PDF hack executes an embedded executable

Discussion in 'other security issues & news' started by mvario, Mar 30, 2010.

Thread Status:
Not open for further replies.
  1. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
     
  2. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    http://blogs.zdnet.com/security/?p=5929

     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,692
    Confirmed with Foxit :(

    poc.gif
     
  4. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Nuance PDF Reader and PDF-XChange Viewer give an error message and prevent it. SumatraPDF prevents it without error message.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,855
    Location:
    California
    Although he is correct that the exploit doesn't require a vulnerability, embedding binary executables in PDF files has been done before, and for the unpatched victim, there is no message box, so it's not a social engineering exploit, rather, simple remote code execution:

    Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
    http://isc.sans.org/diary.html?storyid=7867
    I've not gotten any of these to work on my older version of the PDF Reader.

    Likewise, his PoC file doesn't work.

    From the article, regarding the social engineering part of his exploit:

    The answer is surely yes, for in an office situation, users receive PDF and MSOffice documents daily and are prone to open them, since some may be from prospective clients whose names are not recognizable. So, the usual "rule" about not opening attachments doesn't apply.

    What to do? I discussed this with Peter2150 some time ago and in his office, his solution is Sandboxie, so that any untoward malicious actions will be contained.

    Since these malicious PDF and MSWord documents all launch an embedded binary executable, Anti-executable solutions will prevent these exploits from succeeding, as I showed with a malicious RTF document exploit last summer, which requires the user to click in a message box:

    http://www.wilderssecurity.com/showthread.php?t=244726

    ----
    rich
     
  6. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    904
    PDF-XChange Viewer - shows a warning icon "Show Broken Info" with the info:
    1. The attachment tab doesn't show files. :thumb:
    2. The document re-saved is without the warning. :thumb:
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In Adobe Reader, the setting Edit->Preferences->Trust Manager->'Allow opening of non-PDF file attachments with external applications' affects whether the command prompt executes or not.
     
  8. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
  9. Jav

    Jav Guest

    Yes, and this is the message you will get:
    Capture.JPG
     
  10. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
  11. Jav

    Jav Guest

    Nice one, I used it for some time.

    But I found it slow for large pdf files :(
     
  12. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    the story spreads...
     
  13. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Very handy, thanks.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    10,832
    Location:
    Saudi Arabia/ Pakistan
    PDF-XChange Viewer in Win 7.

    aa.jpg
    2 (2).jpg
    2 (1).jpg
     
    Last edited: Mar 31, 2010
  15. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Last edited: Mar 31, 2010
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    3,604
    Location:
    USA
    The gPDF is great! I have the entire office using it now.
     
  17. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,415
    Location:
    Europe
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    53,249
    Location:
    Texas
    Story
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    5,340
    Location:
    The Netherlands
    Of course this exploit didn't work on my machine, since no app is allowed to launch any other app without my permission.

    However, this PDF attack is quite a simple one, so I do wonder if my HIPS still protects against more advanced attacks (see link). I have tried to post a comment asking to test a classical HIPS like Malware Defender or SSM against this exploit, but somehow my comment doesn't appear on the site. Can perhaps someone else try it?

    http://pandalabs.pandasecurity.com/demonstrating-the-latest-ie-0-day-vulnerability/
     
  20. Anth-Unit

    Anth-Unit Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    108
    Does UAC stop this?
     
  21. Jav

    Jav Guest

    Most likely no.
    Unless the exploit tries to do something that requires administrative rights.

    But simply opening cmd.exe doesn't require it.
    So the PDF file which he gave as a test file will not trigger a UAC warning.

    But at the same time, the malware which will be executed may need admin rights, so it may trigger UAC...
    I think in this case UAC will ask permission for the PDF reader!? So the user may be misled...

    A similar thing goes for HIPS programs, most likely they will not warn when a PDF file just wants to launch cmd.exe.
    Maybe they will, in this case it will mean that it's a bit sensitive and warning on a lot more things as well.. :doubt:

    By what?
    Adobe Reader? SRP? AppLocker? Anti-Executable? Some HIPS program? Or any other software?
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,855
    Location:
    California
    This is often the problem with using a PoC to test security measures.

    This PoC demonstrates that the PDF code can launch an executable. It uses a trusted executable, cmd.exe, so it is allowed to open.

    When this exploit becomes used in cybercriminal exploit kits, it's a pretty good guess that it will not launch cmd.exe or the calculator! So, a better test is to modify the PoC PDF file to open a non-approved (non-white listed) executable and then see what your security does:

    pdfPoC.gif


    ----
    rich
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,855
    Location:
    California
    I would say yes.

    From the link:

    This is easy to test, since the TDSS trojan would be caught as an unauthorized (non-white listed) executable by most HIPS.

    Here I use an IE6 exploit to attempt to download the same non-approved executable I used in the PDF test above:

    ieAstro.gif

    These web-based remote code execution exploits that download trojans have no chance against any security that watches for non-approved (non-white listed) executables.

    ----
    rich
     
  24. Jav

    Jav Guest

    That's what I meant.

    We can't really test this exploit and different security setups against it.

    As the exploit template file which he gave us is harmless, the security we are testing will not stop it. Otherwise it would have been a false positive!?

    Thank you for clarifying, Rmus
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,855
    Location:
    California
    You are welcome.

    Here is a different PoC from Security-Labs.org that you can easily modify to test your security:

    http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf


    Open the file in a text editor and you see the command line to launch the calculator, calc.exe:

    pdfCDROM3.gif

    Here is what I just helped someone do to test:

    1) Insert a CD with a setup.exe file

    2) In the PoC PDF file, replace the path to calc.exe with the path to the CD ROM setup file.

    3) Close and save the PDF file.

    4) Then open the PDF file and OK the prompt to run this test.

    pdfCDROM.gif

    Since the Setup file is not already installed and authorized on your computer, your security should alert when it attempts to open:

    pdfCDROM1.gif

    pdfCDROM2.gif

    This simulates what a cybercriminal would do with a malicious executable embedded in the PDF file and how your security would prevent the running of that executable.

    ----
    rich
     
    Last edited: Apr 8, 2010
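    The two Rmus posts above make one point from the defender's side: a /Launch PoC that runs cmd.exe or calc.exe is a weak test of whitelisting security, and the real risk is the same action pointing at an arbitrary or embedded executable. The scanner below is an added example (written for this thread, not code from Didier Stevens, seclabs.org or any product named here) that triages a PDF before it is opened: it lists every /Launch action, the file it would run, whether it is wired to the catalog's /OpenAction (fires on open), whether a /P parameter string was supplied, and how many /EmbeddedFile objects the document carries. The three sample PDFs are constructed inline for the example; the hex-escaped name (/Laun#63h) and the D:\setup.exe target are assumptions chosen to mirror the "replace calc.exe with a setup file" test, not real artifacts from the thread. It works on the raw object syntax, so it does not see objects hidden inside compressed object streams or filtered streams; treat a negative result as "nothing visible", not "clean".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ---- Constructed samples (not real malware), shaped like the /Launch PoCs in the thread ----
# 1) Like the seclabs calc.pdf: /OpenAction points at a /Launch action for calc.exe.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
5 0 obj << /Type /Action /S /Launch /Win << /F (calc.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# 2) The modified test: non-whitelisted setup.exe (assumed path), action inline in the
#    catalog, name hex-escaped as /Laun#63h, plus a binary carried as an /EmbeddedFile.
MODIFIED_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R
  /OpenAction << /S /Laun#63h /Win << /F (D:\\setup.exe) /P (-silent) >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /EmbeddedFile /Length 2 >> stream
MZ
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# 3) A benign document with no actions at all.
CLEAN_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Targets the public PoCs use: trusted system binaries a whitelist will usually allow,
# so a PoC that launches them says little about whether your security blocks real malware.
POC_TARGETS = {"cmd.exe", "calc.exe"}

_HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")
_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)


@dataclass
class LaunchFinding:
    obj_num: int
    target: str        # the /F file the action would run (or a marker if /F is not a literal)
    has_params: bool   # a /P parameter string is passed to the target
    on_open: bool      # reachable from the catalog's /OpenAction, i.e. runs when the file opens

    @property
    def is_poc_target(self) -> bool:
        basename = re.split(r"[\\/]", self.target)[-1].lower()
        return basename in POC_TARGETS


@dataclass
class ScanReport:
    launches: List[LaunchFinding] = field(default_factory=list)
    embedded_files: int = 0

    @property
    def suspicious(self) -> bool:
        return bool(self.launches) or self.embedded_files > 0


def _normalise(raw: bytes) -> bytes:
    """Decode #xx escapes so /Laun#63h reads as /Launch. This also rewrites a '#' that
    happens to sit inside a literal string, which is acceptable for triage."""
    return _HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def _literal(body: bytes, key: bytes) -> Optional[bytes]:
    """Return the literal string value of /key (...) with \\( \\) \\\\ unescaped, else None."""
    m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", body)
    return re.sub(rb"\\([\\()])", rb"\1", m.group(1)) if m else None


def scan_pdf(data: bytes) -> ScanReport:
    data = _normalise(data)
    report = ScanReport()
    objects = {int(num): body for num, _gen, body in _OBJ.findall(data)}

    # What does the catalog run on open: an indirect reference or an inline action dict?
    open_ref, inline_open = None, False
    for num, body in objects.items():
        if re.search(rb"/Type\s*/Catalog", body):
            m = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", body)
            if m:
                open_ref = int(m.group(1))
            elif re.search(rb"/OpenAction\s*<<.*?/S\s*/Launch\b", body, re.DOTALL):
                inline_open = True

    for num, body in objects.items():
        if re.search(rb"/S\s*/Launch\b", body):
            target = _literal(body, b"F")  # /F may also be an indirect file spec; not resolved here
            report.launches.append(LaunchFinding(
                obj_num=num,
                target=(target or b"<non-literal /F>").decode("latin-1"),
                has_params=_literal(body, b"P") is not None,
                on_open=(num == open_ref)
                or (inline_open and re.search(rb"/Type\s*/Catalog", body) is not None),
            ))
        report.embedded_files += len(re.findall(rb"/Type\s*/EmbeddedFile\b", body))
    return report


def summarise(report: ScanReport) -> str:
    """Human-readable triage lines, one per finding."""
    lines = []
    for f in report.launches:
        kind = "PoC-style (trusted binary, weak test)" if f.is_poc_target else "arbitrary target"
        lines.append(f"obj {f.obj_num}: /Launch -> {f.target} [{kind}]"
                     f"{' on open' if f.on_open else ''}{' with /P' if f.has_params else ''}")
    if report.embedded_files:
        lines.append(f"{report.embedded_files} /EmbeddedFile object(s) present")
    return "\n".join(lines) if lines else "no /Launch or /EmbeddedFile objects visible"


if __name__ == "__main__":
    for name, pdf in (("sample", SAMPLE_PDF), ("modified", MODIFIED_PDF), ("clean", CLEAN_PDF)):
        print(f"== {name} ==\n{summarise(scan_pdf(pdf))}")
```

    To use it on a real file, read the bytes (`scan_pdf(open(path, "rb").read())`) and act on `report.suspicious` before handing the document to a reader; any /Launch action that is on-open and points outside the PoC targets is the case the thread is warning about.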