Disarming a PDF File

http://blog.didierstevens.com/2009/04/29/quickpost-disarming-a-pdf-file/

Originally it was a:

PDFiD is now included in VirusTotal. Below PEInfo.

 

Is this method of disabling Javascript in the Reader not effective?

Adobe Reader and Acrobat JavaScript Vulnerabilities
http://www.us-cert.gov/current/current_activity.html

My earlier version of the Reader does not have those Preferences, but removing the script Plugin from the Plugin folder accomplishes the same thing. Here is the Sneaky_2.pdf test file posted in one of the comments in the PDFiD tool page you cited.

With the Script Plugin removed:

​

Replacing the Plugin, the demonstration works:

​

You can test for yourself.

Also remember, not all PDF exploits use Javascript:

Adobe Acrobat pdf 0-day exploit, No JavaScript needed!
http://isc.sans.org/diary.html?storyid=5926

----
rich

 

I use Foxit instead of Adobe, but in my experience IE8's behavior in this regard holds true for all plugins; see attached image.

 

I guess, but since this is scriptable, there's always some use to it. I'm just forwarding this.

 

It's an interesting tool, but limited in what it can detect. A more effective scanner is Webpawnet, also mentioned in the comments, which is what I've used to look inside some of the exploit PDFs I've found. See this analysis. If you scroll to the bottom, you can see the URL to connect out for the malware:

http://wepawet.iseclab.org/view.php?hash=334a732f5d026b20eb24b860b3723833&type=js

It seems to me that the PDFiD tool could yield a false sense of security.

----
rich

 

Thank you Rich for the link. Very interesting!

 

Hi Eice,

Can you explain how this alert was triggered? Were you attempting to open a PDF file on the web?

thanks,

----
rich

 

Hi Pedro,

In thinking through the idea behind the PDFiD tool some more, I'm wondering how this relates to the current PDF exploits.

You have to have the PDF file on disk before you can scan. This limits protection to

• the email attack vector, where you would scan the file before reading;
  
  
• or downloading a PDF file from a web site, then scanning before reading.

However, I just downloaded some PDF white papers and I didn't bother scanning them because I trust the source. And while I've never received a PDF by email from an unknown person, I wouldn't hesitate to delete it immediately.

It seems to me that home users can get caught up in the media activity about malware attacks and lose reliance on their own judgment about these things and not trust anything. Do you really want to scan all PDF documents you download? If not, how do you choose which to scan? Will a scanner be any more reliable than your own judgment? Even the Webpawnet scanner is limited to Javascript exploits. What if the PDF file doesn't exploit a javascript vulnerability?

On the other hand, in a Corporate environment where PDF and other document files are regularly sent/received by email, targeted attacks have been successful, and a scanner might be useful, subject to the above limitations, because evidently people regularly receive unsolicited document files -- product proposals and the like -- and will gladly open them.

For the drive-by download attacks, a scanner would be of no help because the PDF file is loaded w/o user action, whereupon it executes code to connect out for a malware download.

More basic preventative measures would nullify the attack at the outset, negating the need to "disarm" the PDF file: it would never gain access to the computer in the first place.

----
rich