSTEM32/cmd.exe} Maybe you could make it work with the \providecommand macro. Or perhaps hack something together in the Form environment.

I don't know, I'm certainly not a LaTeX hacker. But LaTeX can do an awful lot of the things PDFs can do, which means the potential* for misuse is there.

John

*"potential" does not mean security holes exist, but it doesn't mean it's squeaky clean, either.

Re:further proof D. Knuth was right

[plover]

sorry, I meant to write that as "you can do an awful lot of the same things in LaTeX as you can in PDFs".

Re:further proof D. Knuth was right

[colinrichardday]

What if you included this in your LaTex? \url{file:///C:/WINDOWS/SYSTEM32/cmd.exe} Maybe you could make it work with the \providecommand macro?

I don't know if that would work on my Ubuntu box :-). Also, I believe that violates the "really stupid" clause in my post. As another poster pointed out, one can have \write18{rm -fr /} in a TeX document, and then run tex with the --shell-escape option. Also not a good idea.

Re:further proof D. Knuth was right

[dudpixel]

well it seems to be the order of the day these days to measure an OS's quality by the number of security fixes implemented in a given period...so maybe you're onto something...

Re:further proof D. Knuth was right

[ultranova]

That's a good question. Someone should be asking the people who put Javascript in Netscape the same thing! I mean, there's absolutely no use cases for having dynamic documents!

True, there isn't. A "dynamic document" is an unbelievably annoying gimmick. Recently they've graduated to full-blown Web Applications, which is fine; but prior to XMLHttpRequest and its ilk I usually surfed with Javascript disabled to avoid all the "dynamic" crap.

"This cannot be patched"

[Manip]

"This cannot be patch because it isn't a vulnerability." Uhh yes it can, and sure it is. There are millions of bugs that were entirely by design and the designs adapted to eliminate them. I will grant that they might have to break the PDF spec' to fix it but frankly it is the right thing to do for everyone concerned.

Re:"This cannot be patched"

One man's feature is another man's defect.

Re:"This cannot be patched"

[Applekid]

Exactly. To execute code, at some point, the reader is branching into data created or loaded by the pdf. When is that ever a good idea? If it's part of the PDF spec then it's a pretty good part to break compatibility with.

Re:"This cannot be patched"

[plover]

One man's feature is another man's defect.

In the case of security "features", one man's feature is EVERYONE's defect.

Re:"This cannot be patched"

Exactly. To execute code, at some point, the reader is branching into data created or loaded by the pdf. When is that ever a good idea? If it's part of the PDF spec then it's a pretty good part to break compatibility with.

It doesn't sound like Reader is really doing this. Invoking an existing command shell or a delete program doesn't necessarily involve running data as code.

Not that I disagree with the larger point I think that you're trying to make, that Reader (and/or the PDF spec) should not have this functionality, at least not enabled by default.

Clever social engineering...

[Chris+Burke]

You open the .pdf. On page 1 you see: "Hey you! Close this file, rename it to end with '.exe', and then double click it! There's, uh, boobs! Yeah lots of boobies."

Okay so that's not entirely accurate, and at least one .pdf reader requires no social engineering at all other than getting them to open the pdf itself. Why would you make it so that you can't (normally) embed executables in the .pdf, but then allow .pdfs to launch arbitrary commands?

Re:Clever social engineering...

[TheRaven64]

Being able to run external programs does make sense for some use-cases of PDFs. For example, a PDF form might contain some JavaScript logic for validating a form and then an action to submit it via some custom mechanism. You probably wouldn't distribute PDFs like this in the wild, but you might use them inside a company. A time sheet might be an example of this - you'd fill in the data in Adobe Reader and then submit it into the corporate accounts system. It's a bit of a stretch, but this feature was probably added back when the web was a lot less common.

Re:Clever social engineering...

[T+Murphy]

The guys at Adobe heard about oscilloscopes with hidden games on them, and Word's flight simulator, so they incorporated "features" so they could make an easter egg of their own. They never got around to that easter egg, so now lots of people are kindly lending them a hand at it.

Re:Clever social engineering...

[idontgno]

If you design a sharp blade into an out-of-the-way spot of a hammer, don't be upset if you get cut while driving nails.

Not every tool is proper for every job. Using PDF as a general-purpose computing language is either mistaken or willfully stupid.

PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action. Its vocabulary of actions and action subjects should be limited...to just PDFs. Interpreted entirely internally.

Any use case that involves running external programs from within the PDF interpreter is a broken use case, caused by misapplying a tool for a purpose it's not properly intended for.

Re:Clever social engineering...

[StoatBringer]

PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action.

You've never dealt with a marketing department, clearly.

"Hey, you know what would be cool? What if PDF documents could also play videos?"
"Um.. well, it's technically possible but I don't think that-"
"Great! WE MUST HAVE THIS FEATURE! NOW! DROP EVERYTHING AND GET TO IT!"

Re:Clever social engineering...

