Slashdot Mirror


New Method Could Hide Malware In PDFs, No Further Exploits Needed

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

57 of 234 comments

  1. Re:PDF-XChange by abigor · · Score: 3, Funny

    Do you always refer to yourself with the royal "we"?

  2. Re:PDF-XChange by Monkeedude1212 · · Score: 2, Interesting

    He says that it works in other PDF Readers (well he mentioned one, Foxit) - because he's not exploiting a vulnerability in any of the applications, but the PDF Language itself.

    So, chances are, you are just as vulnerable. He also said he reported it to Adobe, without releasing his proof of concept to the public - so we'll see what comes out of it.

    It might just end up that Adobe products become more secure for reading PDFs than the others, and Adobe then has an upper hand.

    [tinfoil speculation]
    And if that's the case, why would they inform other PDF Readers? And unless the proof of concept is made public, how do we know there is actually a vulnerability besides the word of this hacker and Adobe?
    [/tinfoil speculation]

  3. With Foxit Reader by wiredog · · Score: 5, Interesting

    There's no warning at all. It just runs.

  4. Re:Sad by sopssa · · Score: 5, Insightful

    But for once Adobe is actually more secure than the better alternative Foxit. Adobe PDF Reader at least warns and asks your permission to run the file, but Fox It does neither one but just happily runs it. That fact made me uninstall Foxit for now at least.

  5. further proof D. Knuth was right by Anonymous Coward · · Score: 5, Insightful

    Who the hell thought it was a good idea to have dynamic content in a document description language?

    Notice you never hear about exploits-of-the-week like this for LaTeX !

    1. Re:further proof D. Knuth was right by TheRaven64 · · Score: 5, Insightful

      I can't decide if you're trying to be ironic, but there are no 'vulnerabilities' in LaTeX because the ability to interact with files and run arbitrary programs are part of the language. The reason LaTeX isn't often exploited is that it is very rare to run LaTeX programs from untrusted sources; you distribute the output from the program, not the program itself.

      On a slightly different topic, is there a competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?

      --
      I am TheRaven on Soylent News
    2. Re:further proof D. Knuth was right by Chyeld · · Score: 2, Informative

      PDF is the evolved form of PostScript - http://en.wikipedia.org/wiki/PostScript and at the time PS came out, it wasn't that bad of an idea, especially since it enabled us to actually print IMAGES.

      Unfortunately, feature creep set in and instead of creating a language actually meant for publishing and sharing documents, Adobe just reimplemented PS in PDF and glossed over the fact that they were using an elephant gun to shoot mosquito. This is coming back around to bite them in their butt. But the actual origins of the language weren't as boneheaded as you make them out to be.

    3. Re:further proof D. Knuth was right by jirka · · Score: 2, Insightful

      Why don't you compile the following document with "tex --shell-escape" as root

      \write18{rm -fR /}

    4. Re:further proof D. Knuth was right by pclminion · · Score: 3, Interesting

      PDF has some superficial syntactic similarities to PostScript. Beyond that, it is not at all like PostScript. The reason the content stream language of PDF is PostScript-like is because it made it easy to print PDF by simply blowing the content stream out as PostScript, accompanied by the appropriate ProcSets. Such usage is deprecated these days -- ProcSets are no longer required to be declared, and modern PDFs can't be printed by blowing the content stream directly to the printer any more.

      Even in the areas where PDF looks like PostScript, it's fundamentally different. There is no operand stack. There are no control flow operators. If you start trying to create a PDF under the impression that it's just like PostScript, you'll fail miserably.

  6. Re:Sad by amicusNYCL · · Score: 4, Informative

    That fact made me uninstall Foxit for now at least.

    You shouldn't have to wait long.

    http://forums.foxitsoftware.com/showthread.php?t=18029

    this issue has been confirmed, and a maintenance version will be released within this week.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  7. "This cannot be patched" by Manip · · Score: 4, Insightful

    "This cannot be patch because it isn't a vulnerability." Uhh yes it can, and sure it is. There are millions of bugs that were entirely by design and the designs adapted to eliminate them. I will grant that they might have to break the PDF spec' to fix it but frankly it is the right thing to do for everyone concerned.

    1. Re:"This cannot be patched" by Applekid · · Score: 2, Insightful

      Exactly. To execute code, at some point, the reader is branching into data created or loaded by the pdf. When is that ever a good idea? If it's part of the PDF spec then it's a pretty good part to break compatibility with.

      --
      More Twoson than Cupertino
    2. Re:"This cannot be patched" by plover · · Score: 2, Insightful

      One man's feature is another man's defect.

      In the case of security "features", one man's feature is EVERYONE's defect.

      --
      John
  8. Clever social engineering... by Chris Burke · · Score: 2, Interesting

    You open the .pdf. On page 1 you see: "Hey you! Close this file, rename it to end with '.exe', and then double click it! There's, uh, boobs! Yeah lots of boobies."

    Okay so that's not entirely accurate, and at least one .pdf reader requires no social engineering at all other than getting them to open the pdf itself. Why would you make it so that you can't (normally) embed executables in the .pdf, but then allow .pdfs to launch arbitrary commands?

    --

    The enemies of Democracy are
    1. Re:Clever social engineering... by T Murphy · · Score: 5, Funny

      The guys at Adobe heard about oscilloscopes with hidden games on them, and Word's flight simulator, so they incorporated "features" so they could make an easter egg of their own. They never got around to that easter egg, so now lots of people are kindly lending them a hand at it.

    2. Re:Clever social engineering... by idontgno · · Score: 2, Insightful

      If you design a sharp blade into an out-of-the-way spot of a hammer, don't be upset if you get cut while driving nails.

      Not every tool is proper for every job. Using PDF as a general-purpose computing language is either mistaken or willfully stupid.

      PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action. Its vocabulary of actions and action subjects should be limited...to just PDFs. Interpreted entirely internally.

      Any use case that involves running external programs from within the PDF interpreter is a broken use case, caused by misapplying a tool for a purpose it's not properly intended for.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:Clever social engineering... by StoatBringer · · Score: 4, Insightful
      PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action.

      You've never dealt with a marketing department, clearly.

      "Hey, you know what would be cool? What if PDF documents could also play videos?"
      "Um.. well, it's technically possible but I don't think that-"
      "Great! WE MUST HAVE THIS FEATURE! NOW! DROP EVERYTHING AND GET TO IT!"

      --
      Cress, cress, lovely lovely cress
  9. Re:PDF-XChange by the_humeister · · Score: 2, Interesting

    Each of us is composed of trillions of eukaryotic cells and even more bacterial cells. Thus, we think it appropriate to use "we" when speaking for us.

  10. *nix vulnerable too? by cpuh0g · · Score: 3, Interesting

    What happens on *nix versions of Adobe Reader - OS/X, Solaris, Linux, etc?

    1. Re:*nix vulnerable too? by Onymous Coward · · Score: 3, Interesting

      /OpenAction <<
         /F <<
           /DOS (C:\\\\WINDOWS\\\\system32\\\\calc.exe)
           /Unix (/usr/X11R6/bin/xcalc)
           /Mac (/Applications/Calculator.app)
           /TheAnswerIs (yeah\\\\i/think\\\\so)
         >>
         /S /Launch
      >>

    2. Re:*nix vulnerable too? by Dak RIT · · Score: 3, Informative

      It can, although it doesn't mean that Mac and Linux are just as vulnerable as Windows.

      If you download this proof of concept which works on Linux, Windows and Mac:
      http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf

      you'll discover that although it works in Acrobat Reader on the Mac, the Mac Preview application, which I would hazard is used to open the vast majority of PDFs on Macs, does not support /Launch and thus isn't vulnerable to the attack.

    3. Re:*nix vulnerable too? by the_womble · · Score: 2, Informative

      Okular and Evince on Linux also do not seem to support /Launch, and they are far more widely used than Acrobat Reader on Linux.

  11. Re:PDF-XChange by idontgno · · Score: 3, Funny

    I'm pretty sure a substantial minority of your eukaryotes actually prefer Adobe products.

    The "we" you're using is just your corporeal ruling elite talking, Man! It's just another example of your neurons keepin' your connective cells and fat tissue down!

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  12. Adobe misfeature by Animats · · Score: 2, Informative

    Explanation

    Video

    Demo PDF file (as .zip)

    PDF apparently has (stupidly) a capability to launch an executable program which is run when the PDF file is opened. There's a warning message. All the exploit does is put in some text like "To view the encrypted message in this PDF document, select "Do not show this message again" and click the Open button." into the warning dialog box.

    Incidentally, SumatraPDF doesn't do this, but that seems to be a bug; the test file produces "Synchronization file cannot be opened".

  13. Re:Sad by c-reus · · Score: 3, Insightful

    Of course, the average user is known to thoroughly read the warnings and definitely will not click "OK, just get this thing out of my face" within half a second after the dialog box has finished rendering.

  14. Hey Google, integrate this too! by Graham J - XVI · · Score: 2, Funny

    Chrome integration of one buggy plugin deserves another, right?

  15. Seriously, just uninstall Reader already. by DrEldarion · · Score: 2, Informative

    For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

    Easy replacement:
    1) Install Google Chrome
    2) Install this extension which opens up all PDFs in Google Docs.
    3) Enjoy your new, safe browsing and PDF-viewing environment.

    1. Re:Seriously, just uninstall Reader already. by Anonymous Coward · · Score: 2, Insightful

      Yeah, because Google doesn't have enough of your info already.

    2. Re:Seriously, just uninstall Reader already. by misterooga · · Score: 2, Insightful

      With the google doc extension, don't you need to be online? Also, that's assuming you don't mind google caching on the pdf you're opening, right?

    3. Re:Seriously, just uninstall Reader already. by evilviper · · Score: 2, Informative

      For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

      While I still highly recommend any of the alternatives, I've seen several cases where websites are checking for that specific plug-in, and will not make any attempt to display the PDF, or offer any alternative links to the document, if Reader is not detected. Of course if more people dropped Adobe's crap, this would cease to be an acceptable way to display PDFs, but it should at least be noted that you might find just a few dark corners where the alternatives won't work for you.

      And let me take a moment to rant on about what a dog Acrobat Reader is. I've seen innumerable systems that had plenty of free memory, UNTIL Reader started up, and grabbed a fricking half GB, and caused serious system swapping. Replacing Reader with XPDF always brings the very same system from dog slow, to lightning fast...

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  16. Re:Sad by Romancer · · Score: 4, Informative

    From the author:

    "My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn't run. But that's probably due to some variation in the PDF language supported by Foxit Reader."

    Not really a proof of concept since the proof doesn't actually run the code currently. Not that it couldn't but there's no proof that Foxit is less secure since it doesn't actually run the code.

    --


    ) Human Kind Vs Human Creation
    ) It'd be interesting to see how many humans would survive to serve us.
  17. Re:No *buggy* executable required? by Chris Burke · · Score: 2, Informative

    It means "exploit" a reader as in "take advantage of a bug in", not "make use of in any way". In other words, a perfectly coded pdf reader with zero bugs whatsoever would still be vulnerable. So the answer to which executables is "All of them." At least if they're implemented correctly, which is a very different circumstance than usual and worth making note of.

    By your usage of exploit, then they'd have to say this: "This method exploits a PDF reader, a computer operating system, a computer, the electrical grid, the planet earth and its star, Sol, and the laws of physics."

    Oh but it does make some difference which reader you are using. Some throw up a warning dialogue (whose content can apparently be controlled to an extent) and at least one doesn't. Foxit is apparently a reader you should avoid.

    --

    The enemies of Democracy are
  18. Re:PDF-XChange by natehoy · · Score: 3, Funny

    As Mark Twain once said, "Only kings, presidents, editors, and people with tapeworms have the right to use the editorial 'we.'"

    Peter does not appear to be a king, is unlikely to be a president, and he's probably not an editor...

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  19. Re:PDF-XChange by suomynonAyletamitlU · · Score: 4, Funny

    To be fair, my fatty tissue is an ass, and my connective tissues jerk me around all the time.

  20. Re:Sad by Spad · · Score: 3, Informative

    http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/

    He got it working in Foxit pretty quickly after the first post about the PoC.

  21. Yup, part of the PDF spec by MagicM · · Score: 2, Interesting

    If you're really a nerd, you'll want to scroll through the PDF Reference section 8.5 ("Actions"). Be careful though, as it may hurt a little.

    Instead of simply jumping to a destination in the document, an annotation or outline item can specify an action (PDF 1.1) for the viewer application to perform, such as launching an application, playing a sound, or changing an annotation's appearance state. [...] In addition, the optional OpenAction entry in a document's catalog (Section 3.6.1, "Document Catalog") may specify an action to be performed when the document is opened.

    It's actually very well-defined, and creating a document that implements this part of the specification should be trivial.
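
The /OpenAction /Launch dictionary quoted in comment 10.1 and the section 8.5 text above are exactly what a defender's scanner has to look for. Here is an added example (written for this thread, not code from the page, Adobe, or any reader) of a small Python detector that flags /Launch actions in raw PDF bytes, tells the ones hung off the catalog's /OpenAction (which fire on open) from ones attached elsewhere (which fire on click), and normalizes #xx-escaped names so a /Launch spelled /L#61unch is not missed. All function names are my own, and the sample documents are constructed object skeletons, not complete PDFs.

```python
import re

# Tokens of the PDF syntax the scanner needs (PDF Reference 3.2): names, the #xx
# escape inside names, indirect references ("4 0 R") and dictionary openers.
NAME_TOKEN = re.compile(rb"/([^\s/<>\[\]()%{}]*)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_REF = re.compile(rb"\s*(\d+)\s+(\d+)\s+R")
DICT_OPEN = re.compile(rb"\s*<<")

def normalize_name(raw: bytes) -> str:
    """Undo #xx escapes: the name syntax lets /L#61unch spell /Launch."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def dict_span(data: bytes, start: int) -> tuple:
    """(open, close) offsets of the first balanced << ... >> at or after start.
    Simplification: '<<' or '>>' inside a string literal is not skipped."""
    open_at = data.find(b"<<", start)
    if open_at < 0:
        return (-1, -1)
    depth, i = 0, open_at
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair == b"<<":
            depth += 1
        elif pair == b">>":
            depth -= 1
            if depth == 0:
                return (open_at, i + 2)
        i += 2 if pair in (b"<<", b">>") else 1
    return (open_at, len(data))

def openaction_spans(data: bytes) -> list:
    """Spans of every /OpenAction dict; an 'N G R' reference is followed to its object."""
    spans = []
    for m in NAME_TOKEN.finditer(data):
        if normalize_name(m.group(1)) != "OpenAction":
            continue
        ref = OBJ_REF.match(data, m.end())
        if ref:
            obj = re.search(rb"(?m)^%s\s+%s\s+obj" % (ref.group(1), ref.group(2)), data)
            if obj:
                spans.append(dict_span(data, obj.end()))
        elif DICT_OPEN.match(data, m.end()):
            spans.append(dict_span(data, m.end()))
    return spans

def find_launch_actions(data: bytes) -> list:
    """(offset, auto_open) for every /Launch name; auto_open means it sits inside /OpenAction."""
    opens = openaction_spans(data)
    return [(m.start(), any(a <= m.start() < b for a, b in opens))
            for m in NAME_TOKEN.finditer(data) if normalize_name(m.group(1)) == "Launch"]

def assess(data: bytes) -> str:
    """'launch-on-open' (runs when the file is opened), 'launch-on-click' or 'no-launch'."""
    found = find_launch_actions(data)
    if not found:
        return "no-launch"
    return "launch-on-open" if any(auto for _, auto in found) else "launch-on-click"

# Constructed samples: object skeletons only (no xref table or trailer), enough for a
# scanner but not loadable documents. The first mirrors the /OpenAction /Launch dict
# quoted in the thread, reached through an indirect reference from the catalog.
LAUNCH_ON_OPEN = b"""1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
4 0 obj
<< /S /Launch /F << /DOS (C:\\\\WINDOWS\\\\system32\\\\calc.exe) /Unix (/usr/X11R6/bin/xcalc) >> >>
endobj
"""
# The same action on a link annotation fires on click, not on open; its subtype is
# written with a #xx escape, which is why names are normalized before comparing.
LAUNCH_ON_CLICK = b"""5 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /L#61unch /F (calc.exe) >> >>
endobj
"""
# An /OpenAction that only jumps to a page: the legitimate use of the entry.
BENIGN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /GoTo /D [3 0 R /Fit] >> >>\nendobj\n"

if __name__ == "__main__":
    for label, doc in (("open", LAUNCH_ON_OPEN), ("click", LAUNCH_ON_CLICK), ("benign", BENIGN)):
        print(label, assess(doc), find_launch_actions(doc))
```

Run against a real file with `assess(open(path, "rb").read())`; anything reporting launch-on-open deserves quarantine before a user ever sees the reader's warning dialog.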

  22. Old news. I got hacked 4 weeks ago by one of these by St.Creed · · Score: 4, Informative

    I was reading a technical forum (used by a few dozen people, I'm in a niche market) with Chrome, when a PDF popped up containing nonsense text.

    Of course I wasn't happy about it, so I contacted the owner of the site and scanned my laptop with McAfee's antivirus. Didn't find anything, but 2 weeks later I received a mail that my passwords had been reset for my own website because of suspicious activity. As it turned out, someone had installed a virus similar to the one that got me, on my contact page. Great.

    This is with a laptop running Chrome, Windows Vista with UAC enabled, McAfee security suite. I didn't even get a warning.

    I used Malwarebytes' Anti-malware to find and remove the stuff that got installed. At least, I'm hoping it got removed - but nothing is certain :P The strange thing is now, that when I need to access a fishy site I use Internet Explorer because it caught the drive-by download the next time I visited. Sort of a complete reversal of policy for me.

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  23. Re:PDF-XChange by treeves · · Score: 3, Funny

    We recommend niclosamide or another anthelminthic for Pete.

    --
    ...the future crusty old bastards are already drinking the Kool-Aid.
  24. Re:Sad by Pentium100 · · Score: 5, Informative

    Also the first comment there says how you can hex edit the .exe to disable this "feature".

    If you can live without the /Launch functionality (I can!), edit the executable:

    - search for “^@Launch^@” (^@ == null byte, file offset 7040965 in 3.13.1030) in Foxit Reader.exe,

    - change it to e.g. “L!unch” (no quotes),

    - save AS BINARY,

    done.

    Comment by Thomas — Wednesday 31 March 2010 @ 12:20

  25. Worst security flaw of the decade by MobyDisk · · Score: 2, Funny

    There is a command in the PDF language that says "execute the following command-line!" I thought having that ability in the scripting language was dumb. But it's actually available in the document description format? What possible purpose could that serve? I don't want a message box added, or a security setting -- just remove that command entirely from the implementation!

    How did this come about when they were designing the PDF format?
          "Let's make it support bold, italic, underline, and execute."
    One of the above does not fit with the others.

  26. A better test file. by DdJ · · Score: 4, Informative

    Someone came up with a better test file, here:

    http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf

    The first test file contained code essentially saying "if you're on a windows box, run cmd.exe". This one says "if you're on windows, run calc.exe, and if you're on Unix, run xcalc, and if you're on MacOS, run Calculator.app". So regardless of platform, if you load this PDF and see a calculator come up, well, you've learned something.

    As it happens, the PDF also contains real content that describes expected behaviors with a couple of readers. Apple's "Preview" isn't vulnerable because it doesn't implement the /Launch command at all! But Adobe's reader on MacOS is vulnerable.

  27. Re:Sad by aardwolf64 · · Score: 2, Informative

    Ummm... Adobe already warns you about it. So less than zero days.

  28. screenshots of messages by 0232793 · · Score: 2, Informative

    see http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ for more information and screenshots

  29. Management breakdown at Adobe? by Futurepower(R) · · Score: 2, Interesting

    "... competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?"

    There seems to be a social breakdown at Adobe. There are a lot of issues that aren't being managed well. For example, we bought Adobe Creative Suite 3 (before CS4 was released). The CD had an old version. To get the newest version it was necessary to download a 320 Megabyte file, on the same week that Adobe shipped the CD.

    The new Acrobat takes longer to make .PDF files than the older versions. When we talked to people at Adobe about that, we got evasive replies.

  30. Re:PDF-XChange by 99BottlesOfBeerInMyF · · Score: 2, Informative

    Yes, that is the summary of what it does, but the spec I'm reading (1.5) says it is to be implemented via a URI, not call a specific application. That is to say, hand the URI for a .exe file to the OS and let it decide what is registered to open it. The spec lists the variable type as "File" which in turn requires URI and a file location. The only option listed is a new window or not a new window. So if they implemented "Launch" to launch a specific application, it looks like a violation of the spec, or at very least something not included in the spec.

    Of course if Adobe goes beyond the spec it is easy to see why sometimes third parties copy them for compatibility.

  31. Re:PDF-XChange by PhxBlue · · Score: 4, Funny

    In all fairness, it's hard sometimes to separate the tapeworms from the editors on Slashdot. But generally, the tapeworms have better grammar. :)

    --
    !#@%*)anks for hanging up the phone, dear.
  32. Re:Sad by Darinbob · · Score: 2, Interesting

    I'm behind the times. Isn't the PDF format a document format, that contains only document markup and layout info? When did it start being able to have embedded code? I know it's massively changed since I last looked at its internals, with things like permissions and editing added, but executables or scripting seems a bit far fetched. Maybe we need a document format that involves nothing at all except documents...

  33. Re:Sad by causality · · Score: 3, Informative

    I'm behind the times. Isn't the PDF format a document format, that contains only document markup and layout info? When did it start being able to have embedded code?

    Ever since Adobe perfected the basic PDF functionality and needed to keep adding features. Whether they are frills or not, whether they depart from the purpose of PDF or not, Adobe has to do this to justify its marketing. They want their customers to have reasons to keep wanting the latest version. Feature creep, in other words.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  34. In other news... by Dupedupeshakur · · Score: 2, Insightful

    ...with a bit of clever social engineering I can get you to open my malware executable directly.

  35. Only a warning? by Spykk · · Score: 3, Insightful

    With Adobe Reader, the only thing preventing execution is a warning.

    The only thing preventing your browser from executing a binary executable is a warning.

  36. Re:Sad by QRDeNameland · · Score: 2, Funny

    ...I was thinking PoC meant Piece of Crap which I thought was redundant when referring to a PDF.

    In my experience, the proper industry acronym is BFPoC, for Big Fat Piece of Crap, a term allegedly coined by one Artemus Clyde Frog.

    --
    Momentarily, the need for the construction of new light will no longer exist.
  37. Re:PDF-XChange by HiThere · · Score: 2, Informative

    PDF is basically a specialized subset of Forth. Unlike Postscript, it was presumed to be safe. This, however, may show otherwise.

    Postscript is essentially a specialized dialect (not subset) of Forth. It is clearly Turing complete, so a Postscript program might do nearly anything. PDF had been presumed to have been safely neutered. This calls that into question.

    P.S.: No, I didn't read the original article. This is all basic background stuff, with a few of my speculations about what this "exploit" means. I tried to indicate where I was speculating.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  38. Re:Sad by Grishnakh · · Score: 2, Insightful

    PDF is (or was) a good format and standard; it lets you define documents so that they look the same on any platform, and can be printed on any printer and look identical.

    The only problem with it is that it was perfected for this purpose long ago, so Adobe kept adding more and more crap to it.

    This is one reason open-source is generally better: when an open-source project is done, the developers leave it that way (unless any bugs are found), and go find something else productive to work on. They don't try to keep justifying their existence by adding more and more bloat to something, to try to make it useful for tasks that other tools are better for. TeX is a good example of this.

  39. Re:Sad by FlyingBishop · · Score: 2, Insightful

    Foxit is just as bloated as Adobe. Use Sumatra.

  40. Re:Sad by shutdown -p now · · Score: 3, Funny

    This is one reason open-source is generally better: when an open-source project is done, the developers leave it that way (unless any bugs are found), and go find something else productive to work on.

    One word: Emacs.

  41. Obligatory Adobe Story by bmajik · · Score: 2, Interesting

    So I work for Microsoft.. most hated software company, right?

    Not always, apparently. Thanks to competition like Adobe, we're going to have to up our game.

    Without going into too many details, a friend of mine was a Microsoft developer that was in a position where he was trading email with an external ISV as part of a formal MS program. So there was this stream of question and answer emails between them about how to use what we were working on to address this ISV's particular business problems. Anyway, at the end of one of this ISV's emails back to us, he says

    "PS: Can you guys somehow crush Adobe Corporation? I honestly and truly hate them."

    So there you go. That day, we lost. Adobe was the more hated company. We resolved to work harder to be #1 again.

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  42. Re:PDF-XChange by 99BottlesOfBeerInMyF · · Score: 2, Interesting

    While details are hard to come by I think this may run deeper than pdf.

    Clearly security issues go beyond this single flaw in PDF and to some of the primary assumptions of OS's in mainstream computing.

    The whole idea of "opening a file in a way determined by the OS for that type of file" is poor from a security point of view.

    I disagree. That is to say, can't think of any better way. The OS determining what to use makes for a smaller exposure to exploitation because an attacker cannot specify or know what will be used to open a particular data type in most instances.

    Opening a file can mean anything from viewing an image in an image viewer (safe unless there is a bug in the image viewer) through opening something like an office document (may or may not be safe depending on office security settings) though to running an executable (unsafe by design).

    You provide three examples, but all three could be made quite safe if OS's were designed to do that. Sandbox every application and give it access to only what it needs. Monitor the integrity of the sandbox. In my opinion an average user should be able to run a random .exe file from an unknown, untrusted source and the OS should appropriately restrict that executable to prevent harm. That's not to say the user should not be able to override the OS's decision, but only when made aware of exactly what the executable is trying to do and being given the choice of doing it in a safe environment instead.

    Heck, I can do it today. Send me a random .exe file and I can put it into one of my premade windows VMs, run it, only granting explicit access to my real data as needed, and reverting the VM back to its original state or saving it as a one-off for using that executable. The problem is, this task is far too difficult for the normal user. The whole process could be streamlined and automatic though, if the market was responsive to the needs of users.