Malicious PDF Example

This is a POC !

Not sure how many people would get caught out with this ? Maybe not you but regular Jo's might !





Deny =



Permit =



If you want the Demo PDF link you can PM me for it

 

thanks @CloneRanger for sharing this
but adobe reader 10 cant stop this kind of exploits !!!!
i believe xencare can block any kind of this attack just like appgurad
btw.. pmed u

PS : aha u r using foxit ...i heard it's vulnerable and seems like u r using old version ...sorry if this out of subject ..i am just wondering

 

It,s interesting!

 

On any Windows OS, the very first blocking HIPS rule I make is to block access to cmd.exe or command.com. This one, more than any other, is the system component to which access must be restricted. I'd be interested to see if this demo is any different from an older POC that I have. Could you PM me the link? Thanks.

 

@ SUPERIOR

You're right i was, thanks

@ aigle & noone_particular

Done

*

Upgraded to the latest version and launched the POC, clicking NO to this prompt



Launched the POC again



Also saw This is a secure PDF. as before

Enabled SRM and launched the POC again



This time Script Defender jumped in, wonder why it didn't before ?



Executing or Aborting showed This is a secure PDF. as before, but i noticed nothing else ?

ProcessGuard alerted me several times as before with the .cmd alert

Couldn't see anything with Autoruns/ProcessExplorer ? As i'm in Shadow Defender mode, rebooting would flush anything that "might be there. If someone could try it in VM or with imaging

 

Interesting POC (thanks again CloneRanger!) but strange that in my case it is looking for cmd.exe in my user's appdata folder?? PDFXchange warns about it. Three shots posted, including the details...

*EDIT* maybe it's because the user's appdata directory is a candidate target to write to in a standard account?

 

Have you tested the PoC against Adobe Reader 10?

-edit-

Wouldn't disabling the option in Preferences - Trust Manager - PDF File Attachments - "Allow opening of non-PDF file attachments with external applications" stop this?

 

I believe this possibly was discussed back in 2010 at Wilders. Reference: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/.

 

very strange is it related to windows or program itself
i dont think it's about standard account ...correct me if i am wrong


@CloneRanger
tested it in VM ...nothing serious ....by parsing this file, it only run cmd with command

@MrBrian
i think so ...it's kinda an old exploit (like overflow exploit i believe)

@m00nbl00d
adobe 10 tested ..and the execution was blocked

enlabling or disabling this option will block "cmd" from running ...maybe because it's an old exploit
try this on 0day exploits

 

Which is why I don't care for PoCs. In all cases, if upon a real exploit (0-day, for example), it would first need to get out of Adobe Reader 10 sandbox, then EMET, then Sandboxie, then a few other restrictions I've applied. If it succeeded , then I would retreat myself from computers.

 

my avast blocks it from download. So, disabled and tested adobe reader 9.4.2

its successfully blocked and an alert is fired up as shown in the attachment.
PS. Not a single peep from comodo. Guess as adobe prevented it, no pop-ups from comodo...

Thanks,
Harsha.

 

@ wat0114

You're welcome Good to see that PDFXchange warns about it

@ MrBrian

Thanks it is similar, but not the same. I believe the DS one didn't involve VBS either.

@ SUPERIOR

Thanks for testing it in VM

@ harsha_mic

Yes Avira initially blocked for me too.

It says Blocked by SysAdmin which could mean several things i presume. If Adobe has an option to allow such things, as Foxit does, as shown in one of my screenies, you might allow it and see if Comodo bites