[Dishevel]

But it IS all of those things. Maybe it should not be.

It surely should not be.

But it is. Since that is what it is then maybe we should just not be using it at all. If the only thing your company can send me is a fucking PDF then you can print it and mail it to me.

Re:Clever social engineering...

[The+Angry+Mick]

The guys at Adobe heard about oscilloscopes with hidden games on them, and Word's flight simulator, so they incorporated "features" so they could make an easter egg of their own. They never got around to that easter egg, so now lots of people are kindly lending them a hand at it.

I honestly don't know whether to mod this +1 Funny or +1 Insightful.

Re:Clever social engineering...

[dudpixel]

you forgot to attach said "pdf".

Testing done in Windows only...

I'm willing to bet this concern isn't a Linux and/or BSD problem.

Re:Testing done in Windows only...

[Manip]

Foxit Reader for Linux might support it.

Re:Testing done in Windows only...

Unless you put Linux / BSD code in for the executable. Title it something like "Ubuntu Config Made Easy", and I am sure you'll snag plenty of newbies trying to optimize Linux for the first time... which may very well drive them back to Windows.

Windows only again?

Poor Mac OS X and Linux users are left out again.

Re:Windows only again?

[MikePlacid]

Yep. Feeling lonely.

*nix vulnerable too?

[cpuh0g]

What happens on *nix versions of Adobe Reader - OS/X, Solaris, Linux, etc?

Re:*nix vulnerable too?

[Graham+J+-+XVI]

If it's a Windows executable - nothing.

Re:*nix vulnerable too?

[cpuh0g]

Obviously. Im wondering, though, if one could change the exploit to execute *nix executables instead.

Re:*nix vulnerable too?

[betterunixthanunix]

Yes, rtfa with comments.

Re:*nix vulnerable too?

[Jorl17]

I'm not sure, but I'd say it works pretty much the same way, it just runs the code (with or without a confirmation dialog). Like any other exploit/unwanted-feature, the pseudo-hacker must know what he/she is targeting.

Re:*nix vulnerable too?

[selven]

Individual instances of the exploit might be designed for Windows only, but I can't see why Linux would protect you here.

Re:*nix vulnerable too?

Yes, this exploit can be used to execute a *nix executables on *nix versions of Adobe Reader.
However, the exploit does not work with poppler, so if you use Evince or Okular then you should be safe.

Re:*nix vulnerable too?

[Onymous+Coward]

/OpenAction <<
   /F <<
     /DOS (C:\\\\WINDOWS\\\\system32\\\\calc.exe)
     /Unix (/usr/X11R6/bin/xcalc)
     /Mac (/Applications/Calculator.app)
     /TheAnswerIs (yeah\\\\i/think\\\\so)
   >>
   /S /Launch
>>

Re:*nix vulnerable too?

[HiThere]

Could one make it a postscript executable? Or a Java class file. I wouldn't be too certain that this will *stay* a MSWind only exploit.

This might have the potential to become a truly cross-platform exploit.

Re:*nix vulnerable too?

[Dak+RIT]

It can, although it doesn't mean that Mac and Linux are just as vulnerable as Windows.

If you download this proof of concept which works on Linux, Windows and Mac:
http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf

you'll discover that although it works in Acrobat Reader on the Mac, the Mac Preview application, which I would hazard is used to open the vast majority of PDFs on Macs, does not support /Launch and thus isn't vulnerable to the attack.

Re:*nix vulnerable too?

[the_womble]

Okular and Evince on Linux also do not seem to support /Launch, and they are far more widely used than Acrobat Reader on Linux.

No executable required?

[keytoe]

I don't understand how someone can say that it doesn't exploit a reader to operate. That implies that opening the file in, say, a text editor will somehow trigger the exploit. I find that claim highly dubious. What about a hex editor? Running 'cat'?

At some point, in order for the exploit to trigger, some executable must operate on the data enclosed in the file. It is therefore an exploit in an executable, and thus it is important to know which executables are vulnerable. Saying anything else is disingenuous and nothing but rampant fear mongering.

Re:No executable required?

[Graham+J+-+XVI]

It's not an exploit if it's using an intentional feature. TFA clearly mentions Adobe Reader as the software used, obviously opening it in something else will not have the same effect.

Re:No executable required?

[SanityInAnarchy]

At some point, in order for the exploit to trigger, some executable must operate on the data enclosed in the file. It is therefore an exploit in an executable, and thus it is important to know which executables are vulnerable.

All which correctly implement the PDF spec. Posting before reading the summary is also disingenuous.

Re:No executable required?

[SanityInAnarchy]

Whoops -- sorry, it's not in the summary. It is, however, in TFA.

Re:No executable required?

[John+Hasler]

> All which correctly implement the PDF spec.

Which is therefor buggy.

Re:No executable required?

