Hacker finds a way to exploit PDF files, without a vulnerability

Summary: The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.

A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities.

Here's the skinny from researcher Didier Stevens.

I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all; the action gets executed without user interaction.

follow Ryan Naraine on twitter

Although PDF viewers like Adobe Reader and Foxit Reader don't allow embedded executables (such as binaries and scripts) to be extracted and executed directly, Stevens discovered another way to launch a command (the /Launch action) and ultimately run an executable he embedded using a special technique.

Stevens said Adobe's PDF Reader will block the file from opening automatically, but he warned that an attacker could use social engineering tricks to get users to allow it to be opened.

With Foxit Reader, there is no warning whatsoever.

Stevens has not released the proof-of-concept file. The issue has been reported to Adobe's security response team.

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

Stevens tested his research on Adobe Reader 9.3.1 (Windows XP SP3 and Windows 7).
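For defenders, the practical question is whether a PDF carries a /Launch action at all, and whether the document catalog's /OpenAction wires it to fire when the file is opened, which is the trigger Stevens describes. The scanner below is an added example, not Stevens' tool or PoC; it works on constructed, uncompressed sample PDFs embedded inline, and decodes #xx-escaped names so a spelling like /L#61unch is not missed by plain string matching.

```python
import re

# Constructed sample inputs (not Stevens' proof-of-concept): a bare PDF skeleton
# and one whose catalog /OpenAction points at a /Launch action whose /S name is
# written with a #xx hex escape (/L#61unch), a form naive string matching misses.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /L#61unch >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /L#61unch compares equal to /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def object_body(text: bytes, num: int) -> bytes:
    """Return the body of indirect object `num` (generation ignored), or b""."""
    m = re.search(rb"(?m)^%d\s+\d+\s+obj(.*?)endobj" % num, text, re.S)
    return m.group(1) if m else b""


def scan_pdf(data: bytes) -> dict:
    """Count /Launch actions and check whether /OpenAction makes one fire on open."""
    text = normalize_names(data)
    launches = len(LAUNCH_RE.findall(text))
    fires_on_open = False
    ref = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", text)      # indirect ref
    inline = re.search(rb"/OpenAction\s*<<(.*?)>>", text, re.S)   # inline dict
    if ref:
        fires_on_open = bool(LAUNCH_RE.search(object_body(text, int(ref.group(1)))))
    elif inline:
        fires_on_open = bool(LAUNCH_RE.search(inline.group(1)))
    return {"launch_actions": launches, "launch_on_open": fires_on_open,
            "verdict": "block" if launches else "ok"}


if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("launch", LAUNCH_PDF)):
        print(name, scan_pdf(pdf))
```

Real-world files can keep their dictionaries inside compressed object streams, so a production check must inflate streams before applying this kind of match; a /Launch action anywhere in a document from an untrusted source is reason enough to quarantine it.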

Topics: Security, Enterprise Software

Talkback

60 comments
  • Semantics

    It seems like Didier has a narrow view of what the term "vulnerability" means. Just because a behavior is observed without violating specifications, that doesn't mean that it's not a vulnerability, or even sane.
    forrestgump2000@...
    • Yeah, my thought too.

      Kind of like "It's not a bug, it's a feature"
      DevGuy_z
      • So it's basically a design flaw in the PDF specification?

        AzuMao
        • it appears so

          WHO would have expected that PDF allows executables to be run.
          Ridiculous.
          The title of this article is flawed -- it is a vulnerability. It just isn't one due to lame ass coding, but one that uses the product's own features against the user.
          Any vulnerability requires an exploit, and this is no different in that respect.
          That it is different from things like buffer overflows giving security access, etc., does not mean it is NOT a vulnerability.
          seannj427
      • Don't forget this one

        "Don't confuse a bad feature for a flaw."

        --World of Ye :D
        klumper
        • Similar to...

          ...the recent pwn-to-own failure of IE8.

          Gee, IE8 did what it was supposed to do. Only the side door was left wide open.

          ;)
          still not nice
  • RE: Hacker finds a way to exploit PDF files, without a vulnerability

    wtf! I thought FoxIT was safer. What are we supposed to use for reading pdf now? Ahh yes, ps viewer.
    myweirdopinion
    • PDF Reader

      I use Sumatra, it's skinny and low on resources. This sort of vulnerability would scare the crap outta me if I let it.
      cpt_slog@...
      • I also use Sumatra.

        I wonder how this will work with a Sumatra PDF reader that I currently have.
        Grayson Peddie
    • STDU Viewer is safe

      As far as I can tell, the STDU viewer (Scientific and Technical Document Utility) doesn't even launch the file or give you a dialog box asking you to launch it. Either that's a good thing because it won't be affected by the vulnerability, or it's a bad thing because it ignores the /Launch /Action function completely.

      I noticed that the Adobe Reader does have a check box that allows you to bypass the dialog box shown in the future, so if you've ever run a file that uses this legitimately, and you check that box, you're vulnerable against this flaw.
      BrewmanNH
    • Google Docs...

      ...I am a firm believer that if someone is going to offer me a chance to open documents remotely on their computers then why should I take the risk into my machine?
      ReadWryt (error)
  • it works only on windoze

    Linux is safe!
    Linux Geek
    • Sumatra works in Linux, though.

      Unless it doesn't follow the PDF specs, it is just as vulnerable to this as Adobe Reader.

      Although the attack would of course have to be specifically targeted at Linux and not Windows or OSX to run, and sandboxing Sumatra is trivial, so it wouldn't be able to do any real damage, but still... not good.
      AzuMao
      • I think what he was saying is that...

        ... the program is vulnerable but the system isn't (unless you were to stupidly run Sumatra as root, in which case you would deserve everything you got).
        gerrywastaken