Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Security IT

New Method Could Hide Malware In PDFs, No Further Exploits Needed 234

Posted by timothy
from the deploy-linux-countermeasures dept.
Trailrunner7 writes "A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any other security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file. With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this."
This discussion has been archived. No new comments can be posted.

New Method Could Hide Malware In PDFs, No Further Exploits Needed

Comments Filter:
  • Sad (Score:2, Troll)

    by 2.7182 (819680)
    If only some great pdf/security teacher would take these poor code monkeys who have no future and teach them how to fix this.
    • Re:Sad (Score:5, Insightful)

      by sopssa (1498795) * <sopssa@email.com> on Wednesday March 31, 2010 @01:56PM (#31691352) Journal

      But for once Adobe is actually more secure than the better alternative Foxit. Adobe PDF Reader at least warns and asks your permission to run the file, but Fox It does neither one but just happily runs it. That fact made me uninstall Foxit for now at least.

      • Re:Sad (Score:5, Informative)

        by amicusNYCL (1538833) on Wednesday March 31, 2010 @02:02PM (#31691456)

        That fact made me uninstall Foxit for now at least.

        You shouldn't have to wait long.

        http://forums.foxitsoftware.com/showthread.php?t=18029 [foxitsoftware.com]

        this issue has been confirmed, and a maintenance version will be released within this week.

      • Re:Sad (Score:4, Insightful)

        by c-reus (852386) on Wednesday March 31, 2010 @02:22PM (#31691758) Homepage

        Of course, the average user is known to thoroughly read the warnings and definitely will not click "OK, just get this thing out of my face" within half a second after the dialog box has finished rendering.

      • Re:Sad (Score:5, Informative)

        by Romancer (19668) <romancer@deaths d o o r .com> on Wednesday March 31, 2010 @02:28PM (#31691826) Journal

        From the author:

        " My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn't run. But that's probably due to some variation in the PDF language supported by Foxit Reader."

        Not really a proof of concept since the proof doesn't actually run the code currently. Not that it couldn't but there's no proof that Foxit is less secure since it doesn't actually run the code.

        • Re:Sad (Score:4, Informative)

          by Spad (470073) <slashdot@spad.YEATSco.uk minus poet> on Wednesday March 31, 2010 @02:39PM (#31692000) Homepage

          http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ [didierstevens.com]

          He got it working in Foxit pretty quickly after the first post about the PoC.

          • Re:Sad (Score:5, Informative)

            by Pentium100 (1240090) on Wednesday March 31, 2010 @03:00PM (#31692366)

            Also the first comment there says how you can hex edit the .exe to disable this "feature".

            If you can live without the /Launch functionality (I can!), edit the executable:

            - search for “^@Launch^@” (^@ == null byte, file offset 7040965 in 3.13.1030) in Foxit Reader.exe,

            - change it to e.g. “L!unch” (no quotes),

            - save AS BINARY,

            done.

            Comment by Thomas — Wednesday 31 March 2010 @ 12:20

        • by bynary (827120)
          ...I was thinking PoC meant Piece of Crap which I thought was redundant when referring to a PDF.
          • Huh, where I work, it stands for "products of conception". I was a little confused when reading the article.

          • Re: (Score:3, Funny)

            by QRDeNameland (873957)

            ...I was thinking PoC meant Piece of Crap which I thought was redundant when referring to a PDF.

            In my experience, the proper industry acronym is BFPoC, for Big Fat Piece of Crap, a term allegedly coined by one Artemus Clyde Frog.

          • Re: (Score:3, Insightful)

            by Grishnakh (216268)

            PDF is (or was) a good format and standard; it lets you define documents so that they look the same on any platform, and can be printed on any printer and look identical.

            The only problem with it is that it was perfected for this purpose long ago, so Adobe kept adding more and more crap to it.