[david_thornley]

The PDF spec is buggy in exactly the same way that any language or OS spec is: it provides ways to do things that may be bad. It is certainly arguable that the PDF spec tries to do too many things, and frankly I'd argue that, but given any system that allows sufficiently complex behavior there will be ways to abuse it.

Adobe misfeature

[Animats]

Explaination

Video

Demo PDF file (as .zip)

PDF apparently has (stupidly) a capability to launch an executable program which is run when the PDF file is opened. There's a warning message. All the exploit does is put in some text like "To view the encrypted message in this PDF document, select "Do not show this message again" and click the Open button." into the warning dialog box.

Incidentally, SumatraPDF doesn't do this, but that seems to be a bug; the test file produces "Synchronization file cannot be opened".

Re:Adobe misfeature

[qoncept]

My biggest problem with Reader has been that it's a horribly slow piece of garbage with 3rd party alternatives that work great. I'd call this "strike 2" but it's already way beyond "out."

Adobe Crumbles

[Zorlon]

I find Adobe proprietary apps like pdf viewer and flash to be very annoying. I would love a nice rain to wash that mud away.

Hey Google, integrate this too!

[Graham+J+-+XVI]

Chrome integration of one buggy plugin deserves another, right?

Evince is OK!

I had it with PDF exploits a few weeks back, so decided to try evince.

Current version 2.28.0 on vista (yes i know) and doesn't seem vulnerable to the file on the linked site.

Someone else please confirm.

Oh and its free.

Re:Evince is OK!

[Rich0]

Tried to switch to evince on Windows machines. However, the most recent version doesn't let you print files. That obviously is a problem.

Maybe sometime in the next year or two the developers will post a fix. The last time I looked a few months ago there wasn't a fix, and it looked like the problem had been around for a while. Note to FOSS devs - "fixed in CVS" isn't a fix if there isn't a simple to use free build platform on the target OS.

Re:Evince is OK!

[Gaygirlie]

Have you tried SumatraPDF? I use it for reading PDF files and while it is somewhat ugly it's atleast fast and updated regularly. I cannot say whether it is affected by this bug/feature or not, though, haven't checked yet.

http://blog.kowalczyk.info/software/sumatrapdf/index.html

Re:Evince is OK!

Thanks to you both, didnt notice that print issue :-) and you are correct.
Will give sumatra a shot, also as I got the idea of using vince from Ubuntu in a virtual box - I may pluck up the courage to rebuild and ditch MS.

Thanks /.

Seriously, just uninstall Reader already.

[DrEldarion]

For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

Easy replacement:
1) Install Google Chrome
2) Install this extension which opens up all PDFs in Google Docs.
3) Enjoy your new, safe browsing and PDF-viewing environment.

Re:Seriously, just uninstall Reader already.

Yeah, because Google doesn't have enough of your info already.

Re:Seriously, just uninstall Reader already.

[misterooga]

With the google doc extension, don't you need to be online? Also, that's assuming you don't mind google caching on the pdf you're opening, right?

Re:Seriously, just uninstall Reader already.

[Jorl17]

Or, for once, learn how to open documents sent from SECURE SOURCES. What's all the fuzz with idiot people reading documents sent by evil-idiots? Just teach people about distinguishing between good and bad "software", as it is possible to teach them to distinguish between 'good' and 'bad' words. Sure secure apps matter, but security mustn't be taken for granted and, thus, we should be educated about it.
Ditto.

Re:Seriously, just uninstall Reader already.

[_bug_]

This is a very bad idea.

If you're opening your PDFs with Google Docs then you're uploading your PDF to Google Docs first. Perhaps for some kind of unimportant document such as a manual or spec sheet this might not seem like a big deal. But if you're trying to open, say, last year's tax returns that you've saved in PDF, well now your tax return information is "in the cloud". Or maybe you're filling out a form from by your health care provider concerning some sort of particularly embarrassing medical issue. Do you really want that information "in the cloud"?

You may try to argue that Google Docs is safe and secure. I bet yesterday Adobe would have said Acrobat Reader was safe and secure too.

Re:Seriously, just uninstall Reader already.

[DrEldarion]

The problem with unsecure PDFs is that they're vulnerable to drive-by attacks. If your browser has a security flaw, that can be used to open an infected PDF. A rogue website can redirect to an infected PDF and most browsers are set to auto-open them.

I'd wager that most people infected by PDFs never downloaded anything manually.

Re:Seriously, just uninstall Reader already.

[SOdhner]

No, it's that Google already has SO MUCH of my info that I just don't care anymore. Trying to keep any of my information from Google at this point is like closing the barn doors after the cows are out.

Re:Seriously, just uninstall Reader already.

You forgot step 4. Have Google examine your pdf and save for later.

Re:Seriously, just uninstall Reader already.

[evilviper]

For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

While I still highly recommend any of the alternatives, I've seen several cases where websites are checking for that specific plug-in, and will not make any attempt to display the PDF, or offer any alternative links to the document, if Reader is not detected. Of course if more people dropped Adobe's crap, this would cease to be an acceptable way to display PDFs, but it should at least be noted that you might find just a few dark corners where the alternatives won't work for you.

And let me take a moment to rant on about what a dog Acrobat Reader is. I've seen innumerable systems that had plenty of free memory, UNTIL Reader started up, and grabbed a fricking half GB, and caused serious system swapping. Replacing Reader with XPDF always brings the very same system from dog slow, to lightning fast...

Re:Seriously, just uninstall Reader already.

that just moves the vulnerability onto Google though, doesn't it, since they will still have to run the PDF to get its output. Is getting Google.com infected really worth it?

/s

Re:Seriously, just uninstall Reader already.

[TigerTime]

And what's your solution for someone behind a company firewall that blocks Google Docs?

Re:Seriously, just uninstall Reader already.

[SethJohnson]

The joke here is step number 4-

4) Click on the 'print' link

In Google Docs, a dialogue prompts you to download the PDF to your local computer to either be opened by a helper application or saved to your hard drive.

Seth

Re:Seriously, just uninstall Reader already.

[dave562]

Your rant ignores the legitimate cases where people open documents from untrusted sources. The Human Resources department is the often touted example of that. They receive resumes all the time. If they don't want to accept them in Word (maybe they're scared of being labeled Microsoft toadies?) then they will accept them in PDF.

Re:Seriously, just uninstall Reader already.

[dAzED1]

I register for every account with a random birthday, and other personal information. Why? because if people aren't going to be honest with what they're going to do with that information, then I'm not going to be honest with the information I give. Fark em.

Re:Seriously, just uninstall Reader already.

[Onymous+Coward]

You never did care about that last little cow, huh? After all she did for you?

Might as well burn down the barn while you're at it.

Re:Seriously, just uninstall Reader already.

Why do I need to sacrifice my PDF reading privacy for security?

I don't need Google to know about every PDF I read.

Re:Seriously, just uninstall Reader already.

[rliden]

Google will be bundling both Flash and PDF reader with Chrome as internal plug-ins. The user will be able to disable them in the options menu. You can check out the article here at the Google Operation System blog.

Re:Seriously, just uninstall Reader already.

Nah, all my pdf's are bank statements. Who could be interested in my boring bank statements?

Re:Seriously, just uninstall Reader already.

[petermgreen]

pdf is the standard format for electronic documents in "as printed" form. There are lots of cases where it is nessacery to read documents from sources that are not perfectly trusted. If a pdf can't handle that securely then it's not fit for purpose.

Also at least acrobat (and I think other pdf readers too) installs browser plugins as standard so there is NO WARNING when a web page opens a pdf. This means that acrobat like flash has exposed itself to any website the user visits and therefore needs to be held to the same standards as the web browser itself.

Re:Seriously, just uninstall Reader already.

Or Sumatra, so you don't have give yet more info to google.

Re:Seriously, just uninstall Reader already.

[dudpixel]

For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

really? and all this time I thought it was for opening PDF's. No one tells me anything.

Re:Seriously, just uninstall Reader already.

How does a website detect which browser plug-ins you have?

Re:Seriously, just uninstall Reader already.

[Jorl17]

You are right, I hadn't thought of such an example! Though I'd really always stick to PDF or ODF ;). In those legitimate cases, one can only hope that the idiots (once again, notice this word) who wrote the standard wrote it incely and in a safe way. It can't be safe if it's not thought safe.

Re:Seriously, just uninstall Reader already.

[Jorl17]

"Also at least acrobat (and I think other pdf readers too) installs browser plugins as standard so there is NO WARNING when a web page opens a pdf. This means that acrobat like flash has exposed itself to any website the user visits and therefore needs to be held to the same standards as the web browser itself."

Then teach people not to install such hideous software.

Re:Seriously, just uninstall Reader already.

[thePowerOfGrayskull]

Except the few million of us behind corp firewalls who can't use google docs due to info sharing & leakage risks...

In any case, if you don't have PDF files set to automatically open in your browser (which has always been annoying to me anyway - nested UI's are just irritating) your chances of being affected are much reduced. iframe attacks won't work on you, and you'll be more generally safe with PDF files that you are seeking out and opening deliberately.

Re:Seriously, just uninstall Reader already.

[evilviper]

Javascript can get the software name including version string, and similar. Now this typically only checks that you have "Flash" version "5" or above, but it is possible to get totalitarian, and lock out everything but a few selected names and versions, then 3rd party plugins have to imitate that EXACT string to be allowed. It sucks, but it happens.

function detectReal(redirectURL, redirectIfFound) {
        pluginFound = detectPlugin('RealPlayer');
        if(!pluginFound && detectableWithVB) {
        pluginFound = (detectActiveXControl('rmocx.RealPlayer G2 Control') ||
                              detectActiveXControl('RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)') ||
                              detectActiveXControl('RealVideo.RealVideo(tm) ActiveX Control (32-bit)'));
        }
        return redirectCheck(pluginFound, redirectURL, redirectIfFound);

Re:No *buggy* executable required?

