Disarming a PDF File

Discussion in 'other security issues & news' started by Pedro, May 2, 2009.

Thread Status:
Not open for further replies.
  1. Pedro (Registered Member; joined Nov 2, 2006; 3,502 posts)
    http://blog.didierstevens.com/2009/04/29/quickpost-disarming-a-pdf-file/

    Originally it was a:
    PDFiD is now included in VirusTotal. Below PEInfo.
     
  2. Rmus (Exploit Analyst; joined Mar 16, 2005; 3,943 posts; location: California)
    Is this method of disabling Javascript in the Reader not effective?

    Adobe Reader and Acrobat JavaScript Vulnerabilities
    http://www.us-cert.gov/current/current_activity.html
    My earlier version of the Reader does not have those Preferences, but removing the script Plugin from the Plugin folder accomplishes the same thing. Here is the Sneaky_2.pdf test file posted in one of the comments in the PDFiD tool page you cited.

    With the Script Plugin removed:

    pdfSneaky-1.gif

    Replacing the Plugin, the demonstration works:

    pdfSneaky-2.gif

    You can test for yourself.

    Also remember, not all PDF exploits use Javascript:

    Adobe Acrobat pdf 0-day exploit, No JavaScript needed!
    http://isc.sans.org/diary.html?storyid=5926
    ----
    rich
     
  3. Eice (Registered Member; joined Jan 22, 2009; 1,413 posts)
    I use Foxit instead of Adobe, but in my experience IE8's behavior in this regard holds true for all plugins; see attached image.
     


  4. Pedro (Registered Member; joined Nov 2, 2006; 3,502 posts)
    I guess, but since this is scriptable, there's always some use to it. I'm just forwarding this.
     
  5. Rmus (Exploit Analyst; joined Mar 16, 2005; 3,943 posts; location: California)
    It's an interesting tool, but limited in what it can detect. A more effective scanner is Wepawet, also mentioned in the comments, which is what I've used to look inside some of the exploit PDFs I've found. See this analysis. If you scroll to the bottom, you can see the URL to connect out for the malware:

    http://wepawet.iseclab.org/view.php?hash=334a732f5d026b20eb24b860b3723833&type=js

    It seems to me that the PDFiD tool could yield a false sense of security.

    ----
    rich
     
  6. Pedro (Registered Member; joined Nov 2, 2006; 3,502 posts)
    Thank you Rich for the link. Very interesting!
     
  7. Rmus (Exploit Analyst; joined Mar 16, 2005; 3,943 posts; location: California)
    Hi Eice,

    Can you explain how this alert was triggered? Were you attempting to open a PDF file on the web?

    thanks,

    ----
    rich
     
  8. Rmus (Exploit Analyst; joined Mar 16, 2005; 3,943 posts; location: California)
    Hi Pedro,

    In thinking through the idea behind the PDFiD tool some more, I'm wondering how this relates to the current PDF exploits.

    You have to have the PDF file on disk before you can scan. This limits protection to

    • the email attack vector, where you would scan the file before reading;

    • or downloading a PDF file from a web site, then scanning before reading.

    However, I just downloaded some PDF white papers and I didn't bother scanning them because I trust the source. And while I've never received a PDF by email from an unknown person, I wouldn't hesitate to delete it immediately.

    It seems to me that home users can get caught up in the media activity about malware attacks and lose reliance on their own judgment about these things and not trust anything. Do you really want to scan all PDF documents you download? If not, how do you choose which to scan? Will a scanner be any more reliable than your own judgment? Even the Wepawet scanner is limited to Javascript exploits. What if the PDF file doesn't exploit a javascript vulnerability?

    On the other hand, in a Corporate environment where PDF and other document files are regularly sent/received by email, targeted attacks have been successful, and a scanner might be useful, subject to the above limitations, because evidently people regularly receive unsolicited document files -- product proposals and the like -- and will gladly open them.

    For the drive-by download attacks, a scanner would be of no help because the PDF file is loaded w/o user action, whereupon it executes code to connect out for a malware download.

    More basic preventative measures would nullify the attack at the outset, negating the need to "disarm" the PDF file: it would never gain access to the computer in the first place.

    ----
    rich
     
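The thread refers to PDFiD's two jobs (counting suspicious names such as /JS, /JavaScript and /OpenAction in a file that is already on disk, and "disarming" a file by rewriting those names so the reader no longer acts on them) without showing either in code. The script below is an added illustration written for this post, not Didier Stevens' PDFiD and not code from the blog linked in post 1; it reimplements the idea in a few dozen lines, with the keyword list, the three constructed sample PDFs and the function names being my own choices. The disarm step follows the approach described for PDFiD (swap the case of the name, which keeps the file length and xref offsets intact); the hex-escape handling (`/J#53` is the same name as `/JS`) is there because a raw keyword count that ignores it is trivially blinded.

```python
import re

# Names whose presence makes a PDF worth a closer look: the same class of keyword a
# PDFiD-style triage counts. The list is my selection for this example, not PDFiD's table.
SUSPECT_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/ObjStm")
# /ObjStm is counted (compressed object streams can hide the other names from a raw
# scan) but must not be rewritten: it is structure, not an action.
DISARM_NAMES = tuple(n for n in SUSPECT_NAMES if n != "/ObjStm")

# A PDF name token: '/' followed by regular characters (no whitespace or delimiters).
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>()%{}]+")
# #xx hex escape inside a name (PDF 1.2+ syntax).
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(token: bytes) -> bytes:
    """Resolve #xx escapes so /J#53 compares equal to /JS (names stay case-sensitive)."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def scan(pdf: bytes) -> dict:
    """Count suspect names appearing in clear text in the raw file."""
    counts = {name: 0 for name in SUSPECT_NAMES}
    for m in NAME_TOKEN.finditer(pdf):
        name = normalize_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def disarm(pdf: bytes) -> tuple:
    """Swap the case of action-related names (/JavaScript -> /jAVAsCRIPT) so a reader
    ignores them. Returns (disarmed_bytes, number_of_names_rewritten)."""
    replaced = 0

    def swap(m):
        nonlocal replaced
        raw = m.group(0)
        name = normalize_name(raw)
        if name.decode("latin-1") not in DISARM_NAMES:
            return raw
        replaced += 1
        # swapcase keeps the byte length; if hex escapes were collapsed, pad with
        # spaces so every offset in the xref table remains valid.
        return name.swapcase() + b" " * (len(raw) - len(name))

    return NAME_TOKEN.sub(swap, pdf), replaced


# Constructed sample: a minimal PDF whose catalog runs a JavaScript action on open.
SAMPLE_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same file with the three names hex-escaped.
SAMPLE_OBFUSCATED = (SAMPLE_JS.replace(b"/OpenAction", b"/Open#41ction")
                              .replace(b"/JavaScript", b"/Java#53cript")
                              .replace(b"/JS ", b"/J#53 "))

# Constructed sample: a plain one-page PDF with no actions at all.
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, sample in (("js", SAMPLE_JS), ("obfuscated", SAMPLE_OBFUSCATED), ("plain", SAMPLE_PLAIN)):
        print(label, {k: v for k, v in scan(sample).items() if v})
    disarmed, n = disarm(SAMPLE_JS)
    print("disarmed", n, "names; length unchanged:", len(disarmed) == len(SAMPLE_JS))
```

An all-zero result from `scan` only says that none of these names appear in clear text. It says nothing about a malformed font, image or other stream (the "no JavaScript needed" case Rmus links), and names packed inside a compressed object stream are invisible to it, which is exactly why a non-zero /ObjStm count deserves a second, decompressing pass. That is the "false sense of security" caveat from post 5 in concrete form.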