PDF exploited without vulnerability

This topic contains 11 replies, has 6 voices, and was last updated by  Jhaddix 9 years, 5 months ago.

  • Author
    Posts
  • #4878
     Anquilas 
    Participant

    A researcher (from Belgium! 😉 ) has found a way to exploit pdf files, without using a vulnerability. He created a pdf file with an embedded executable, which will start when the pdf file is opened.

    http://blogs.zdnet.com/security/?p=5929

    Pretty cool it seems, as far as my knowledge about the subject goes 🙂

  • #30693
     Ketchup 
    Participant

    That’s a very cool exploit. I can’t wait to see the PDF language behind it.

  • #30694
     j0rDy 
    Participant

    Nice find! I like the part that Foxit Reader doesn't even give a warning! (It just executes the script without any notification.) A lot of people are switching to Foxit, so this proves that alternatives aren't always better!

  • #30695
     Anquilas 
    Participant

    Idd 🙂 Now let’s hope that Adobe fixes it asap (for once)

  • #30696
     j0rDy 
    Participant

    Just read that Foxit will fix the problem first thing next week:

    http://forums.foxitsoftware.com/showthread.php?p=41323

    Let's see how Adobe will do…

  • #30697
     UNIX 
    Participant

    Interesting, looking forward to more details on this.

  • #30698
     Jhaddix 
    Participant

    So, metaphish uses this functionality only with javascript. I believe Dave Kennedy will be implementing into SET (the Social Engineering Toolkit) soon =)

    So many ways to trick the user =(

  • #30699
     j0rDy 
    Participant

    Here is the link to his blog:

    http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

    And here is a direct link to a zip file with the malicious file inside. Don't worry, it will only spawn a command prompt. Maybe you can do some reverse engineering on it?

    http://didierstevens.com/files/data/launch-action-cmd.zip

    Don: Can I post this or is it out of bounds?

  • #30700
     n1p 
    Participant

    @j0rdy wrote:

    > and here is a direct link to a zip file with the malicious file inside. Don't worry, it will only spawn a command prompt. Maybe you can do some reverse engineering on it?

    Guys, since I had some spare time :), just a small write-up on this to demonstrate how it occurs in the PDF. Thought you all might be interested.

    http://www.isolatedthreat.com/?p=214

    As usual comments welcome.

    n1p

  • #30701
     Ketchup 
    Participant

    The cool thing about this one is that it doesn’t rely on JavaScript being enabled in Adobe. It must be using the built-in language.

    Nice write-up btw n1p.

  • #30702
     n1p 
    Participant

    Yes, it is using the PDF language spec, but not in the way they intended 😛

    Malware uses a variety of techniques to embed in a PDF, so I will be interested to see how he has done it… And how vendors respond
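
A defender-side triage check for the launch-action feature discussed in this thread, as an added example that is not part of any post or of the linked write-ups: it counts the PDF names `/Launch`, `/OpenAction`, `/AA`, `/JavaScript` and `/JS` in raw file bytes and decodes `#xx` name escapes first, so a name written as `/L#61unch` is still recognised. The watched-name selection, the verdict labels and the sample fragments are assumptions constructed for this example.

```python
import re

# Names worth flagging in triage (the selection is this example's assumption).
WATCHED = ("Launch", "OpenAction", "AA", "JavaScript", "JS")

# A PDF name is "/" followed by characters up to whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so a name written as /L#61unch compares equal to /Launch."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(data: bytes) -> dict:
    """Count watched names in raw PDF bytes (compressed streams are not inflated)."""
    counts = dict.fromkeys(WATCHED, 0)
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def triage(data: bytes) -> str:
    """Return a verdict label (labels are hypothetical, chosen for this example)."""
    c = count_names(data)
    auto = c["OpenAction"] or c["AA"]  # action that fires without a click
    if c["Launch"]:
        return "launch-on-open" if auto else "launch-action"
    if c["JavaScript"] or c["JS"]:
        return "script"
    return "no-active-content"


# Constructed fragments, not complete PDF files.
PLAIN = (b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
         b"2 0 obj\n<< /Type /Action /S /Launch >>\nendobj\n")
ESCAPED = b"<</Open#41ction 2 0 R>> <</S/L#61unch>>"
BENIGN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("escaped", ESCAPED), ("benign", BENIGN)):
        print(label, triage(blob), count_names(blob))
```

Names inside compressed object streams are not visible to a raw byte scan, so a "no-active-content" verdict only covers the uncompressed parts of the file.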

  • #30703
     Jhaddix 
    Participant

    Testing a /dev/tcp version atm that will send goodness over the wire in *nix =)


Copyright ©2019 Caendra, Inc.