[Chris+Burke]

It means "exploit" a reader as in "take advantage of a bug in", not "make use of in any way". In other words, a perfectly coded pdf reader with zero bugs whatsoever would still be vulnerable. So the answer to which executables is "All of them" At least if they're implemented correctly, which is a very different circumstance than usual and worth making note of.

By your usage of exploit, then they'd have to say this: "This method exploits a PDF reader, a computer operating system, a computer, the electrical grid, the planet earth and its star, Sol, and the laws of physics."

Oh but it does make some difference which reader you are using. Some throw up a warning dialogue (whose content can apparently be controlled to an extent) and at least one doesn't. Foxit is apparently a reader you should avoid.

Yup, part of the PDF spec

[MagicM]

If you're really a nerd, you'll want to scroll through the PDF Reference section 8.5 ("Actions"). Be careful though, as it may hurt a little.

Instead of simply jumping to a destination in the document, an annotation or outline item can specify an action (PDF 1.1) for the viewer application to perform, such as launching an application, playing a sound, or changing an annotation's appearance state. [...] In addition, the optional OpenAction entry in a document's catalog (Section 3.6.1, "Document Catalog") may specify an action to be performed when the document is opened.

It's actually very well-defined, and creating a document that implements this part of the specification should be trivial.

Re:Yup, part of the PDF spec

[John+Hasler]

So it appears that you have found the bug in the spec.

Re:Yup, part of the PDF spec

Then you missed what his exploit is. See http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ but the short of it is that action launch is *not* supposed to allow execution of embedded code. The "POC" PDF he has posted just implements the launch action and only demonstrates that a particular PDF reader supports the launch action.

From a black hat perspective there's a huge difference between executing code on your system and executing arbitrary code.

Further, Adobe Reader displays a scary warning and appears intended to include the name of the application that will be executed, but instead can be caused to display an arbitrary message.

This is abuse of the launch action to get unintended results -- without exploiting a flaw in a particular reader, but (apparently) one implied by the specification itself.

Re:Yup, part of the PDF spec

[John+Hasler]

Re-reading what you quoted, I see no requirement that an implementation be willing to execute any part of the content of the document: just run an "application" that is already installed on the machine. It also seems reasonable that an implemention could refuse to execute code located in the user's home directory.

Re:Yup, part of the PDF spec

[MagicM]

You're right. There's a big difference between running a program that already exists on the User's computer after getting approval to do so, and running arbitrary code embedded in the PDF after showing the user an arbitrary message.

Re:Yup, part of the PDF spec

You're right. There's a big difference between running a program that already exists on the User's computer after getting approval to do so, and running arbitrary code embedded in the PDF after showing the user an arbitrary message.

The exploit does something in between: it runs its choice of program residing on your computer after displaying a misleading warning dialog whose content it controls.

Invoking a command shell or a delete or upload program or something else more imaginative already on your computer can still do plenty of damage.

Re:Yup, part of the PDF spec

I don't understand why Adobe are making the same, old mistakes all over again. Way, way back in the 1990s when Display Postscript (Adobe) came out on NeXT workstations it had lots of operators to do file manipulations and other system operations. While nice as features, people quickly realized this was a terrible security hole. It became standard practice to always disable these operators in whatever context a Postscript file was being displayed in (basically you nulled them out), especially if the files might be received from elsewhere (e.g., in e-mail) because it meant that a Postscript file could theoretically do whatever it wanted with the privileges of the user.

Here we are more than a decade later and they put the same kind of flaws in the PDF format specification while knowing and hoping that PDF would be extensively used for exchange of files over the network. What in !#%!%$! were they thinking by having this feature turned on by default? I'd understand if this was a new type of flaw, but it categorically isn't. They've seen this exact issue before in one of their own products but obviously forgotten about it. It's pathetic.

Old news. I got hacked 4 weeks ago by one of these

[St.Creed]

I was reading a technical forum (used by a few dozen people, I'm in a niche market) with Chrome, when a PDF popped up containing nonsense text.

Ofcourse I wasn't happy about it, so I contacted the owner of the site and scanned my laptop with McAfee's antivirus. Didn't find anything, but 2 weeks later I received a mail that my passwords had been reset for my own website because of suspicious activity. As it turned out, someone had installed a virus similar to the one that got me, on my contact page. Great.

This is with a laptop running Chrome, Windows Vista with UAC enabled, McAfee security suite. I didn't even get a warning.

I used Malwarebytes' Anti-malware to find and remove the stuff that got installed. At least, I'm hoping it got removed - but nothing is certain :P The strange thing is now, that when i need to access a fishy site I use Internet Explorer because it caught the drive-by download the next time I visited. Sort of a complete reversal of policy for me.

Anonymous Coward

Does anyone know if Sumatra PDF is vulnerable?

Re:Anonymous Coward

I'm sure someone knows.