            This is one reason open-source is generally better: when an open-source project is done, the developers leave it that way (unless any bugs are found), and go find something else productive to work on. They don't try to

      • Re: (Score:3, Interesting)

        by Darinbob (1142669)
        I'm behind the times. Isn't the PDF format a document format, that contains only document markup and layout info? When did it start being able to have embedded code? I know it's massively changed since I last looked at internal, with things like permissions and editing added, but executables or scripting seems a bit far fetched. Maybe we need a document format that involves nothing at all except documents...
        • Re:Sad (Score:4, Informative)

          by causality (777677) on Wednesday March 31, 2010 @04:21PM (#31693618)

          I'm behind the times. Isn't the PDF format a document format, that contains only document markup and layout info? When did it start being able to have embedded code?

          Ever since Adobe perfected the basic PDF functionality and needed to keep adding features. Whether they are frills or not, whether they depart from the purpose of PDF or not, Adobe has to do this to justify its marketing. They want their customers to have reasons to keep wanting the latest version. Feature creep, in other words.

  • With Foxit Reader (Score:5, Interesting)

    by wiredog (43288) on Wednesday March 31, 2010 @01:56PM (#31691346) Journal

    There's no warning at all. It just runs. [zdnet.com]

  • by Anonymous Coward on Wednesday March 31, 2010 @02:02PM (#31691450)
    Who the hell thought it was a good idea to have dynamic content in a document description language?

    Notice you never hear about exploits-of-the-week like this for LaTeX !
    • What dynamic content? This has nothing to do with JavaScript.

      With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this ( I don’t use JavaScript in my PoC PDF ), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

      • by plover (150551) *

        What dynamic content? This has nothing to do with JavaScript.

        Dynamic content != JavaScript.

        Dynamic content is a generic name for all manner of executable things, including not only PDFs and JavaScript, but also LaTeX, ActiveX, VBScript, etc. JavaScript is simply one of many different implementations of dynamic content.

        In this case it's a "/Launch" command in the PDF syntax that's being exploited.

      • PostScript, the basis of PDF, is a full, turing-complete programming language! This has nothing to do with JavaScript!

      • What JavaScript? This has to do with dynamic content.

        You've heard of PostScript, right?
    • by TheRaven64 (641858) on Wednesday March 31, 2010 @02:10PM (#31691562) Journal

      I can't decide if you're trying to be ironic, but there are no 'vulnerabilities' in LaTeX because the ability to interact with files and run arbitrary programs are part of the language. The reason LaTeX isn't often exploited is that it is very rare to run LaTeX programs from untrusted sources; you distribute the output from the program, not the program itself.

      On a slightly different topic, is there a competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?

      • "... competition going on in Adobe to see if the Flash or Acrobat teams can collect the most security advisories?"

        There seems to be a social breakdown at Adobe. There are a lot of issues that aren't being managed well. For example, we bought Adobe Creative Suite 3 (before CS4 was released). The CD had an old version. To get the newest version it was necessary to download a 320 Megabyte file, on the same week that Adobe shipped the CD.

        The new Acrobat takes longer to make .PDF files than the older versi
    • Re: (Score:3, Informative)

      by Chyeld (713439)

      PDF is the evolved form of PostScript - http://en.wikipedia.org/wiki/PostScript [wikipedia.org] and at the time PS came out, it wasn't that bad of an idea, especially since it enabled us to actually print IMAGES.

      Unfortunately, feature creep set in and instead of creating a language actually meant for publishing and sharing documents, Adobe just reimplemented PS in PDF and glossed over the fact that they were using an elephant gun to shoot mosquito. This is coming back around to bite them in their butt. But the actual origi

      • by TeknoHog (164938)
        PS is a full programming language, as witnessed by those web servers and fractal generators that, I imagine, take ages to run on a printer. Thus PDF was originally created as a simpler page description language, but have you ever heard of PS exploits?
        • by Chyeld (713439)

          Actually while I was a CS major one of our labs was half NeXTSTEP (http://en.wikipedia.org/wiki/NeXTSTEP) and was aware of graduate students who pranked each other on the lab computers using the fact that the computers used postscript as a display engine.

      • by pclminion (145572) on Wednesday March 31, 2010 @06:30PM (#31695088)

        PDF has some superficial syntactic similarities to PostScript. Beyond that, it is not at all like PostScript. The reason the content stream language of PDF is PostScript-like is because it made it easy to print PDF by simply blowing the content stream out as PostScript, accompanied by the appropriate ProcSets. Such usage is deprecated these days -- ProcSets are no longer required to be declared, and modern PDFs can't be printed by blowing the content stream directly to the printer any more.

        Even in the areas where PDF looks like PostScript, it's fundamentally different. There is no operand stack. There are no control flow operators. If you start trying to create a PDF under the impression that it's just like PostScript, you'll fail miserably.

    • Re: (Score:2, Insightful)

      by jirka (1164)

      Why don't you compile the following document with "tex --shell-escape" as root

      \write18{rm -fR /}

    • by Chester K (145560)

      Who the hell thought it was a good idea to have dynamic content in a document description language?
      Notice you never hear about exploits-of-the-week like this for LaTeX !

      That's a good question. Someone should be asking the people who put Javascript in Netscape the same thing! I mean, there's absolutely no use cases for having dynamic documents!

  • by Manip (656104) on Wednesday March 31, 2010 @02:07PM (#31691514)

    "This cannot be patch because it isn't a vulnerability." Uhh yes it can, and sure it is. There are millions of bugs that were entirely by design and the designs adapted to eliminate them. I will grant that they might have to break the PDF spec' to fix it but frankly it is the right thing to do for everyone concerned.

    • Re: (Score:3, Insightful)

      by Applekid (993327)

      Exactly. To execute code, at some point, the reader is branching into data created or loaded by the pdf. When is that ever a good idea? If it's part of the PDF spec then it's a pretty good part to break compatibility with.

  • by Chris Burke (6130) on Wednesday March 31, 2010 @02:08PM (#31691528) Homepage

    You open the .pdf. On page 1 you see: "Hey you! Close this file, rename it to end with '.exe', and then double click it! There's, uh, boobs! Yeah lots of boobies."

    Okay so that's not entirely accurate, and at least one .pdf reader requires no social engineering at all other than getting them to open the pdf itself. Why would you make it so that you can't (normally) embed executables in the .pdf, but then allow .pdfs to launch arbitrary commands?

    • Being able to run external programs does make sense for some use-cases of PDFs. For example, a PDF form might contain some JavaScript logic for validating a form and then an action to submit it via some custom mechanism. You probably wouldn't distribute PDFs like this in the wild, but you might use them inside a company. A time sheet might be an example of this - you'd fill in the data in Adobe Reader and then submit it into the corporate accounts system. It's a bit of a stretch, but this feature was pr
      • Re: (Score:3, Insightful)

        by idontgno (624372)

        If you design a sharp blade into an out-of-the-way spot of a hammer, don't be upset if you get cut while driving nails.

        Not every tool is proper for every job. Using PDF as a general-purpose computing language is either mistaken or willfully stupid.

        PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action. Its vocabulary of actions and action subjects should be limited.

        • by StoatBringer (552938) on Wednesday March 31, 2010 @02:56PM (#31692300)
          PDF is a document format. It's an output format. It's not a form-entry language. It's not the web. It's not an operating system. It sure as hell shouldn't be able to trigger any open-ended OS action.

          You've never dealt with a marketing department, clearly.

          "Hey, you know what would be cool? What if PDF documents could also play videos?"
          "Um.. well, it's technically possible but I don't think that-"
          "Great! WE MUST HAVE THIS FEATURE! NOW! DROP EVERYTHING AND GET TO IT!"

        • by Dishevel (1105119) *
          But it IS all of those things. Maybe it should not be.

          It surely should not be.

          But it is. Since that is what it is then maybe we should just not be using it at all. If the only thing your company can send me is a fucking PDF then you can print it and mail it to me.

    • by T Murphy (1054674) on Wednesday March 31, 2010 @02:19PM (#31691706) Journal
      The guys at Adobe heard about oscilloscopes with hidden games on them, and Word's flight simulator, so they incorporated "features" so they could make an easter egg of their own. They never got around to that easter egg, so now lots of people are kindly lending them a hand at it.
      • The guys at Adobe heard about oscilloscopes with hidden games on them, and Word's flight simulator, so they incorporated "features" so they could make an easter egg of their own. They never got around to that easter egg, so now lots of people are kindly lending them a hand at it.

        I honestly don't know whether to mod this +1 Funny or +1 Insightful.

  • *nix vulnerable too? (Score:4, Interesting)

    by cpuh0g (839926) on Wednesday March 31, 2010 @02:12PM (#31691586)
    What happens on *nix versions of Adobe Reader - OS/X, Solaris, Linux, etc?
  • Adobe misfeature (Score:3, Informative)

    by Animats (122034) on Wednesday March 31, 2010 @02:21PM (#31691740) Homepage

    Explaination [didierstevens.com]

    Video [didierstevens.com]

    Demo PDF file (as .zip) [didierstevens.com]

    PDF apparently has (stupidly) a capability to launch an executable program which is run when the PDF file is opened. There's a warning message. All the exploit does is put in some text like "To view the encrypted message in this PDF document, select "Do not show this message again" and click the Open button." into the warning dialog box.

    Incidentally, SumatraPDF doesn't do this, but that seems to be a bug; the test file produces "Synchronization file cannot be opened".

    • by qoncept (599709)
      My biggest problem with Reader has been that it's a horribly slow piece of garbage with 3rd party alternatives that work great. I'd call this "strike 2" but it's already way beyond "out."
  • Chrome integration of one buggy plugin deserves another, right?

  • by DrEldarion (114072) on Wednesday March 31, 2010 @02:25PM (#31691786)

    For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

    Easy replacement:
    1) Install Google Chrome [google.com]
    2) Install this extension [google.com] which opens up all PDFs in Google Docs.
    3) Enjoy your new, safe browsing and PDF-viewing environment.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Yeah, because Google doesn't have enough of your info already.

      • by SOdhner (1619761)
        No, it's that Google already has SO MUCH of my info that I just don't care anymore. Trying to keep any of my information from Google at this point is like closing the barn doors after the cows are out.
    • Re: (Score:2, Insightful)

      by misterooga (1172837)

      With the google doc extension, don't you need to be online? Also, that's assuming you don't mind google caching on the pdf you're opening, right?

    • Re: (Score:3, Informative)

      by evilviper (135110)

      For 98% of people, Reader is unnecessary and just opens up a ton of security holes.

      While I still highly recommend any of the alternatives, I've seen several cases where websites are checking for that specific plug-in, and will not make any attempt to display the PDF, or offer any alternative links to the document, if Reader is not detected. Of course if more people dropped Adobe's crap, this would cease to be an acceptable way to display PDFs, but it should at least be noted that you might find just a few

    • The joke here is step number 4-

      4) Click on the 'print' link

      In Google Docs, a dialogue prompts you to download the PDF to your local computer to either be opened by a helper application or saved to your hard drive.

      Seth
  • by MagicM (85041) on Wednesday March 31, 2010 @02:40PM (#31692004)

    If you're really a nerd, you'll want to scroll through the PDF Reference [adobe.com] section 8.5 ("Actions"). Be careful though, as it may hurt a little.

    Instead of simply jumping to a destination in the document, an annotation or outline item can specify an action (PDF 1.1) for the viewer application to perform, such as launching an application, playing a sound, or changing an annotation's appearance state. [...] In addition, the optional OpenAction entry in a document's catalog (Section 3.6.1, "Document Catalog") may specify an action to be performed when the document is opened.

    It's actually very well-defined, and creating a document that implements this part of the specification should be trivial.

    • So it appears that you have found the bug in the spec.

      • Re-reading what you quoted, I see no requirement that an implementation be willing to execute any part of the content of the document: just run an "application" that is already installed on the machine. It also seems reasonable that an implemention could refuse to execute code located in the user's home directory.

  • by St.Creed (853824) on Wednesday March 31, 2010 @02:40PM (#31692010)

    I was reading a technical forum (used by a few dozen people, I'm in a niche market) with Chrome, when a PDF popped up containing nonsense text.

