Slashdot Mirror


New Method Could Hide Malware In PDFs, No Further Exploits Needed

Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."

27 of 234 comments

  1. Re:PDF-XChange by abigor · Score: 3, Funny

    Do you always refer to yourself with the royal "we"?

  2. With Foxit Reader by wiredog · Score: 5, Interesting

    There's no warning at all. It just runs.

  3. Re:Sad by sopssa · Score: 5, Insightful

    But for once Adobe is actually more secure than the better alternative Foxit. Adobe PDF Reader at least warns and asks your permission to run the file, but Fox It does neither one but just happily runs it. That fact made me uninstall Foxit for now at least.

  4. further proof D. Knuth was right by Anonymous Coward · Score: 5, Insightful

    Who the hell thought it was a good idea to have dynamic content in a document description language?

    Notice you never hear about exploits-of-the-week like this for LaTeX !

    1. Re:further proof D. Knuth was right by TheRaven64 · Score: 5, Insightful

      I can't decide if you're trying to be ironic, but there are no 'vulnerabilities' in LaTeX because the ability to interact with files and run arbitrary programs is part of the language. The reason LaTeX isn't often exploited is that it is very rare to run LaTeX programs from untrusted sources; you distribute the output from the program, not the program itself.

      On a slightly different topic, is there a competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?

      --
      I am TheRaven on Soylent News

    2. Re:further proof D. Knuth was right by pclminion · Score: 3, Interesting

      PDF has some superficial syntactic similarities to PostScript. Beyond that, it is not at all like PostScript. The reason the content stream language of PDF is PostScript-like is because it made it easy to print PDF by simply blowing the content stream out as PostScript, accompanied by the appropriate ProcSets. Such usage is deprecated these days -- ProcSets are no longer required to be declared, and modern PDFs can't be printed by blowing the content stream directly to the printer any more.

      Even in the areas where PDF looks like PostScript, it's fundamentally different. There is no operand stack. There are no control flow operators. If you start trying to create a PDF under the impression that it's just like PostScript, you'll fail miserably.

  5. Re:Sad by amicusNYCL · Score: 4, Informative

    That fact made me uninstall Foxit for now at least.

    You shouldn't have to wait long.

    http://forums.foxitsoftware.com/showthread.php?t=18029

    this issue has been confirmed, and a maintenance version will be released within this week.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black

  6. "This cannot be patched" by Manip · Score: 4, Insightful

    "This cannot be patch because it isn't a vulnerability." Uhh yes it can, and sure it is. There are millions of bugs that were entirely by design and the designs adapted to eliminate them. I will grant that they might have to break the PDF spec' to fix it but frankly it is the right thing to do for everyone concerned.

  7. *nix vulnerable too? by cpuh0g · Score: 3, Interesting

    What happens on *nix versions of Adobe Reader - OS/X, Solaris, Linux, etc?

    1. Re:*nix vulnerable too? by Onymous Coward · Score: 3, Interesting

      /OpenAction <<
         /F <<
           /DOS (C:\\\\WINDOWS\\\\system32\\\\calc.exe)
           /Unix (/usr/X11R6/bin/xcalc)
           /Mac (/Applications/Calculator.app)
           /TheAnswerIs (yeah\\\\i/think\\\\so)
         >>
         /S /Launch
      >>
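
A defensive check for the structure shown in this comment, added here as an example (it is not code from the thread or from any reader it names): it scans raw PDF bytes for /Launch actions, decodes the #xx name escapes that would hide the word "Launch" from a plain text search, and reports the per-platform /F targets and whether the action hangs directly off /OpenAction. The sample PDF bytes are constructed inline; only uncompressed, direct-object dictionaries are handled, which is an assumption of the example.

```python
import re

# Constructed sample: the /OpenAction dictionary quoted above inside a catalog object,
# with the action name written as /L#61unch to exercise PDF's #xx name escape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R
   /OpenAction << /F << /DOS (C:\\\\WINDOWS\\\\system32\\\\calc.exe)
                        /Unix (/usr/X11R6/bin/xcalc)
                        /Mac (/Applications/Calculator.app) >>
                  /S /L#61unch >> >>
endobj
"""

NAME = re.compile(rb"/[^\s/<>\[\]()]+")                        # one PDF name token
TARGET = re.compile(rb"/(F|Win|DOS|Unix|Mac)\s*\(((?:\\.|[^\\)])*)\)")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens, so /L#61unch reads as /Launch."""
    fix = lambda m: re.sub(rb"#([0-9A-Fa-f]{2})",
                           lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME.sub(fix, data)

def enclosing_dict(data: bytes, pos: int):
    """Return (start, text) of the innermost << ... >> containing offset pos."""
    depth, start = 0, pos
    while start >= 0 and not (data.startswith(b"<<", start) and depth == 0):
        depth += data.startswith(b">>", start) - data.startswith(b"<<", start)
        start -= 1                                 # walk back to the opener
    depth, end = 0, start + 2
    while end < len(data) and not (data.startswith(b">>", end) and depth == 0):
        depth += data.startswith(b"<<", end) - data.startswith(b">>", end)
        end += 1                                   # walk forward to the closer
    return start, data[start:end + 2]

def find_launch_actions(pdf: bytes) -> list:
    """List each /Launch action with its per-platform /F targets (string backslash
    escapes decoded) and whether it is wired directly to /OpenAction."""
    data = normalize_names(pdf)
    hits = []
    for m in re.finditer(rb"/S\s*/Launch\b", data):
        start, text = enclosing_dict(data, m.start())
        targets = {k.decode(): re.sub(rb"\\(.)", rb"\1", v).decode("latin-1")
                   for k, v in TARGET.findall(text)}
        hits.append({"auto_open": data[:start].rstrip().endswith(b"/OpenAction"),
                     "targets": targets})
    return hits
```

An /OpenAction that references its action as an indirect object (`/OpenAction 5 0 R`) or a /Launch inside a compressed object stream is not flagged as auto-open by this check; decompress streams first if you need that.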

    2. Re:*nix vulnerable too? by Dak RIT · Score: 3, Informative

      It can, although it doesn't mean that Mac and Linux are just as vulnerable as Windows.

      If you download this proof of concept which works on Linux, Windows and Mac:
      http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf

      you'll discover that although it works in Acrobat Reader on the Mac, the Mac Preview application, which I would hazard is used to open the vast majority of PDFs on Macs, does not support /Launch and thus isn't vulnerable to the attack.

  8. Re:Clever social engineering... by T Murphy · Score: 5, Funny

    The guys at Adobe heard about oscilloscopes with hidden games on them, and Word's flight simulator, so they incorporated "features" so they could make an easter egg of their own. They never got around to that easter egg, so now lots of people are kindly lending them a hand at it.

  9. Re:PDF-XChange by idontgno · Score: 3, Funny

    I'm pretty sure a substantial minority of your eukaryotes actually prefer Adobe products.

    The "we" you're using is just your corporeal ruling elite talking, Man! It's just another example of your neurons keepin' your connective cells and fat tissue down!

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.

  10. Re:Sad by c-reus · Score: 3, Insightful

    Of course, the average user is known to thoroughly read the warnings and definitely will not click "OK, just get this thing out of my face" within half a second after the dialog box has finished rendering.

  11. Re:Sad by Romancer · Score: 4, Informative

    From the author:

    "My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn't run. But that's probably due to some variation in the PDF language supported by Foxit Reader."

    Not really a proof of concept since the proof doesn't actually run the code currently. Not that it couldn't but there's no proof that Foxit is less secure since it doesn't actually run the code.

    --
    ) Human Kind Vs Human Creation
    ) It'd be interesting to see how many humans would survive to serve us.

  12. Re:PDF-XChange by natehoy · Score: 3, Funny

    As Mark Twain once said, "Only kings, presidents, editors, and people with tapeworms have the right to use the editorial 'we.'"

    Peter does not appear to be a king, is unlikely to be a president, and he's probably not an editor...

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."

  13. Re:PDF-XChange by suomynonAyletamitlU · Score: 4, Funny

    To be fair, my fatty tissue is an ass, and my connective tissues jerk me around all the time.

  14. Re:Sad by Spad · Score: 3, Informative

    http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/

    He got it working in Foxit pretty quickly after the first post about the PoC.

  15. Old news. I got hacked 4 weeks ago by one of these by St.Creed · Score: 4, Informative

    I was reading a technical forum (used by a few dozen people, I'm in a niche market) with Chrome, when a PDF popped up containing nonsense text.

    Of course I wasn't happy about it, so I contacted the owner of the site and scanned my laptop with McAfee's antivirus. Didn't find anything, but 2 weeks later I received a mail that my passwords had been reset for my own website because of suspicious activity. As it turned out, someone had installed a virus similar to the one that got me, on my contact page. Great.

    This is with a laptop running Chrome, Windows Vista with UAC enabled, McAfee security suite. I didn't even get a warning.

    I used Malwarebytes' Anti-malware to find and remove the stuff that got installed. At least, I'm hoping it got removed - but nothing is certain :P The strange thing is now, that when I need to access a fishy site I use Internet Explorer because it caught the drive-by download the next time I visited. Sort of a complete reversal of policy for me.

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)

  16. Re:PDF-XChange by treeves · Score: 3, Funny

    We recommend niclosamide or another anthelminthic for Pete.

    --
    ...the future crusty old bastards are already drinking the Kool-Aid.

  17. Re:Clever social engineering... by StoatBringer · Score: 4, Insightful

    PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action.

    You've never dealt with a marketing department, clearly.

    "Hey, you know what would be cool? What if PDF documents could also play videos?"
    "Um.. well, it's technically possible but I don't think that-"
    "Great! WE MUST HAVE THIS FEATURE! NOW! DROP EVERYTHING AND GET TO IT!"

    --
    Cress, cress, lovely lovely cress

  18. Re:Sad by Pentium100 · Score: 5, Informative

    Also the first comment there says how you can hex edit the .exe to disable this "feature".

    If you can live without the /Launch functionality (I can!), edit the executable:

    - search for “^@Launch^@” (^@ == null byte, file offset 7040965 in 3.13.1030) in Foxit Reader.exe,

    - change it to e.g. “L!unch” (no quotes),

    - save AS BINARY,

    done.

    Comment by Thomas — Wednesday 31 March 2010 @ 12:20
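
The hex-edit recipe quoted above as a script, added here as an example rather than code from the comment or from Foxit: it refuses to patch unless the null-delimited name occurs exactly once, keeps the replacement the same length so no file offsets shift, and writes a patched copy instead of editing in place. The stand-in binary bytes are constructed; the offset 7040965 given for 3.13.1030 is reported by the script rather than assumed.

```python
from pathlib import Path

NEEDLE = b"\x00Launch\x00"     # the null-delimited action name the comment searches for
PATCHED = b"\x00L!unch\x00"    # same length as NEEDLE, so nothing else in the file moves
assert len(NEEDLE) == len(PATCHED)

# Constructed stand-in for a reader binary: a few null-delimited action names.
FAKE_BINARY = b"\x00GoToR\x00junk\x00Launch\x00more\x00URI\x00"

def launch_offset(data: bytes) -> int:
    """Byte offset of the needle, or -1 if absent; compare with the comment's 7040965."""
    return data.find(NEEDLE)

def patch_launch_name(original: bytes) -> bytes:
    """Return a copy of `original` with the single /Launch name neutralised.
    Refuses when the needle is absent or occurs more than once, so nothing is guessed."""
    count = original.count(NEEDLE)
    if count != 1:
        raise ValueError(f"expected exactly one {NEEDLE!r}, found {count}")
    return original.replace(NEEDLE, PATCHED)

def patch_file(src: Path, dst: Path) -> int:
    """Write a patched copy of src to dst (never in place); return the offset patched."""
    data = src.read_bytes()
    dst.write_bytes(patch_launch_name(data))
    return launch_offset(data)
```

The patched copy no longer matches the vendor's file hash, so expect integrity or update checks to flag or overwrite it.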

  19. A better test file. by DdJ · Score: 4, Informative

    Someone came up with a better test file, here:

    http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf

    The first test file contained code essentially saying "if you're on a windows box, run cmd.exe". This one says "if you're on windows, run calc.exe, and if you're on Unix, run xcalc, and if you're on MacOS, run Calculator.app". So regardless of platform, if you load this PDF and see a calculator come up, well, you've learned something.

    As it happens, the PDF also contains real content that describes expected behaviors with a couple of readers. Apple's "Preview" isn't vulnerable because it doesn't implement the /Launch command at all! But Adobe's reader on MacOS is vulnerable.

  20. Re:PDF-XChange by PhxBlue · Score: 4, Funny

    In all fairness, it's hard sometimes to separate the tapeworms from the editors on Slashdot. But generally, the tapeworms have better grammar. :)

    --
    !#@%*)anks for hanging up the phone, dear.

  21. Re:Sad by causality · Score: 3, Informative

    I'm behind the times. Isn't the PDF format a document format, that contains only document markup and layout info? When did it start being able to have embedded code?

    Ever since Adobe perfected the basic PDF functionality and needed to keep adding features. Whether they are frills or not, whether they depart from the purpose of PDF or not, Adobe has to do this to justify its marketing. They want their customers to have reasons to keep wanting the latest version. Feature creep, in other words.

    --
    It is a miracle that curiosity survives formal education. - Einstein

  22. Only a warning? by Spykk · Score: 3, Insightful

    With Adobe Reader, the only thing preventing execution is a warning.

    The only thing preventing your browser from executing a binary executable is a warning.

  23. Re:Sad by shutdown -p now · Score: 3, Funny

    This is one reason open-source is generally better: when an open-source project is done, the developers leave it that way (unless any bugs are found), and go find something else productive to work on.

    One word: Emacs.