Slashdot Mirror


New Method Could Hide Malware In PDFs, No Further Exploits Needed

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

20 of 234 comments

  1. Re:PDF-XChange by Anonymous Coward · · Score: 1, Informative

    *reads the article* It sounds like it'll run automatically with no warning in Foxit.

    So. Not sure if the alternatives even stop this since it's not an exploit in the pdf reader but an exploit in the PDF file type or something. He gets it to run code somehow anyway.

  2. Re:Sad by amicusNYCL · · Score: 4, Informative

    That fact made me uninstall Foxit for now at least.

    You shouldn't have to wait long.

    http://forums.foxitsoftware.com/showthread.php?t=18029

    this issue has been confirmed, and a maintenance version will be released within this week.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  3. Adobe misfeature by Animats · · Score: 2, Informative

    Explanation

    Video

    Demo PDF file (as .zip)

    PDF apparently has (stupidly) a capability to launch an executable program which is run when the PDF file is opened. There's a warning message. All the exploit does is put in some text like "To view the encrypted message in this PDF document, select 'Do not show this message again' and click the Open button." into the warning dialog box.

    Incidentally, SumatraPDF doesn't do this, but that seems to be a bug; the test file produces "Synchronization file cannot be opened".

  4. Seriously, just uninstall Reader already. by DrEldarion · · Score: 2, Informative

    For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

    Easy replacement:
    1) Install Google Chrome
    2) Install this extension which opens up all PDFs in Google Docs.
    3) Enjoy your new, safe browsing and PDF-viewing environment.

    1. Re:Seriously, just uninstall Reader already. by evilviper · · Score: 2, Informative

      For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

      While I still highly recommend any of the alternatives, I've seen several cases where websites are checking for that specific plug-in, and will not make any attempt to display the PDF, or offer any alternative links to the document, if Reader is not detected. Of course if more people dropped Adobe's crap, this would cease to be an acceptable way to display PDFs, but it should at least be noted that you might find just a few dark corners where the alternatives won't work for you.

      And let me take a moment to rant on about what a dog Acrobat Reader is. I've seen innumerable systems that had plenty of free memory, UNTIL Reader started up, and grabbed a fricking half GB, and caused serious system swapping. Replacing Reader with XPDF always brings the very same system from dog slow, to lightning fast...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  5. Re:Sad by Romancer · · Score: 4, Informative

    From the author:

    "My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn't run. But that's probably due to some variation in the PDF language supported by Foxit Reader."

    Not really a proof of concept, since the proof doesn't actually run the code currently. Not that it couldn't, but there's no proof that Foxit is less secure since it doesn't actually run the code.

    --
    ) Human Kind Vs Human Creation
    ) It'd be interesting to see how many humans would survive to serve us.
  6. Re:No *buggy* executable required? by Chris+Burke · · Score: 2, Informative

    It means "exploit" a reader as in "take advantage of a bug in", not "make use of in any way". In other words, a perfectly coded PDF reader with zero bugs whatsoever would still be vulnerable. So the answer to "which executables" is "All of them." At least if they're implemented correctly, which is a very different circumstance than usual and worth making note of.

    By your usage of exploit, then they'd have to say this: "This method exploits a PDF reader, a computer operating system, a computer, the electrical grid, the planet earth and its star, Sol, and the laws of physics."

    Oh but it does make some difference which reader you are using. Some throw up a warning dialogue (whose content can apparently be controlled to an extent) and at least one doesn't. Foxit is apparently a reader you should avoid.

    --
    The enemies of Democracy are
  7. Re:Sad by Spad · · Score: 3, Informative

    http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/

    He got it working in Foxit pretty quickly after the first post about the PoC.

  8. Old news. I got hacked 4 weeks ago by one of these by St.Creed · · Score: 4, Informative

    I was reading a technical forum (used by a few dozen people, I'm in a niche market) with Chrome, when a PDF popped up containing nonsense text.

    Of course I wasn't happy about it, so I contacted the owner of the site and scanned my laptop with McAfee's antivirus. Didn't find anything, but 2 weeks later I received a mail that my passwords had been reset for my own website because of suspicious activity. As it turned out, someone had installed a virus similar to the one that got me, on my contact page. Great.

    This is with a laptop running Chrome, Windows Vista with UAC enabled, McAfee security suite. I didn't even get a warning.

    I used Malwarebytes' Anti-Malware to find and remove the stuff that got installed. At least, I'm hoping it got removed - but nothing is certain :P The strange thing is now that when I need to access a fishy site I use Internet Explorer, because it caught the drive-by download the next time I visited. Sort of a complete reversal of policy for me.

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  9. Re:With Foxit Reader by Anonymous Coward · · Score: 0, Informative

    From TFA:

    "In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn't run. But that's probably due to some variation in the PDF language supported by Foxit Reader."

    So apparently it *DOESN'T* "just run". Yet, at least.

  10. Re:further proof D. Knuth was right by Chyeld · · Score: 2, Informative

    PDF is the evolved form of PostScript - http://en.wikipedia.org/wiki/PostScript and at the time PS came out, it wasn't that bad of an idea, especially since it enabled us to actually print IMAGES.

    Unfortunately, feature creep set in and instead of creating a language actually meant for publishing and sharing documents, Adobe just reimplemented PS in PDF and glossed over the fact that they were using an elephant gun to shoot a mosquito. This is coming back around to bite them in the butt. But the actual origins of the language weren't as boneheaded as you make them out to be.

  11. Re:Sad by Pentium100 · · Score: 5, Informative

    Also the first comment there says how you can hex edit the .exe to disable this "feature".

    If you can live without the /Launch functionality (I can!), edit the executable:

    - search for “^@Launch^@” (^@ == null byte, file offset 7040965 in 3.13.1030) in Foxit Reader.exe,

    - change it to e.g. “L!unch” (no quotes),

    - save AS BINARY,

    done.

    Comment by Thomas — Wednesday 31 March 2010 @ 12:20

  12. A better test file. by DdJ · · Score: 4, Informative

    Someone came up with a better test file, here:

    http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf

    The first test file contained code essentially saying "if you're on a windows box, run cmd.exe". This one says "if you're on windows, run calc.exe, and if you're on Unix, run xcalc, and if you're on MacOS, run Calculator.app". So regardless of platform, if you load this PDF and see a calculator come up, well, you've learned something.

    As it happens, the PDF also contains real content that describes expected behaviors with a couple of readers. Apple's "Preview" isn't vulnerable because it doesn't implement the /Launch command at all! But Adobe's reader on MacOS is vulnerable.

  13. Re:Sad by aardwolf64 · · Score: 2, Informative

    Ummm... Adobe already warns you about it. So less than zero days.

  14. screenshots of messages by 0232793 · · Score: 2, Informative

    see http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ for more information and screenshots

  15. Re:PDF-XChange by 99BottlesOfBeerInMyF · · Score: 2, Informative

    Yes, that is the summary of what it does, but the spec I'm reading (1.5) says it is to be implemented via a URI, not by calling a specific application. That is to say, hand the URI for a .exe file to the OS and let it decide what is registered to open it. The spec lists the variable type as "File", which in turn requires a URI and a file location. The only option listed is a new window or not a new window. So if they implemented "Launch" to launch a specific application, it looks like a violation of the spec, or at the very least something not included in the spec.

    Of course if Adobe goes beyond the spec it is easy to see why sometimes third parties copy them for compatibility.
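    Comments 12 and 15 between them describe everything a defender needs to triage this: a Launch action is a dictionary with /S /Launch, a file specification under /F (or per-platform /Win, /Unix and /Mac sub-dictionaries, as in the calc.pdf test file), an optional /NewWindow flag, and it fires on open when the catalog's /OpenAction points at it. The scanner below is an added example, not code from the thread or from Didier Stevens's PoC; the embedded PDF is constructed here purely as test input and is not the linked calc.pdf. The key names are the ones named in the thread plus /P (the Windows parameter string) from the same PDF specification; the #xx name-escape handling is an assumption about how a scanner should normalise names before matching, since the spec allows /L#61unch to mean /Launch.

```python
"""Triage scanner for PDF /Launch actions (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed minimal PDF: the catalog's /OpenAction fires a Launch action that
# carries per-platform targets, mirroring what the thread says calc.pdf does.
# This is test input for the scanner, not the file linked above.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /Launch /NewWindow true
   /Win << /F (calc.exe) /P (example-args) >>
   /Unix << /F (xcalc) >>
   /Mac << /F (/Applications/Calculator.app) >>
>>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")      # a PDF name: slash + regular chars
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")       # #xx hex escape inside a name
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
OPEN_ACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+(\d+)\s+R\b")
PLATFORMS = (b"Win", b"Mac", b"Unix")                 # Launch sub-dictionaries per OS


def decode_pdf_names(data: bytes) -> bytes:
    """Resolve #xx escapes in name tokens so /L#61unch matches as /Launch.
    Only #xx sequences following a slash are rewritten; good enough for triage."""
    def fix(m):
        return NAME_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME_TOKEN.sub(fix, data)


def _literal_string(body: bytes, key: bytes) -> str:
    """Return the literal string (...) following /key in body, or '' if absent.
    Escaped parentheses and hex strings <...> are not handled (triage only)."""
    m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", body)
    return m.group(1).decode("latin-1") if m else ""


def find_launch_actions(data: bytes) -> List[Dict]:
    """One finding per object carrying /S /Launch: its per-platform targets,
    the /NewWindow flag, Windows parameters, and whether /OpenAction fires it."""
    data = decode_pdf_names(data)
    auto = {(m.group(1), m.group(2)) for m in OPEN_ACTION_RE.finditer(data)}
    findings = []
    for num, gen, body in OBJ_RE.findall(data):
        if not re.search(rb"/S\s*/Launch\b", body):
            continue
        targets: Dict[str, str] = {}
        remainder = body
        for plat in PLATFORMS:
            sub = re.search(rb"/" + plat + rb"\s*<<(.*?)>>", body, re.DOTALL)
            if sub:
                targets[plat.decode()] = _literal_string(sub.group(1), b"F")
                remainder = remainder.replace(sub.group(0), b"")  # keep generic /F separate
        generic = _literal_string(remainder, b"F")  # platform-independent file spec
        if generic:
            targets["Any"] = generic
        win = re.search(rb"/Win\s*<<(.*?)>>", body, re.DOTALL)
        nw = re.search(rb"/NewWindow\s+(true|false)", body)
        findings.append({
            "object": f"{num.decode()} {gen.decode()}",
            "auto_run": (num, gen) in auto,          # referenced by the catalog's /OpenAction
            "new_window": bool(nw and nw.group(1) == b"true"),
            "targets": targets,
            "win_params": _literal_string(win.group(1), b"P") if win else "",
        })
    return findings


def scan_file(path: str) -> List[Dict]:
    """Convenience wrapper for scanning a PDF on disk."""
    with open(path, "rb") as fh:
        return find_launch_actions(fh.read())


if __name__ == "__main__":
    for f in find_launch_actions(SAMPLE_PDF):
        trigger = "fires on open" if f["auto_run"] else "needs a user action"
        print(f"obj {f['object']}: /Launch {trigger}, targets={f['targets']}")
```

This is a text-level triage check, not a PDF parser: it will not see a Launch action that sits inside a compressed object stream or whose target is given as a hex string, so a clean result is not a clean bill of health, while a hit on /S /Launch reachable from /OpenAction is worth quarantining before any reader, warning dialog or not, gets to open the file.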

  16. Re:Sad by causality · · Score: 3, Informative

    I'm behind the times. Isn't the PDF format a document format, that contains only document markup and layout info? When did it start being able to have embedded code?

    Ever since Adobe perfected the basic PDF functionality and needed to keep adding features. Whether they are frills or not, whether they depart from the purpose of PDF or not, Adobe has to do this to justify its marketing. They want their customers to have reasons to keep wanting the latest version. Feature creep, in other words.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  17. Re:PDF-XChange by HiThere · · Score: 2, Informative

    PDF is basically a specialized subset of Forth. Unlike Postscript, it was presumed to be safe. This, however, may show otherwise.

    Postscript is essentially a specialized dialect (not subset) of Forth. It is clearly Turing complete, so a Postscript program might do nearly anything. PDF had been presumed to have been safely neutered. This calls that into question.

    P.S.: No, I didn't read the original article. This is all basic background stuff, with a few of my speculations about what this "exploit" means. I tried to indicate where I was speculating.

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
  18. Re:*nix vulnerable too? by Dak+RIT · · Score: 3, Informative

    It can, although it doesn't mean that Mac and Linux are just as vulnerable as Windows.

    If you download this proof of concept which works on Linux, Windows and Mac:
    http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf

    you'll discover that although it works in Acrobat Reader on the Mac, the Mac Preview application, which I would hazard is used to open the vast majority of PDFs on Macs, does not support /Launch and thus isn't vulnerable to the attack.

  19. Re:*nix vulnerable too? by the_womble · · Score: 2, Informative

    Okular and Evince on Linux also do not seem to support /Launch, and they are far more widely used than Acrobat Reader on Linux.