    Ofcourse I wasn't happy about it, so I contacted the owner of the site and scanned my laptop with McAfee's antivirus. Didn't find anything, but 2 weeks later I received a mail that my passwords had been reset for my own website because of suspicious activity. As it turned out, someone had installed a virus similar to the one that got me, on my contact page. Great.

    This is with a laptop running Chrome, Windows Vista with UAC enabled, McAfee security suite. I didn't even get a warning.

    I used Malwarebytes' Anti-malware to find and remove the stuff that got installed. At least, I'm hoping it got removed - but nothing is certain :P The strange thing is now, that when i need to access a fishy site I use Internet Explorer because it caught the drive-by download the next time I visited. Sort of a complete reversal of policy for me.

    • by T Murphy (1054674)

      The strange thing is now, that when i need to access a fishy site I use Internet Explorer because it caught the drive-by download the next time I visited. Sort of a complete reversal of policy for me.

      That's because to attack a Chrome user's system, you have to find a way to circumvent security. With IE, you can pop up a message "This program will steal your computer, continue?" and the user will run the malware to make the message go away.

      NB: this is just a lame joke, I mean no harm.

  • but it's a PDF...
  • by MobyDisk (75490) on Wednesday March 31, 2010 @03:13PM (#31692570) Homepage

    There is a command in the PDF language that says "execute the following command-line!" I thought having that ability in the scripting language was dumb. But it's actually available in the document description format? What possible purpose could that server? I don't want a message box added, or a security setting -- just remove that command entirely from the implementation!

    How did this come about when they were designing the PDF format?
          "Let's make it support bold, italic, underline, and execute."
    One of the above does not fit with the others.

  • A better test file. (Score:5, Informative)

    by DdJ (10790) on Wednesday March 31, 2010 @03:17PM (#31692640) Homepage Journal

    Someone came up with a better test file, here:

    http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf [seclabs.org]

    The first test file contained code essentially saying "if you're on a windows box, run cmd.exe". This one says "if you're on windows, run calc.exe, and if you're on Unix, run xcalc, and if you're on MacOS, run Calculator.app". So regardless of platform, if you load this PDF and see a calculator come up, well, you've learned something.

    As it happens, the PDF also contains real content that describes expected behaviors with a couple of readers. Apple's "Preview" isn't vulnerable because it doesn't implement the /Launch command at all! But Adobe's reader on MacOS is vulnerable.

    • by mikem170 (698970)
      I tried your link, and xpdf-3.02_12 did not appear to be vulnerable. I tested on FreeBSD 7.2 and make a symbolic link from /usr/bin/xcalc.
    • by Tim C (15259)

      Windows XP, Adobe Reader 8; clicking on that link I get an error popup (not a warning) and no calculator.

      The original proof of concept PDF does give me the expected warning.

    • Funny, noscript blocked the whole thing for me.
    • Doesn't work on Debian/Sid with Iceweasel (Firefox) 3.5.6 and xpdf 3.02.

  • by 0232793 (907781)
    see http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ [didierstevens.com] for more information and screenshots
  • Only a warning? (Score:4, Insightful)

    by Spykk (823586) on Wednesday March 31, 2010 @04:38PM (#31693796)

    With Adobe Reader, the only thing preventing execution is a warning.

    The only thing preventing your browser from executing a binary executable is a warning.

  • by bmajik (96670) <matt@mattevans.org> on Wednesday March 31, 2010 @10:28PM (#31696996) Homepage Journal

    So I work for Microsoft.. most hated software company, right?

    Not always, apparently. Thanks to competition like Adobe, we're going to have to up our game.

    Without going into too many details, a friend of mine was a Microsoft developer that was in a position where he was trading email with an extenal ISV as part of a formal MS program. So there was this stream of question and answer emails between them about how to use what we were working on to address this ISV's particular business problems. Anyway, at the end of one of this ISV's emails back to us, he says

    "PS: Can you guys somehow crush Adobe Corporation? I honesly and truly hate them."

    So there you go. That day, we lost. Adobe was the more hated company. We resolved to work harder to be #1 again.

No user-servicable parts inside. Refer to qualified service personnel.

Working...