Members
  • Total Members: 12816
  • Latest: t114563
Stats
  • Total Posts: 28524
  • Total Topics: 8240
  • Online Today: 900
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: Adobe PDF exploit discovered, bypasses all security measures  (Read 1109 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7206
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


The only thing blocking a PDF file  written by security researcher Didier Stevens from harming your system is a warning dialog: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
With some slight tweaking of the warning, and some crafty social engineering, your system is a sitting duck for whatever program is embedded in that PDF.

"With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs)."

The culprit here is simply an alternative way of launching commands in a PDF (/launch /action). With some further technique applied to surreptitiously embed the executable (Stevens understandably doesn't go into detail about this part), the PDF is able to launch any program its creator embeds as long as the user clicks OK at the warning. Since the warning can be modified with some more clever hacking, this isn't a very big hurdle to overcome. Simply change the warning to an encouraging message convincing the user to open the file, and you're in. Foxit PDF Reader doesn't even display the warning message, making this threat even worse.

Adobe responded to the issue, according to Threatpost, by saying:

"Didier Stevens’ demo relies on functionality defined in the PDF specification, which is an ISO standard (ISO PDF 32000-1:2008). Section 12.6.4.5 of the specification defines the /launch command. This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly. The warning message provided in Adobe Reader and Adobe Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Adobe takes the security of our products and technologies very seriously; we are always evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."

(NW)

Samker's Computer Forum - SCforum.info





 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising