Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Hacker finds a way to exploit PDF files, without a vulnerability

By | March 30, 2010, 12:05pm PDT

Summary: The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.

A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities.

The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.

Here’s the skinny from researcher Didier Stevens.

I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.

Although PDF viewers like Adobe Reader and Foxit Reader don't allow embedded executables (such as binaries and scripts) to be extracted and executed directly, Stevens found another route: a launch action (/Launch /Action) that runs a command, which he uses to execute an executable he embedded in the PDF using a special technique.

Stevens said Adobe’s PDF Reader will block the file from automatically opening but he warned that an attacker could use social engineering tricks to get users to allow the file to be opened.

With Foxit Reader, there is no warning whatsoever:

Stevens has not released the proof-of-concept file. The issue has been reported to Adobe’s security response team.

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

Stevens tested his research on Adobe Reader 9.3.1 (Windows XP SP3 and Windows 7).
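Because the technique relies on a documented PDF action rather than a bug, the practical defence is triage: check whether a PDF carries a /Launch action and whether something can trigger it automatically when the file is opened. The scanner below is an added example written for this page; it is not code from the article, from Stevens, or from any vendor. It counts PDF name tokens in the raw file bytes and raises the verdict when a /Launch action sits next to an automatic trigger (/OpenAction or /AA). The sample PDFs are constructed skeletons with a placeholder launch target, not the researcher's proof-of-concept, and the /AA, /EmbeddedFile, /JS and /JavaScript keywords are my additions beyond what the article names.

```python
import re
import sys

# Constructed sample input (not the researcher's proof-of-concept): a minimal
# PDF skeleton whose catalog carries an /OpenAction that points at a /Launch
# action, which is the structure the article describes. The /F target is a
# placeholder, so nothing is launched if this skeleton is opened.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /F (PLACEHOLDER) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed control sample with no actions at all.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /Launch is the action the article is about. /OpenAction and /AA are the
# triggers that make an action fire on open or on a page event; the rest are
# payload carriers an analyst checks in the same pass (my additions, not
# keywords the article names).
KEYWORDS = ("/Launch", "/OpenAction", "/AA", "/EmbeddedFile", "/JS", "/JavaScript")


def normalize_names(data: bytes) -> bytes:
    """Expand #xx hex escapes inside PDF name objects, so /L#61unch
    is counted as /Launch rather than slipping past a literal match."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each keyword as a whole name token (a name ends at any
    character that cannot continue it, so /JS does not match /JSfoo)."""
    text = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])"
        counts[kw] = len(re.findall(pattern, text))
    return counts


def assess(data: bytes) -> dict:
    """Return a verdict plus the evidence behind it."""
    counts = count_keywords(data)
    reasons = []
    verdict = "clean"
    if counts["/Launch"]:
        verdict = "suspicious"
        reasons.append("launch action present")
        if counts["/OpenAction"] or counts["/AA"]:
            verdict = "high"
            reasons.append("an automatic trigger (/OpenAction or /AA) is present, "
                           "so the launch can fire when the file is opened")
    elif counts["/OpenAction"] or counts["/AA"]:
        # Many benign PDFs use /OpenAction just to jump to a page; flag for review only.
        verdict = "review"
        reasons.append("automatic trigger present without a launch action")
    if counts["/EmbeddedFile"]:
        reasons.append("embedded file present")
    if counts["/JS"] or counts["/JavaScript"]:
        reasons.append("JavaScript present")
    return {"verdict": verdict, "counts": counts, "reasons": reasons}


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LAUNCH_PDF
    result = assess(blob)
    print(result["verdict"], result["counts"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Run it as `python pdf_launch_check.py suspect.pdf`. Two caveats matter in practice: the check is purely textual, so names stored inside compressed object streams will not be seen without decompressing them first, and a /Launch action on its own is not proof of malice (some workflows use it legitimately, which is exactly why the Adobe dialog exists). The value is as a fast first pass that routes files with an auto-triggered /Launch to a sandbox rather than to a user.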

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

61 Comments


Semantics
forrestgump2000@... 30th Mar 2010
It seems like Didier has a narrow view of what the term "vulnerability" means. Just because a behavior is observed without violating specifications, that doesn't mean that it's not a vulnerability, or even sane.
0 Votes
Yeah, my thought too.
DevGuy_z 30th Mar 2010
Kind of like "Its not a bug, its a feature"
0 Votes
it appears so
seannj427 31st Mar 2010
WHO would have expected that PDF allows executables to be run.
Ridiculous.
The title of this article is flawed -- it is a vulnerability. It just isn't one due to lame ass coding, but one that uses the product's own features against the user.
Any vulnerability requires an exploit, and this is no different in that respect.
That it is different from things like buffer overflows giving security access, etc, does not mean it is NOT a vulnerability.
0 Votes
Don't forget this one
klumper 30th Mar 2010
"Don't confuse a bad feature for a flaw."

--World of Ye grin
0 Votes
Similar to...
still not nice 31st Mar 2010
...the recent pwn-to-own failure of IE8.

Gee, IE8 did what it was supposed to do. Only the side door was left wide open.

wink
wtf! I thought FoxIT was safer. What are we supposed to use for reading pdf now? Ahh yes, ps viewer.
0 Votes
PDF Reader
cpt_slog@... 30th Mar 2010
I use Sumatra, it's skinny and low on resources.
This sort of vulnerability would scare the crap outta me if I let it.
0 Votes
I also use Sumatra, too.
Grayson Peddie 30th Mar 2010
I wonder how this will work with a Sumatra PDF reader that I currently have.
0 Votes
STDU Viewer is safe
BrewmanNH 31st Mar 2010
As far as I can tell, the STDU viewer (Scientific and Technical Document Utility) doesn't even launch the file or give you a dialog box asking you to launch it. Either that's a good thing because it won't be affected by the vulnerability, or it's a bad thing because it ignores the /Launch /Action function completely.

I noticed that the Adobe Reader does have a check box that allows you to bypass the dialog box shown in the future, so if you've ever run a file that uses this legitimately, and you check that box, you're vulnerable against this flaw.
0 Votes
Google Docs...
ReadWryt (error) 1st Apr 2010
...I am a firm believer that if someone is going to offer me a chance to open documents remotely on their computers then why should I take the risk into my machine?
0 Votes
it works only on windoze
Linux Geek 30th Mar 2010
Linux is safe!
is just as vulnerable to this as Adobe Reader.

Although the attack would of course have to be specifically targeted at Linux and not Windows or OSX to run, and sandboxing Sumatra is trivial, so it wouldn't be able to do any real damage, but still.. not good.
0 Votes
I think what he was saying is that...
gerrywastaken 31st Mar 2010
... the program is vulnerable but the system isn't (unless you were to stupidly run Sumatra as root, in which case you would deserve everything you got).
0 Votes
It is unlikely to work on Linux
tracy anne Updated - 31st Mar 2010
because the PDF is not marked as executable, therefore the system will not attempt to execute any code in the file.

BTW, most Linux users use the FOSS application Evince, the multi file format document reader that comes with many Linux distributions, and not Adobe or Sumatra or Foxit, all of which support Linux.

It's highly likely the code would be treated as broken text.
0 Votes
Even though the pdf is not marked as executable, wouldn't the pdf application follow its own guidelines and specification? Unless Linux ignores the PDF file specification, as long as the executable is designed for linux, linux should be just as vulnerable.
0 Votes
Well
tracy anne 31st Mar 2010
I've just tried it using Evince on both Windows and Linux, the exploit doesn't work on either OS
0 Votes
Okular
tracy anne 1st Apr 2010
the KDE multi document type reader, seems to be safe as well.
0 Votes
so clever...
webstalkers@... 31st Mar 2010
"windoze"... is this really the extent of your elite title 'linux geek' vocabulary?

Yes Adobe really blows on security and if they don't get it together soon this is going to be their downfall.
0 Votes
I beg your pardon...?
Cayble 30th Mar 2010
I see it's already been said, but I had to say it myself; when something is exploited it pretty much means it was a vulnerability that was exploited. Think about it chum.

The very nature of the term exploited indicates the abuse of a vulnerability in whatever was exploited.

Mind you, seeing the title I was dieing to see what a title like that could even mean so I checked in. I guess its a way to build readership.
..something bad, nor something that wasn't intended to be doable.


Also, just FYI, it's spelled "dying".
0 Votes
Foxit is fixing this
dougsyo@... 31st Mar 2010
This bug was posted to Foxit's forum, is confirmed, and they're working on it.

http://forums.foxitsoftware.com/showthread.php?t=18029
0 Votes
Yep!..
JCitizen Updated - 3rd Apr 2010
Just got it today! Quick! Thanks Foxit team! However it still bothers me that it needs Admin privileges after an update. How do I know it is just the application needed to update on the standard account as well?

It could be anything asking for that. I just click Cancel to the UAC until I am pretty sure my limited account is clean.(hopefully)
I get that this is a 'feature' that is part of the PDF specifications.

My question is, why do I (or the file) have to run anything (other than the PDF viewing program itself) to just view a PDF document?

And in a related vein:

Where is the 'off' switch?

If there isn't one, why not?
0 Votes
Social engineering does NOT equal a security hole. One can achieve literally anything with social engineering. There is no way to protect dumb people or even those of us who have dumb moments. If I have to give the OK, its not the hacker who is in control of my system, its me ... until of course I give my system to the hacker by pressing "OK". So calling this an "exploit" is a stretch. Foxit DOES need to fix their reader and other vendors, including open source, need to scrutinize this.
0 Votes
Perhaps more profound than intended
mcswan454 Updated - 31st Mar 2010
This is why there's an information security industry making billions of dollars per year. From the beginning, viruses and other exploits, generally needed the end user to do something: d/l a file, run a script, open a file, share floppies, etc., even when sensibility might make the hair on the neck stand up.

Social engineering is a 'politically correct' term to describe how to manipulate human stupidity and stupid moments.

Why do you think we have all the warnings on products these days? A person can be smart; people are dumb, dangerous members of the animal kingdom and we all know it.

Every one of us has had a DUH moment. And collectively? Let's see: Anti-virus, anti-malware... The list continues.

Just like the car, I can design all the safety features into something I believe you'll ever need. You, on the other hand, can -- for gits and shiggles -- test to see if I designed it for "THIS" circumstance.

Unfortunately, you may pay with your data (or life, in the car analogy) for that discovery. Famous Last Words apply here -- "Hey, watch this!"

Myself, I'll fix the flaw you found. You? Well, you're probably not going to get to try THAT again.

"If I have to give the OK, its not the hacker who is in control of my system, its me ... until of course I give my system to the hacker by pressing "OK". "

Perhaps much more profound than intended.
0 Votes
People are not 'dumb'...
Lerianis10 2nd Apr 2010
Too trusting in some cases, yes, but not dumb. This is more a case of 'too trusting sapzilla who doesn't adhere to the conventional wisdom of "Never run something even from a close friend, unless they are just giving you a link to the main website of the thing in question OR it is on a known good downloading website!"'

That is what I keep on hammering into my parents: No downloading stuff unless it's from Download.com, a known good vendor's website, or I approve it first.
Knowing if it's from a close friend or not is the tricky part.


I think the best way to do this is to exchange keys offline and encrypt your messages with them.
0 Votes
The dialog can be made to say anything the attacker wants.

Like, "This program may damage your computer, do you want to close it?".

Would you really click "No" if Adobe Reader gave you a dialog like that? I don't think so.
Unless you're using Foxit viewer, then there is no dialog box so it IS a security hole in the PDF file spec.
0 Votes
Holy cow
TxM2xTx 31st Mar 2010
No ... not Foxit, it was so much quicker and nicer than Adobe.

I guess it's time to stop using software all together, nothing's safe anymore these days. What are we paying for ?
0 Votes
Sumatra works fine.
AzuMao 31st Mar 2010
0 Votes
Sumatra
BrewmanNH 31st Mar 2010
Except for one thing, it's a horrible PDF reader in my opinion. Good for basic PDF reading, but lacking a boatload of features that I look for in a document viewer.
0 Votes
Try Evince then.
AzuMao 31st Mar 2010
WHEN, WHEN, WHEN are we going to stop allowing ANY downloaded file to do ANYTHING on its own? PDFs should be about displaying a document - nothing more, nothing less. All this functionality that is built in to do "cool things" get used as hacker leverage - and most of it we don't even know "is in the spec".
0 Votes
Too true
kingttx 1st Apr 2010
Where most everyone wants immediate satisfaction and gratification without consequence, that kind of attitude doesn't work well when sewer rats are just drooling at the chance to pwn your computer.
0 Votes
While it is true that normally, most of the time we should only allow PDFs to display documents, sometimes they are used as Forms (at least in my work environment). In that scenario, I could be fooled and would allow an executable thinking that it might be part of the form processing as well. So it's not just "cool things" and easy "social engineering" that could take advantage of people but even things that one often does for work purposes.

Thanks to the writer of this post for the warning!
0 Votes
then read it
erik.soderquist 1st Apr 2010
if you don't know what is in the spec, look it up and read it some time. it is quite interesting what the PDF spec includes... as in the old curse, "May you live in interesting times"
0 Votes
Most people don't have the time.
AzuMao 1st Apr 2010
I never use Adobe or Foxit, I have an iMac ans use Preview to open all PDF, .jpg. and other file types. I wonder if there is a vulnerability there. I know that Macs are more difficult to infect, but that doesn't mean "impossible" so I have virus protection and exhibit the same care with web sites and unknown files I do with a PC.

I've used both side-by-side for decades and have never had a virus on a Mac and only one or two on a PC. Both of those were easily managed by my protection software.
0 Votes
Compare Acrobat Reader with Apple Preview
TheMountDiablo Updated - 31st Mar 2010
http://searchsecurity.techtarget.com.au/articles/39752-Dozens-of-flaws-found-in-products-from-Apple-Microsoft-and-Adobe

"...after examining 3 million PDF files, Adobe Acrobat had between three to 10 possible exploitable files. Apple Preview, a PDF reader, had 30 to 60 exploitable files."

From his presentation in Vancouver:
- 0.9% of corrupted files triggered an Acrobat Reader crash
- Compared to 5.6% of files that crashed Apple Preview
- 87% of starting files (that were then randomly corrupted for testing) never triggered a crash at all in Acrobat Reader
- The comparable number for Apple Preview was only 12%
