Discussion in 'other security issues & news' started by mvario, Mar 30, 2010.
Confirmed with Foxit
Nuance PDF Reader and PDF-XChange Viewer give an error message and prevent it. SumatraPDF prevents it without error message.
Although he is correct that the exploit doesn't require a vulnerability, embedding binary executables in PDF files has been done before, and for the unpatched victim, there is no message box, so it's not a social engineering exploit, rather, simple remote code execution:
Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
I've not gotten any of these to work on my older version of the PDF Reader.
Likewise, his PoC file doesn't work.
From the article, regarding the social engineering part of his exploit:
The answer is surely yes, for in an office situation, users receive PDF and MSOffice documents daily and are prone to open them, since some may be from prospective clients whose names are not recognizable. So, the usual "rule" about not opening attachments doesn't apply.
What to do? I discussed this with Peter2150 some time ago and in his office, his solution is Sandboxie, so that any untoward malicious actions will be contained.
Since these malicious PDF and MSWord documents all launch an embedded binary executable, Anti-executable solutions will prevent these exploits from succeeding, as I showed with a malicious RTF document exploit last summer, which requires the user to click in a message box:
PDF-XChange Viewer - shows a warning icon "Show Broken Info" with the info:
1. The attachment tab doesn't show files.
2. The document re-saved is without the warning.
In Adobe Reader, the setting Edit->Preferences->Trust Manager->'Allow opening of non-PDF file attachments with external applications' affects whether the command prompt executes or not.
Someone asked about it on Foxit's forum:
Yes, and this is the message you will get:
an alternate .pdf viewing option:
nice one, I used it for sometime.
But I found it slow for large pdf files
the story spreads...
Very handy, Thanks.
PDFExchange viewer in Win 7.
My pleasure. I think I'll be defaulting to gPDF for .pdf files myself for the time being, at least on my XP box, all things considered...
The gPDF is great! I have the entire office using it now.
I've ditched Adobe Reader in favour of super-configurable - and portable! - PDF-XChange Viewer and I've been very satisfied!
Of course this exploit didn't work on my machine, since no app is allowed to launch any other app without my permission.
However, this PDF attack is quite a simple one, so I do wonder if my HIPS still protects against more advanced attacks (see link). I have tried to post a comment asking to test a classical HIPS like Malware Defender or SSM against this exploit, but somehow my comment doesn't appear on the site. Can perhaps someone else try it?
Does UAC stop this?
Most likely no.
Unless the exploit tries to do something that requires administrative rights.
But simply opening cmd.exe doesn't require it.
So the PDF file which he gave as a test file will not trigger a UAC warning.
But at the same time, the malware which will be executed may need admin rights, so it may trigger UAC...
I think in this case UAC will ask permission for the PDF reader!? So the user may be misled...
A similar thing goes for HIPS programs; most likely they will not warn when a PDF file just wants to launch cmd.exe.
Maybe they will; in this case it will mean that it's a bit sensitive and warning on a lot more things as well..
Adobe Reader? SRP? AppLocker? Anti-Executable? Some HIPS program? or any other software?
This is often the problem with using a PoC to test security measures.
This PoC demonstrates that the PDF code can launch an executable. It uses a trusted executable, cmd.exe, so it is allowed to open.
When this exploit becomes used in cybercriminal exploit kits, it's a pretty good guess that it will not launch cmd.exe or the calculator! So, a better test is to modify the PoC PDF file to open a non-approved (non-white listed) executable and then see what your security does:
I would say yes.
From the link:
This is easy to test, since the TDSS trojan would be caught as an unauthorized (non-white listed) executable by most HIPS.
Here I use an IE6 exploit to attempt to download the same non-approved executable I used in the PDF test above:
These web-based remote code execution exploits that download trojans have no chance against any security that watches for non-approved (non-white listed) executables.
That's what I meant.
We can't really test this exploit and different security setups against it.
Since the exploit template file which he gave us is harmless, the security we are testing will not stop it. Otherwise it would have been a false positive!?
Thank you for clarifying, Rmus
You are welcome.
Here is a different PoC from Security-Labs.org that you can easily modify to test your security:
Open the file in a text editor and you see the command line to launch the calculator, calc.exe:
Here is what I just helped someone do to test:
1) Insert a CD with a setup.exe file
2) In the PoC PDF file, replace the path to calc.exe with the path to the CD ROM setup file.
3) Close and save the PDF file.
4) Then open the PDF file and OK the prompt to run this test.
Since the Setup file is not already installed and authorized on your computer, your security should alert when it attempts to open:
This simulates what a cybercriminal would do with a malicious executable embedded in the PDF file and how your security would prevent the running of that executable.
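As an added example, not code posted by anyone in this thread and not the project code of any tool it mentions: the PoC discussed above works by a PDF action that launches an external program, and the same file shown in a text editor exposes that action as plain PDF name keywords. The script below does a triage pass of the kind Didier Stevens' pdfid.py popularised, counting the names that matter here (the launch action, the automatic triggers /OpenAction and /AA, attached files) and normalising the #xx hex escapes PDF allows inside names, since a name like /L#61unch is the same as /Launch to the reader but would slip past a naive grep. The two sample inputs are constructed fragments, not valid or working PDF documents, and the keyword set is my choice.

```python
import re

# PDF name objects may hide keywords with #xx hex escapes (/L#61unch == /Launch),
# so every name is decoded before matching; this is the same trick pdfid.py uses.
NAME_RE = re.compile(rb'/([A-Za-z0-9#_.\-]+)')
HEX_ESC = re.compile(rb'#([0-9A-Fa-f]{2})')

# Keywords counted in a triage pass (my selection, not an exhaustive list):
# Launch       - action type that starts an external program, as in the PoC above
# OpenAction   - runs an action when the document is opened, no click needed
# AA           - "additional actions" triggered by page/document events
# EmbeddedFile - file attachments that a launch action may point at
# JavaScript/JS - scripted actions, the other common carrier of PDF exploits
KEYWORDS = (b"Launch", b"OpenAction", b"AA", b"EmbeddedFile", b"JavaScript", b"JS")

# Constructed sample fragments (not complete PDFs): one benign, one carrying an
# obfuscated launch action wired to the document-open trigger.
SAMPLE_CLEAN = (b"%PDF-1.4\n"
                b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"%%EOF")
SAMPLE_LAUNCH = (b"%PDF-1.4\n"
                 b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                 b"3 0 obj << /Type /Action /S /L#61unch >> endobj\n"
                 b"%%EOF")


def unescape_name(raw: bytes) -> bytes:
    """Decode #xx escapes inside a PDF name so /L#61unch compares equal to /Launch."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count interesting name keywords in raw PDF bytes.

    Returns {'counts': {keyword: n}, 'obfuscated_names': n}; a non-zero
    obfuscated count is itself a signal, since legitimate producers rarely
    escape plain ASCII letters in names.
    """
    counts = {k.decode(): 0 for k in KEYWORDS}
    obfuscated = 0
    for m in NAME_RE.finditer(data):
        raw = m.group(1)
        name = unescape_name(raw)
        if name != raw:
            obfuscated += 1
        if name in KEYWORDS:
            counts[name.decode()] += 1
    return {"counts": counts, "obfuscated_names": obfuscated}


def launch_risk(data: bytes) -> str:
    """Rough verdict for the launch-action case discussed in the thread."""
    c = scan_pdf_bytes(data)["counts"]
    if c["Launch"] and (c["OpenAction"] or c["AA"]):
        return "high"    # launch action tied to an automatic trigger
    if c["Launch"]:
        return "medium"  # launch action present, needs a user-driven trigger
    return "low"


if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("launch", SAMPLE_LAUNCH)):
        print(label, scan_pdf_bytes(blob), launch_risk(blob))
```

This only looks at names in the raw bytes, so it will miss actions stored inside compressed object streams (PDF 1.5+); for those the file has to be inflated first, which is the same limitation pdfid has and the reason pdf-parser-style tools exist. It is a triage check for a mail gateway or an incident handler's first look, not a replacement for the application-control layer the posters above rely on.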