The real dangers of PDF executable trickery

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#1 Post by Flash »

I can't tell from this article if the exploit only works on Adobe pdf readers for Windows.
The beauty of Didier’s proof of concept is that he discovered a method to execute an embedded executable within a PDF file without utilizing any JavaScript and without having to exploit any vulnerabilities.

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#2 Post by Pizzasgood »

It theoretically works in Linux. It depends on the PDF viewer. From what I understand, most Linux PDF viewers don't support the particular feature that was used. But there is no reason why they couldn't.

Of course, a PDF that was designed to attack a Windows machine would generally be harmless on a Linux machine, and vice versa.


What I don't understand is why PDF even has that feature. It's retarded. Documents don't need to be able to execute commands.

Thanks for posting this, by the way. In my network security class we have to do a number of lab additions where we add a section to the lab assignments. (It's "optional", but required for an A). We've been having bad luck making things work on the lab machines lately. I have a good feeling about this one though. (And we only need this last addition.)
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

DMcCunney
Posts: 889
Joined: Tue 03 Feb 2009, 00:45

#3 Post by DMcCunney »

Pizzasgood wrote: What I don't understand is why PDF even has that feature. It's retarded. Documents don't need to be able to execute commands.
Don't think of a PDF as a document. Think of it as a container. It's generally used for documents, but can be more broadly applied.

Adobe embeds a variant of JavaScript called ActionScript in PDF viewers, and it's possible to have interactivity rather than a static document. There are PDFs that can serve as "fill in the blanks" forms, where the user can open the PDF and use drop-down selection boxes and text entry to fill out an electronic form which can then be submitted back to the originator.

As "rich media" becomes more pervasive, we'll see more of this. I'm waiting for the first ePub exploit.

I'm not as worried about this one as others might be, as it still requires action on the user's part to run the malicious code. (Yes, I know. There are lots of gullible users out there...) I can't do anything about other people's stupidity. I can be careful about what I download and open, and PDFs are on the list of "Only from trusted sources".
______
Dennis
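The feature the thread is circling is the PDF /Launch action, the action type Didier Stevens' proof of concept used to start an embedded program without any JavaScript. Dennis's rule of "only from trusted sources" can be backed by a triage step before a PDF is ever opened: look for that action and the other dictionary keys that turn a static document into an active one. What follows is an added example, not code from this thread or from Didier Stevens. It is a small Python scanner that inflates FlateDecode streams (so objects hidden in compressed object streams are visible), resolves #xx-escaped names (so /L#61unch is recognised as /Launch), and counts the active-content indicators it finds. Both sample PDFs are constructed inline for the example; the launch target in the second one is a placeholder string, not a real command, and the verdict thresholds in assess() are this example's own choice.

```python
"""Added example: triage a PDF for active-content indicators before opening it.

Not code from the forum thread or from Didier Stevens; the sample PDFs below are
constructed for this example and the launch target is a placeholder string.
"""
import re
import sys
import zlib

# Dictionary keys that make a document active. /Launch is the action type behind the
# proof of concept the thread discusses; the others are its usual companions.
INDICATORS = {
    b"/Launch": "launch action: asks the viewer to start an external program",
    b"/OpenAction": "action run automatically when the document opens",
    b"/AA": "additional actions triggered by page or form events",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code object",
    b"/EmbeddedFile": "embedded file (attachment) inside the PDF",
}


def _inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every FlateDecode stream in the file.

    decompressobj() is used so the trailing newline before 'endstream' is treated as
    unused data rather than corruption; streams that are not zlib data raise and are
    skipped (their raw bytes are scanned anyway).
    """
    chunks = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(chunks)


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names, so /L#61unch matches /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count each indicator across the raw bytes and all inflated streams."""
    text = _unescape_names(data + b"\n" + _inflate_streams(data))
    found = {}
    for name in INDICATORS:
        # The negative lookahead stops /JS from also matching a longer name such as /JSX.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", text))
        if hits:
            found[name.decode()] = hits
    return found


def assess(data: bytes) -> str:
    """Map the indicator set to a triage verdict: 'high', 'review' or 'low' (example policy)."""
    names = set(scan_pdf(data))
    if "/Launch" in names or ("/OpenAction" in names and names & {"/JavaScript", "/JS"}):
        return "high"
    if names:
        return "review"
    return "low"


# Constructed sample 1: a plain one-page document with an uncompressed content stream.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >> stream\n"
    b"BT /F1 12 Tf 72 720 Td (Hello, world) Tj ET\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample 2: the catalog's /OpenAction points at an action object that lives
# inside a FlateDecode object stream and spells its type as /L#61unch. The /F target is
# a placeholder for this example, not a real command.
_ACTION_OBJ = b"6 0 << /Type /Action /S /L#61unch /F (placeholder-launch-target) >>"
_OBJSTM = zlib.compress(_ACTION_OBJ)
LAUNCH_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Length " + str(len(_OBJSTM)).encode()
    + b" /Filter /FlateDecode >> stream\n" + _OBJSTM + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    # Scan the two constructed samples plus any PDF paths given on the command line.
    samples = {"constructed benign sample": BENIGN_PDF, "constructed launch sample": LAUNCH_PDF}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for label, blob in samples.items():
        print(f"{label}: {assess(blob)} {scan_pdf(blob)}")
```

Run it with no arguments to see the two constructed samples scored, or pass file paths to triage real PDFs. The scanner is deliberately a string-level heuristic rather than a PDF parser: it will over-report (a harmless /OpenAction that just jumps to page one lands in "review") and it does not follow every encoding a viewer accepts, so treat a "low" verdict as "nothing obvious", not as proof the file is inert.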

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#4 Post by 8-bit »

Pizzasgood wrote:It theoretically works in Linux. It depends on the PDF viewer. From what I understand, most Linux PDF viewers don't support the particular feature that was used. But there is no reason why they couldn't.

Of course, a PDF that was designed to attack a Windows machine would generally be harmless on a Linux machine, and vice versa.


What I don't understand is why PDF even has that feature. It's retarded. Documents don't need to be able to execute commands.

Thanks for posting this, by the way. In my network security class we have to do a number of lab additions where we add a section to the lab assignments. (It's "optional", but required for an A). We've been having bad luck making things work on the lab machines lately. I have a good feeling about this one though. (And we only need this last addition.)
Well, I got a PDF file in Windows from a government agency that was a "fill in the blanks" type.
It would come up with Adobe Reader in IE8 and you would fill it out and then print it. You could not save the completed form.
But there are uses for PDF files with executables.

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#5 Post by Pizzasgood »

My point is that most documents don't need to be active, so they could use a static format. An active format with a different extension could be used by only the "documents" that actually need it. That way people would be naturally more paranoid, because before they even click on the file, they would see the icon (and maybe extension) and say, "Wait, that's one of them funny ones. Why does it need to be funny? What's it up to? Do I trust them?"

There should not be a requirement to trust the average document. It is just a document. The only threats it should pose are buffer overflows and boredom. Maybe epileptic seizures.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#6 Post by Flash »

DMcCunney wrote:... I can be careful about what I download and open, and PDFs are on the list of "Only from trusted sources"...
If I understood the article correctly, one thing this "feature" could do is infect every pdf file visible to a computer, without the user's knowledge. If so, then an embedded executable could spread itself quickly throughout a "trusted" pdf repository from just one bad pdf file.

DMcCunney
Posts: 889
Joined: Tue 03 Feb 2009, 00:45

#7 Post by DMcCunney »

Flash wrote:
DMcCunney wrote:... I can be careful about what I download and open, and PDFs are on the list of "Only from trusted sources"...
If I understood the article correctly, one thing this "feature" could do is infect every pdf file visible to a computer, without the user's knowledge. If so, then an embedded executable could spread itself quickly throughout a "trusted" pdf repository from just one bad pdf file.
Unlikely. Remember, this isn't a "drive-by install", like you can get running Internet Explorer in Windows and picking up a malicious ActiveX control. The user must open the PDF and agree to the execution of the code. (Though they won't know precisely what they're agreeing to.)

"Trusted repositories" will be Internet facing servers, and probably running Linux. How is this execution supposed to occur?

I treat reports like this in the same way every time I see one, and say "Okay. This is an exploit. How likely is it to actually occur?" Most of them fall into the "Not likely enough for me to lose sleep over it" category until I see something that raises the threat level. I'm not especially worried about this one.
