PDF hack executes an embedded executable

Discussion in 'other security issues & news' started by mvario, Mar 30, 2010.

Thread Status:
Not open for further replies.
  1. mvario

    mvario Registered Member

    http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
  2. mvario

    mvario Registered Member

    http://blogs.zdnet.com/security/?p=5929

  3. CloneRanger

    CloneRanger Registered Member

    Confirmed with Foxit :(

    poc.gif
  4. mvario

    mvario Registered Member

    Nuance PDF Reader and PDF-XChange Viewer give an error message and prevent it. SumatraPDF prevents it without error message.
  5. Rmus

    Rmus Exploit Analyst

    Although he is correct that the exploit doesn't require a vulnerability, embedding binary executables in PDF files has been done before, and for the unpatched victim, there is no message box, so it's not a social engineering exploit, rather, simple remote code execution:

    Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
    http://isc.sans.org/diary.html?storyid=7867
    I've not gotten any of these to work on my older version of the PDF Reader.

    Likewise, his PoC file doesn't work.

    From the article, regarding the social engineering part of his exploit:

    The answer is surely yes, for in an office situation, users receive PDF and MSOffice documents daily and are prone to open them, since some may be from prospective clients whose names are not recognizable. So, the usual "rule" about not opening attachments doesn't apply.

    What to do? I discussed this with Peter2150 some time ago and in his office, his solution is Sandboxie, so that any untoward malicious actions will be contained.

    Since these malicious PDF and MSWord documents all launch an embedded binary executable, Anti-executable solutions will prevent these exploits from succeeding, as I showed with a malicious RTF document exploit last summer, which requires the user to click in a message box:

    http://www.wilderssecurity.com/showthread.php?t=244726

    ----
    rich
  6. majoMo

    majoMo Registered Member

    PDF-XChange Viewer - shows a warning icon "Show Broken Info" with the info:
    1. The attachment tab doesn't show files. :thumb:
    2. The document re-saved is without the warning. :thumb:
  7. MrBrian

    MrBrian Registered Member

    In Adobe Reader, the setting Edit->Preferences->Trust Manager->'Allow opening of non-PDF file attachments with external applications' affects whether the command prompt executes or not.
  8. mvario

    mvario Registered Member

  9. Jav

    Jav Guest

    Yes, and this is the message you will get:
    Capture.JPG
  10. mvario

    mvario Registered Member

  11. Jav

    Jav Guest

    nice one, I used it for some time.

    But I found it slow for large pdf files :(
  12. mvario

    mvario Registered Member

    the story spreads...
  13. Sadeghi85

    Sadeghi85 Registered Member

    Very handy, Thanks.
  14. aigle

    aigle Registered Member

    PDF-XChange Viewer in Win 7.

    aa.jpg
    2 (2).jpg
    2 (1).jpg
    Last edited: Mar 31, 2010
  15. mvario

    mvario Registered Member

    Last edited: Mar 31, 2010
  16. xxJackxx

    xxJackxx Registered Member

    The gPDF is great! I have the entire office using it now.
  17. Pinga

    Pinga Registered Member

  18. ronjor

    ronjor Global Moderator

    Story
  19. Rasheed187

    Rasheed187 Registered Member

    Of course this exploit didn't work on my machine, since no app is allowed to launch any other app without my permission.

    However, this PDF attack is quite a simple one, so I do wonder if my HIPS still protects against more advanced attacks (see link). I have tried to post a comment asking to test a classical HIPS like Malware Defender or SSM against this exploit, but somehow my comment doesn't appear on the site. Can perhaps someone else try it?

    http://pandalabs.pandasecurity.com/demonstrating-the-latest-ie-0-day-vulnerability/
  20. Anth-Unit

    Anth-Unit Registered Member

    Does UAC stop this?
  21. Jav

    Jav Guest

    Most likely no.
    Unless the exploit tries to do something that requires administrative rights.

    But simply opening cmd.exe doesn't require it.
    So the PDF file which he gave as a test file will not trigger a UAC warning.

    But at the same time, the malware which will be executed may need admin rights, so it may trigger UAC...
    I think in this case UAC will ask permission for the PDF reader!? So the user may be misled...

    A similar thing goes for HIPS programs; most likely they will not warn when a PDF file just wants to launch cmd.exe.
    Maybe they will; in this case it will mean that it's a bit sensitive and warning on a lot more things as well.. :doubt:

    By what?
    Adobe Reader? SRP? AppLocker? Anti-Executable? Some HIPS program? or any other software?
  22. Rmus

    Rmus Exploit Analyst

    This is often the problem with using a PoC to test security measures.

    This PoC demonstrates that the PDF code can launch an executable. It uses a trusted executable, cmd.exe, so it is allowed to open.

    When this exploit becomes used in cybercriminal exploit kits, it's a pretty good guess that it will not launch cmd.exe or the calculator! So, a better test is to modify the PoC PDF file to open a non-approved (non-white listed) executable and then see what your security does:

    pdfPoC.gif


    ----
    rich
  23. Rmus

    Rmus Exploit Analyst

    I would say yes.

    From the link:

    This is easy to test, since the TDSS trojan would be caught as an unauthorized (non-white listed) executable by most HIPS.

    Here I use an IE6 exploit to attempt to download the same non-approved executable I used in the PDF test above:

    ieAstro.gif

    These web-based remote code execution exploits that download trojans have no chance against any security that watches for non-approved (non-white listed) executables.

    ----
    rich
  24. Jav

    Jav Guest

    That's what I meant.

    We can't really test this exploit and different security setups against it.

    As the exploit template file which he gave us is harmless, the security we are testing will not stop it. Otherwise it would have been a False Positive!?

    Thank you for clarifying, Rmus
  25. Rmus

    Rmus Exploit Analyst

    You are welcome.

    Here is a different PoC from Security-Labs.org that you can easily modify to test your security:

    http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf


    Open the file in a text editor and you see the command line to launch the calculator, calc.exe:

    pdfCDROM3.gif

    Here is what I just helped someone do to test:

    1) Insert a CD with a setup.exe file

    2) In the PoC PDF file, replace the path to calc.exe with the path to the CD ROM setup file.

    3) Close and save the PDF file.

    4) Then open the PDF file and OK the prompt to run this test.

    pdfCDROM.gif

    Since the Setup file is not already installed and authorized on your computer, your security should alert when it attempts to open:

    pdfCDROM1.gif

    pdfCDROM2.gif

    This simulates what a cybercriminal would do with a malicious executable embedded in the PDF file and how your security would prevent the running of that executable.

    ----
    rich
    Last edited: Apr 8, 2010
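A defender-side check for the indicators Rmus's two posts above rely on (a /Launch action, the command line it carries, whether it fires on open, and an embedded file), as an added example that is not from the thread or from Didier Stevens' PoC. The sample bytes are constructed here and are deliberately not a complete PDF; the function names are this example's own.

```python
import re

# Constructed sample in the style of the /Launch PoC discussed in this thread.
# Only a fragment (no xref or trailer): the scanner reads raw bytes, so that is
# enough for the checks. Note the #XX-escaped name, a common evasion of grep.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /#4Caunch /Win << /F (cmd.exe) /P (/c echo test) >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STR_RE = rb"\(((?:\\.|[^\\)])*)\)"  # one PDF literal string, honouring \) escapes

def normalize_names(data: bytes) -> bytes:
    """Decode #XX escapes in PDF names so that /#4Caunch is seen as /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def find_launch_actions(data: bytes) -> list:
    """One dict per object carrying a /Launch action: object number, the
    target file (/F) and the parameters (/P) that would be passed to it."""
    found = []
    for num, _gen, body in OBJ_RE.findall(normalize_names(data)):
        if not re.search(rb"/S\s*/Launch\b", body):
            continue
        f = re.search(rb"/F\s*" + STR_RE, body)
        p = re.search(rb"/P\s*" + STR_RE, body)
        found.append({
            "obj": int(num),
            "file": f.group(1).decode("latin-1") if f else None,
            "params": p.group(1).decode("latin-1") if p else None,
        })
    return found

def assess(data: bytes) -> dict:
    """Summarise the indicators the thread discusses: Launch actions, whether
    one fires on open (/OpenAction or /AA), and whether a file is embedded."""
    norm = normalize_names(data)
    launches = find_launch_actions(data)
    return {
        "launch_actions": launches,
        "auto_trigger": bool(re.search(rb"/(OpenAction|AA)\b", norm)),
        "embedded_file": bool(re.search(rb"/(EmbeddedFile|EF)\b", norm)),
        "suspicious": bool(launches),
    }
```

Objects packed into compressed object streams are invisible to a raw-byte scan like this one; Didier Stevens' pdfid and pdf-parser tools, from the blog linked in the first post, decode those before looking for the same names.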