Tried to read the article

[rewt66]

but it's a PDF...

Sumatra appears to be OK

[sbeener]

Sumatra appears to not support this "feature". Windows only sadly.

It's not a form-entry language...

[Jeffrey_Walsh+VA]

But it is a likely choice for those who have the pdf creation software, are familiar with using it, and want the flexibility of a single form that can be: printed blank and filled out on paper; filled out on screen then printed; or filled out and submitted online.

This isn't news..

This isn't new, hiding viruses in .pdf files have been going on for years, maybe even a full decade. I remember doing this with Subseven a long time ago. Nothing new.

So Sandboxie for my Web Browser and pdf files?

So Sandboxie for my Web Browser and pdf files?

!Exploit

[MikaelC]

Okay. So the PDF standard has the potential for launching external (or even embedded) files. In Adobe Reader this will create a warning dialog with the following text: "The file and its viewer application are set to be launched by this PDF file. The file may contain programs, macros, or viruses that could potentially harm your computer. Only open the file if you are sure it is safe. If this file was placed by a trusted person or program, you can click Open to view the file." That seems perfectly clear to me. There is really no reason to change this behavior. This is not an exploit.

Sumatra?

[mordejai]

Does anyone know if Sumatra PDF is vulnerable?

I stopped using Foxit because of its frequent crashes and annoying updater, and I only use Acrobat for printing.

Worst security flaw of the decade

[MobyDisk]

There is a command in the PDF language that says "execute the following command-line!" I thought having that ability in the scripting language was dumb. But it's actually available in the document description format? What possible purpose could that server? I don't want a message box added, or a security setting -- just remove that command entirely from the implementation!

How did this come about when they were designing the PDF format?
      "Let's make it support bold, italic, underline, and execute."
One of the above does not fit with the others.

Re:Worst security flaw of the decade

[thegrassyknowl]

"Let's make it support bold, italic, underline, and execute."
One of the above does not fit with the others.

Um... italic. That doesn't fit.

I have to laugh that Adobe touts PDF as a nice document exchange format that will exchange everywhere. I guess it's not too bad. PostScript was good too and there are many other open formats that could have been cross platform if someone had bothered to port the interpreter.

What good is including a "run this external program" in the spec when:

1. The user might not have said external program installed.
b. The external program might not run because the pesky user isn't running Windows.

How useful is that!

How is this new??

[Stan92057]

How is this new?? Since he couldn't find a vulnerability he just uses an old one and uses social engineering as the final key in,wow,just wow.

A better test file.

[DdJ]

Someone came up with a better test file, here:

http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf

The first test file contained code essentially saying "if you're on a windows box, run cmd.exe". This one says "if you're on windows, run calc.exe, and if you're on Unix, run xcalc, and if you're on MacOS, run Calculator.app". So regardless of platform, if you load this PDF and see a calculator come up, well, you've learned something.

As it happens, the PDF also contains real content that describes expected behaviors with a couple of readers. Apple's "Preview" isn't vulnerable because it doesn't implement the /Launch command at all! But Adobe's reader on MacOS is vulnerable.

Re:A better test file.

[woodsworth]

Apple's "Preview" isn't vulnerable because it doesn't implement the /Launch command at all! But Adobe's reader on MacOS is vulnerable.

Somehow, I always knew it was a good idea to refuse installing any other PDF reader on my Mac...

Re:A better test file.

[Tim+C]

Windows XP, Adobe Reader 8; clicking on that link I get an error popup (not a warning) and no calculator.

The original proof of concept PDF does give me the expected warning.

Re:A better test file.

[Voltageaav]

Funny, noscript blocked the whole thing for me.

Re:A better test file.

[F.Ultra]

Didn't work with Document Viewer in Ubuntu, but then it uses poppler which according to the document does not support the "launch" command. I hope poppler never implements it :)

Re:A better test file.

[John+Hasler]

Doesn't work on Debian/Sid with Iceweasel (Firefox) 3.5.6 and xpdf 3.02.

Re:A better test file.

[dr2chase]

Skim.app (1.3.5) also fails to implement the /Launch command. Yay!

Re:A better test file.

[OnlyJedi]

Tried it on my Mac running Snow Leopard. Using Preview, nothing happened. Same thing with the Firefox PDF Plugin.
Using Adobe Reader, I got a warning that the pdf "...may contain programs, macros, or viruses that could potentially harm [my] computer." In the dialog was a list of files/programs (i.e. Calculator.app) that the pdf wanted to open. Clicking "open" launched Calculator.app, clicking "do not open" just opened the pdf without launching any external programs.
In sum, yes this is a security problem, especially if someone clicks the "do not warn again" check box to disable warnings. But it isn't so critical that I'm rushing to remove Reader from my own computer. Now, for the average user that clicks OK blindly without reading the dialog box....

Re:A better test file.

I just opened this test-file with SumatraPDF (on Windows XP) and it seems like it isn't affected.

Re:A better test file.

