Wilders Security Forums  

#1  March 30th, 2010, 03:55 PM  mvario
PDF hack executes an embedded executable

http://blog.didierstevens.com/2010/0...cape-from-pdf/
Quote:
Escape From PDF
This is a special PDF hack: I managed to make a PoC PDF to execute an embedded executable without exploiting any vulnerability!
I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.
#2  March 30th, 2010, 06:01 PM  mvario

http://blogs.zdnet.com/security/?p=5929

Quote:
A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities....
#3  March 30th, 2010, 06:08 PM  CloneRanger

Confirmed with Foxit

[Attachment: poc.gif]
#4  March 30th, 2010, 06:31 PM  mvario

Nuance PDF Reader and PDF-XChange Viewer give an error message and prevent it. SumatraPDF prevents it without error message.
#5  March 30th, 2010, 06:58 PM  Rmus

Although he is correct that the exploit doesn't require a vulnerability, embedding binary executables in PDF files has been done before, and for the unpatched victim there is no message box, so it's not a social engineering exploit but rather simple remote code execution:

Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
http://isc.sans.org/diary.html?storyid=7867
Quote:
From the analysis, we learn that the malicious executable is embedded in the PDF file, meaning that a connection out to another server is not required.
I've not gotten any of these to work on my older version of the PDF Reader.

Likewise, his PoC file doesn't work.

From the article, regarding the social engineering part of his exploit:

Quote:
Do you believe this could this mislead some of your users?
The answer is surely yes, for in an office situation, users receive PDF and MSOffice documents daily and are prone to open them, since some may be from prospective clients whose names are not recognizable. So, the usual "rule" about not opening attachments doesn't apply.

What to do? I discussed this with Peter2150 some time ago and in his office, his solution is Sandboxie, so that any untoward malicious actions will be contained.

Since these malicious PDF and MSWord documents all launch an embedded binary executable, Anti-executable solutions will prevent these exploits from succeeding, as I showed with a malicious RTF document exploit last summer, which requires the user to click in a message box:

http://www.wilderssecurity.com/showthread.php?t=244726

----
rich
#6  March 30th, 2010, 07:19 PM  majoMo

PDF-XChange Viewer - shows a warning icon "Show Broken Info" with the info:
Quote:
This document " ( ... ) " has errors.

Some problems were detected by application:
- Errors detected in the XREF table.

It is recomended you re-save this document.
1. The attachment tab doesn't show files.
2. The document re-saved is without the warning.
#7  March 30th, 2010, 07:23 PM  MrBrian

In Adobe Reader, the setting Edit->Preferences->Trust Manager->'Allow opening of non-PDF file attachments with external applications' affects whether the command prompt executes or not.
#8  March 31st, 2010, 04:17 PM  mvario

Someone asked about it on Foxit's forum:

Quote:
this issue has been confirmed, and a maintenance version will be released within this week.
http://forums.foxitsoftware.com//sho...07&postcount=3
#9  March 31st, 2010, 04:33 PM  Jav

Quote:
Originally Posted by MrBrian
In Adobe Reader, the setting Edit->Preferences->Trust Manager->'Allow opening of non-PDF file attachments with external applications' affects whether the command prompt executes or not.

Yes, and this is the message you will get:
[Attachment: Capture.JPG]
#10  March 31st, 2010, 05:14 PM  mvario

an alternate .pdf viewing option:
Quote:
gPDF – Open PDF Links Directly In Google Docs Viewer

http://blog.arpitnext.com/gpdf
#11  March 31st, 2010, 06:40 PM  Jav

Quote:
Originally Posted by mvario
an alternate .pdf viewing option:
Nice one, I used it for some time.

But I found it slow for large pdf files
#12  March 31st, 2010, 06:55 PM  mvario

the story spreads...
Quote:
Mikko Hypponen, chief research officer at net security firm F-Secure, spurred on by this research, took a closer look at specifications for the PDF file format to see what kind of content was allowed. He discovered you can embed movies and songs, JavaScript, and forms that upload data a user inputs to a web server within PDFs. And there's no forgetting the function within PDF specs to launch executables.
"With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins," Hypponen writes. "It's no wonder there are regular security problems with PDF readers in general."

http://www.theregister.co.uk/2010/03/31/pdf_insecurity/
#13  March 31st, 2010, 07:43 PM  Sadeghi85

Quote:
Originally Posted by mvario
an alternate .pdf viewing option:

Quote:
gPDF – Open PDF Links Directly In Google Docs Viewer

http://blog.arpitnext.com/gpdf

Very handy, thanks.
#14  March 31st, 2010, 08:14 PM  aigle

PDFExchange viewer in Win 7.

[Attachments: aa.jpg, 2 (2).jpg, 2 (1).jpg]
#15  March 31st, 2010, 09:06 PM  mvario

Quote:
Originally Posted by Sadeghi85
Very handy, Thanks.

My pleasure. I think I'll be defaulting to gPDF for .pdf files myself for the time being, at least on my XP box, all things considered...
http://www.theregister.co.uk/2010/03...eader_attacks/
http://www.blade-defender.org/eval-lab/

#16  April 1st, 2010, 03:46 PM  xxJackxx

The gPDF is great! I have the entire office using it now.
#17  April 1st, 2010, 04:55 PM  Pinga

Quote:
Does PDF stand for Problematic Document Format?
http://www.f-secure.com/weblog/archives/00001923.html

I've ditched Adobe Reader in favour of the super-configurable - and portable! - PDF-XChange Viewer and I've been very satisfied!

http://www.docu-track.com/product/pdf-xchange-viewer
#18  April 1st, 2010, 11:47 PM  ronjor

Quote:
Adobe, Foxit examine new no-bug-needed PDF hack

By Gregg Keizer

Computerworld - Adobe and Foxit Software are investigating attacks based on a new tactic that embeds attack code in rigged PDF documents, the two companies said today.

Only Foxit has promised to address the problem, however.
Story
#19  April 5th, 2010, 09:08 AM  Rasheed187

Of course this exploit didn't work on my machine, since no app is allowed to launch any other app without my permission.

However, this PDF attack is quite a simple one, so I do wonder if my HIPS still protects against more advanced attacks (see link). I have tried to post a comment asking to test a classical HIPS like Malware Defender or SSM against this exploit, but somehow my comment doesn't appear on the site. Can perhaps someone else try it?

http://pandalabs.pandasecurity.com/d...vulnerability/
#20  April 7th, 2010, 06:46 AM  Anth-Unit

Does UAC stop this?
#21  April 8th, 2010, 07:15 AM  Jav

Quote:
Originally Posted by Anth-Unit
Does UAC stop this?
Most likely no.
Unless the exploit tries to do something that requires administrative rights.

But simply opening cmd.exe doesn't require it.
So the pdf file which he gave as a test file will not trigger a UAC warning.

But at the same time, the malware which will be executed may need admin rights, so it may trigger UAC...
I think in this case UAC will ask permission for the PDF reader!? So the user may be misled...

Similar thing goes for HIPS programs, most likely they will not warn when a pdf file just wants to launch cmd.exe.
Maybe they will, in this case it will mean that it's a bit sensitive and warning on a lot more things as well..

Quote:
Originally Posted by Rasheed187
Of course this exploit didn't work on my machine, since no app is allowed to launch any other app without my permission.
By what?
Adobe Reader? SRP? AppLocker? Anti-Executable? Some HIPS program? Or any other software?
#22  April 8th, 2010, 12:41 PM  Rmus

Quote:
Originally Posted by Jav
So the pdf file which he gave as test file, will not trigger UAC warning.
This is often the problem with using a PoC to test security measures.

This PoC demonstrates that the PDF code can launch an executable. It uses a trusted executable, cmd.exe, so it is allowed to open.

When this exploit becomes used in cybercriminal exploit kits, it's a pretty good guess that it will not launch cmd.exe or the calculator! So, a better test is to modify the PoC PDF file to open a non-approved (non-white listed) executable and then see what your security does:

[Attachment: pdfPoC.gif]

----
rich
#23  April 8th, 2010, 12:54 PM  Rmus

Quote:
Originally Posted by Rasheed187
Of course this exploit didn´t work on my machine, since no app is allowed to launch any other app without my permission.

However, this PDF attack is quite a simple one, so I do wonder if my HIPS still protects against more advanced attacks (see link).
I would say yes.

From the link:

Quote:
Yesterday, Microsoft issued a security advisory for an unpatched and actively exploited invalid reference pointer vulnerability in the Internet Explorer 6 and 7 web browsers. In the attack we observed, the exploit code will load the TDSS.CQ trojan, which is designed to steal personal and sensitive data.
This is easy to test, since the TDSS trojan would be caught as an unauthorized (non-white listed) executable by most HIPS.

Here I use an IE6 exploit to attempt to download the same non-approved executable I used in the PDF test above:

[Attachment: ieAstro.gif]

These web-based remote code execution exploits that download trojans have no chance against any security that watches for non-approved (non-white listed) executables.

----
rich
#24  April 8th, 2010, 03:22 PM  Jav

Quote:
Originally Posted by Rmus
This is often the problem with using a PoC to test security measures.

This PoC demonstrates that the PDF code can launch an executable. It uses a trusted executable, cmd.exe, so it is allowed to open.


That's what I meant.

We can't really test this exploit and different security setups against it.

As the exploit template file which he gave us is harmless, the security we are testing will not stop it. Otherwise it would have been a false positive!?

Thank you for clarifying, Rmus
#25  April 8th, 2010, 04:25 PM  Rmus

You are welcome.

Here is a different PoC from Security-Labs.org that you can easily modify to test your security:

http://seclabs.org/fred/docs/sstic09...aunch/calc.pdf


Open the file in a text editor and you see the command line to launch the calculator, calc.exe:

[Attachment: pdfCDROM3.gif]

Here is what I just helped someone do to test:

1) Insert a CD with a setup.exe file

2) In the PoC PDF file, replace the path to calc.exe with the path to the CD ROM setup file.

3) Close and save the PDF file.

4) Then open the PDF file and OK the prompt to run this test.

[Attachment: pdfCDROM.gif]

Since the Setup file is not already installed and authorized on your computer, your security should alert when it attempts to open:

[Attachments: pdfCDROM1.gif, pdfCDROM2.gif]

This simulates what a cybercriminal would do with a malicious executable embedded in the PDF file and how your security would prevent the running of that executable.

----
rich
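The thread's PoC is a /Launch action that the document's /OpenAction fires on open, and Rmus points out the target command line is visible in the raw file. The scanner below, an added example that is not Didier Stevens' PoC nor any tool from the thread, finds that pattern in a PDF before a reader opens it (useful for mail-gateway or triage checks); the sample bytes are constructed, and the handling of #xx escapes in PDF names (an evasion the thread does not mention) is an assumption added here.

```python
import re

# Constructed sample (not the thread's PoC): PDF objects in the shape the
# thread describes, a /Launch action referenced by the catalog's /OpenAction.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
3 0 obj
<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo hi) >> >>
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
OPEN_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")
# /OpenAction written as a direct dictionary that is itself a launch action.
OPEN_INLINE_RE = re.compile(rb"/OpenAction\s*<<.{0,300}?/S\s*/Launch", re.S)
LAUNCH_RE = re.compile(rb"/S\s*/Launch")
FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")   # target file as a literal string
PARAM_RE = re.compile(rb"/P\s*\(([^)]*)\)")  # command parameters, same form


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so /L#61unch reads as /Launch. Applied to the whole
    buffer for scanning only; a full parser would limit this to name tokens."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def find_launch_actions(data: bytes) -> list:
    """One record per object holding a /Launch action: object number, target
    file and parameters (literal strings only), and whether /OpenAction fires it."""
    data = normalise_names(data)
    ref = OPEN_REF_RE.search(data)
    auto_obj = int(ref.group(1)) if ref else None
    findings = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        if not LAUNCH_RE.search(body):
            continue
        f, p = FILE_RE.search(body), PARAM_RE.search(body)
        findings.append({
            "obj": num,
            "file": f.group(1).decode("latin-1") if f else None,
            "params": p.group(1).decode("latin-1") if p else None,
            # Runs on open if the catalog references it or embeds it directly.
            "on_open": num == auto_obj or bool(OPEN_INLINE_RE.search(body)),
        })
    return findings
```

Any hit with `on_open` set is the no-click case the thread confirms in Foxit; a hit without it still warrants a look, since a viewer may fire it from a link or form button.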