Security response teams at Adobe and FoxIt are investigating ways to mitigate a new PDF hack that allows the execution of an embedded executable without exploiting any security vulnerabilities.
A demo of the PDF hack has been published to show how a hacker could employ social engineering techniques to launch code execution attacks if a user simply opens a rigged PDF file.
Didier Stevens' demo relies on functionality defined in the PDF specification, which is an ISO standard (ISO PDF 32000-1:2008). Section 220.127.116.11 of the specification defines the /launch command. This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly. The warning message provided in Adobe Reader and Adobe Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Adobe takes the security of our products and technologies very seriously; we are always evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks.
The company did not say how it planned to mitigate the issue but it's likely a future Adobe Reader update will feature stricter warnings when dealing with embedded executables using the /launch command.
Foxit Software, which markets an alternative to Adobe's Reader, plans to ship a patch very soon to address this issue:
"Foxit takes every security concern seriously and we focus our engineering resources at determining the cause of the problem and coming up with a complete and safe solution. Upon hearing of a possible security concern, our development team went to work and a resolution was determined in less than 24 hours and an updated version of the Foxit Reader will be made public in the next 72 hours.
The problem was first discussed by researcher Didier Stevens who created a proof-of-concept PDF file showing how an executable file can be launched directly from Adobe Reader or FoxIt without the use of an actual software vulnerability.
Although PDF viewers like Adobe Reader and Foxit Reader doesn’t allow embedded executables (like binaries and scripts) to be extracted and executed, Stevens discovered another way to launch a command (/Launch /Action), and ultimately run an executable he embedded using a special technique.
With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.
Stevens said Adobe’s PDF Reader will block the file from automatically opening but he warned that an attacker could use social engineering tricks to get users to allow the file to be opened. With Foxit Reader, there is no warning whatsoever.
According to this note, this hacking technique is already in use in the pen-testing community.