[GF678]

Windows 7 Enterprise 64-bit with UAC entirely disabled, Adobe Reader 9.3, file opens with no warning and no calc.exe.

Re:A better test file.

Win XP, Firefox 3.6 Adobe 9.1

Document opens fine in a Firefox tab, but no popup.

I checked my settings (Page Display Preferences > Trust Manager).

I do not have the box checked that says "Allow opening of non-PDF file attachments with external applications".

You shouldn't either.

Re:A better test file.

[Stray7Xi]

WinXP, FoxIT (in sandboxie):
No warning, got the calc popup (still within sandbox)

Scary stuff, noscript blocks pdf's for me but I'll be more careful with whitelisting until this is fixed. It's always been a good rule of thumb to never open untrusted PDF's. I think this weekend I'll configure my firefox to run in sandbox by default.

Re:A better test file.

[OverTheGeicoE]

I tried it in Linux using Evince and saw no xcalc, even though my system has it. According to the text of the PDF, poppler (which is used by Evince) doesn't support the Launch command used in this exploit. Conclusions about the relative security of Linux and Windows are left as an exercise for the reader.

Re:A better test file.

[dissy]

Windows 7 64bit Enterprise, UAC enabled.

Using IE 8 with adobe plugin, calc opens but running in the sandbox.

Here in firefox with foxit, noscript first caught it, but then i allowed it and calc opened with no warnings or anything and it is running in my user account.

This is so horribly bad.

Re:A better test file.

[Culture20]

pdfedit and pdfcube with Ubuntu 9.10 also appear to be immune (also tested evince and xpdf). pdfedit should get an honorable mention for clearly showing the commands in the edit fields

Re:A better test file.

[mrmeval]

Does not work with xpdf though some sort of window does pop up.

Re:A better test file.

[adolf]

Tried it in Windows 7 x64, with some recent version of Adobe Reader. The PDF opened fine, but there no popup, nor any calculator.

The example posted a few threads up worked fine, though, and was successful at launching cmd.exe, after prompting me that it would do so.

Re:A better test file.

[megabunny]

OK, I bit.

I have xcalc and it runs from a command line fine. But not from this PDF.

Document Viewer 2.26.1
using poppler 0.15.5 cairo
from evince.

)P
MB

Re:A better test file.

[lahvak]

Tried it with Adobe Reader 9 on OpenSUSE 11.1. I got a popup with a very clear warning that the reader is about to open a file that can damage my computer blah blah blah, it even said which file it is, and asked if I want to open it or cancel. After selecting "Open", it did not actually open the file, it offered to save it instead.

I don't have any problem with this, as long as it is not possible to bypass the warning somehow.

I have used the "Launch" functionality in Adobe Reader before, the TeXLive installer is actually a PDF file, that contains instructions for installation, and buttons that launch the actual installer programs.

Re:A better test file.

[perryizgr8]

noscript blocks you from downloading files?

Re:A better test file.

[rwiggers]

Just adding, tested it on windows, firefox and adobe reader plugin.
If opened by the plugin, nothing is done. I need to save the file and open it from the file system.

screenshots of messages

[0232793]

see http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ for more information and screenshots

Management breakdown at Adobe?

[Futurepower(R)]

"... competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?"

There seems to be a social breakdown at Adobe. There are a lot of issues that aren't being managed well. For example, we bought Adobe Creative Suite 3 (before CS4 was released). The CD had an old version. To get the newest version it was necessary to download a 320 Megabyte file, on the same week that Adobe shipped the CD.

The new Acrobat takes longer to make .PDF files than the older versions. When we talked to people at Adobe about that, we got evasive replies.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Old news. I got hacked 4 weeks ago by one of th

[T+Murphy]

The strange thing is now, that when i need to access a fishy site I use Internet Explorer because it caught the drive-by download the next time I visited. Sort of a complete reversal of policy for me.

That's because to attack a Chrome user's system, you have to find a way to circumvent security. With IE, you can pop up a message "This program will steal your computer, continue?" and the user will run the malware to make the message go away.

NB: this is just a lame joke, I mean no harm.

What about the alternative alternatives?

[selven]

Are Evince, Okular and the like vulnerable, or do they not implement the full PDF standard that is being exploited here?

In other news...

[Dupedupeshakur]

...with a bit of clever social engineering I can get you to open my malware executable directly.

Only a warning?

[Spykk]

With Adobe Reader, the only thing preventing execution is a warning.

The only thing preventing your browser from executing a binary executable is a warning.

Re:Only a warning?

[Onymous+Coward]

Though this warning could be more forcefully worded, and not subject to equivocation / showing-up by the perpetrator's text.

http://didierstevens.files.wordpress.com/2010/03/20100329-211313.png

Re:Only a warning?

That, yes, and also the fact that my browser doesn't execute downloaded binaries in the first place.

Choose better software.

Evince to the rescue

[ghee22]

Evince does not open cmd.exe. Evince runs on Windows.

Re:Old news. I got hacked 4 weeks ago by one of th

If you got nailed by the PDF, IE vs chrome should be irrelevant. Once the PDF is handed off to the external viewer, the browser stops having anything to do with it.

Docu-Track.com's PDF-Xchange Viewer warns

[Fencepost]

I use Docu-Track.com's PDF-Xchange viewer as the default PDF app (including embedded in browser) and it warns that the PDF is attempting to run a program.

always the same thing ...

[jobst]

Microsoft, Adobe etc are all guilty of this, they create applications, they add some useful and lots of not so useful stuff, they turn on all features by default and then system administrator run around like mad to fix security holes, disable features, explain to users that that "oh so good feature" is bad, patch, update instead of doing work that would make some dollars.

Re:always the same thing ...

[perryizgr8]

Microsoft, Adobe etc are all guilty of this, they create applications, they add some useful and lots of not so useful stuff, they turn on all features by default and then system administrator run around like mad to fix security holes, disable features, explain to users that that "oh so good feature" is bad, patch, update instead of doing work that would make some dollars.

you forgot itunes

Metasploit

[supernothing]

has had this functionality for months now...
http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe

Now, it's entirely possible that he found this on his own. But it's not exactly a new development...

Also, before anyone goes and claims to have found a way to get Java applets to execute arbitrary code as well:
http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/browser/java_signed_applet.rb

doesn't work with KPDF, eVince, GhostView

[KWTm]

I verified that Acrobat Reader on Linux has this vulnerability, but none of KPDF, eVince, or GhostView have this flaw, probably because they all derive from the Poppler library. (So does Okular but I haven't tested it.)

What kind of dumb PDF keyword is "Launch" anyway? Why would anyone implement such a feature? That's almost as retarded as Microsoft's "Your Email Reader Will Launch Any Software On Command" Outlook feature, way back when we were telling all the non-geeks that there is no such thing as an email virus and "Good Times" is a hoax. Good job, Adobe. What's next in your newest PDF spec, the Format Hard Drive feature?

PDF-XChange Viewer

[khaledh]

Another alternative to Adobe Reader and Foxit Reader is PDF-XChange Viewer:

http://www.docu-track.com/product/pdf-xchange-viewer

It behaves like Adobe Reader in that it shows you a warning, unlike Foxit. Given this fact I recommend switching to it from Foxit (at least for the time being).

It's lightweight, fast, and has lots of nice features. It even allows you to save filled forms!

Re:No *buggy* executable required?

[algormortis]

It means "exploit" a reader as in "take advantage of a bug in", not "make use of in any way".

In other words, a perfectly coded pdf reader with zero bugs whatsoever would still be vulnerable..

You contradicted yourself from one sentence to the next. I'm not trying to be a Grammar Nazi here, I'm just honestly wondering if it was intentional, because the only thing I've gathered from your comment is "don't use Foxit." The rest doesn't make much sense.

Obligatory Adobe Story

[bmajik]

So I work for Microsoft.. most hated software company, right?

Not always, apparently. Thanks to competition like Adobe, we're going to have to up our game.

Without going into too many details, a friend of mine was a Microsoft developer that was in a position where he was trading email with an extenal ISV as part of a formal MS program. So there was this stream of question and answer emails between them about how to use what we were working on to address this ISV's particular business problems. Anyway, at the end of one of this ISV's emails back to us, he says

"PS: Can you guys somehow crush Adobe Corporation? I honesly and truly hate them."

So there you go. That day, we lost. Adobe was the more hated company. We resolved to work harder to be #1 again.

Works for Foxit 3.0 as well

[justthinkit]

I found two occurences of "Launch" and changed both and Foxit 3.0 fired up and read PDFs just fine.

Re:Old news. I got hacked 4 weeks ago by one of th

[St.Creed]

IE doesn't hand off the PDF to the viewer just without asking. Chrome does. That's in this case the difference between "download?? what download? CANCEL" or "what just happened on my screen? OMG!".

Doesn't work in Evince PDF reader...

Doesn't work on Linux and on Windows - and yes, Evince runs on Windows

Adobe Fix

Heres the registry keys to fix this issue for Reader, Standard and Pro
for both versiond 8 and 9.

Enjoy.

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\Originals
Name: bAllowOpenFile
Type: REG_DWORD
Data: 0

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\Originals
Name: bSecureOpenFile
Type: REG_DWORD
Data: 1

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bAllowOpenFile
Type: REG_DWORD
Data: 0

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bSecureOpenFile
Type: REG_DWORD
Data: 1

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Originals
Name: bAllowOpenFile
Type: REG_DWORD
Data: 0

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Originals
Name: bSecureOpenFile
Type: REG_DWORD
Data: 1

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\Originals
Name: bAllowOpenFile
Type: REG_DWORD
Data: 0

HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\Originals
Name: bSecureOpenFile
Type: REG_DWORD
Data: 1