By Hugo Jean, Heptacube Inc.
2010-03-31 17:39:44
It is no secret that Adobe Reader and PDF files in general are a major attack vector for malicious users. Many exploits use JavaScript to run malicious code such as trojans, for instance. But security expert Didier Stevens demonstrated on Monday on his blog how his new Proof of Concept (PoC) can use a PDF file to run arbitrary code without resorting to a vulnerability in the PDF reader. The PoC has been shown to work with Adobe Reader as well as with Foxit Reader.
It works by simply launching a malicious executable file (.exe) from within a PDF file. However, neither of the two applications allows the launch of an executable file embedded in a PDF file, so it is not all that easy. Stevens had to "use a launch action triggered by the opening of [his] PoC PDF," which he specially crafted so that the reader software would accept it.
While Foxit seamlessly lets that special file launch the embedded executable, Adobe Reader gives a warning and the user has to approve the launch of the embedded file:
Unfortunately, this would probably look suspicious to most users. But Stevens has also found a way to modify the text shown in the text box of the warning window. As an example, he proposed using social engineering to lure the victim into agreeing to run the executable file. The modified dialog box looks like this:
Stevens has not published the PoC PDF file yet. However, he does provide a link in his blog post for downloading a PDF that will launch cmd.exe.
Furthermore, he says that he has shared his findings with Adobe's Response Team, but we do not know if they are looking for a way to counter his PoC. As a final note, he also provides a way of "preventing Adobe Reader from creating new processes," which effectively blocks this trick.
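A detection-side illustration, added here and not taken from Stevens' post or this article: a small Python triage routine that counts the PDF names involved in this trick (/OpenAction, /AA, /Launch) after undoing #xx name escapes, run over a constructed, deliberately incomplete PDF fragment whose /F target is a placeholder, not a real program.

```python
import re
from typing import Dict

# Constructed sample (not the PoC from the post): a minimal, incomplete PDF
# fragment whose catalog carries an /OpenAction pointing to a /Launch action.
# The /F target is a placeholder, not a real program.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
3 0 obj
<< /Type /Action /S /L#61unch /F (placeholder.exe) >>
endobj
%%EOF
"""

# PDF names may hide their spelling with #xx hex escapes (/L#61unch is
# /Launch), so normalize them before matching; a plain grep would miss it.
def normalize_name(name: bytes) -> bytes:
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), name)

# Names worth counting when triaging a PDF for the launch-on-open pattern.
SUSPICIOUS = (b"/OpenAction", b"/AA", b"/Launch",
              b"/JavaScript", b"/JS", b"/EmbeddedFile")

def count_names(pdf: bytes) -> Dict[bytes, int]:
    """Count occurrences of risky PDF names after undoing #xx escapes."""
    counts = {n: 0 for n in SUSPICIOUS}
    for raw in re.findall(rb"/[A-Za-z0-9#]+", pdf):
        name = normalize_name(raw)
        if name in counts:
            counts[name] += 1
    return counts

def triage(pdf: bytes) -> str:
    """Verdict: a /Launch reachable from an open or auto action is the
    pattern described in the article; a bare /Launch is still notable."""
    c = count_names(pdf)
    if c[b"/Launch"] and (c[b"/OpenAction"] or c[b"/AA"]):
        return "launch-on-open"
    if c[b"/Launch"]:
        return "launch-present"
    return "clean"

if __name__ == "__main__":
    print(count_names(SAMPLE_PDF), triage(SAMPLE_PDF))
```

This keyword count only sees names in uncompressed objects; a PDF that stores its dictionaries inside compressed object streams needs the streams inflated first.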
The PoC, tested with Adobe Reader 9.3.1 on Windows XP SP3 and Windows 7, is displayed in the following video, also coming from the same blog post: