- This topic has 11 replies, 6 voices, and was last updated 10 years, 11 months ago by
Jhaddix.
March 31, 2010 at 10:03 am #4878
Anquilas
Participant
A researcher (from Belgium! 😉 ) has found a way to exploit PDF files, without using a vulnerability. He created a PDF file with an embedded executable, which will start when the PDF file is opened.
http://blogs.zdnet.com/security/?p=5929
Pretty cool it seems, as far as my knowledge about the subject goes 🙂
-
March 31, 2010 at 12:16 pm #30693
Ketchup
Participant
That’s a very cool exploit. I can’t wait to see the PDF language behind it.
-
March 31, 2010 at 12:19 pm #30694
j0rDy
Participant
Nice find! I like the part that Foxit Reader doesn’t even give a warning! (It just executes the script without any notification.) A lot of people are switching to Foxit, so this proves that alternatives aren’t always better!
-
March 31, 2010 at 12:34 pm #30695
Anquilas
Participant
Indeed 🙂 Now let’s hope that Adobe fixes it ASAP (for once)
-
March 31, 2010 at 1:19 pm #30696
j0rDy
Participant
Just read that Foxit will fix the problem first thing next week:
http://forums.foxitsoftware.com/showthread.php?p=41323
Let’s see how Adobe will do…
-
April 1, 2010 at 5:48 am #30697
UNIX
Participant
Interesting, looking forward to more details on this.
-
April 1, 2010 at 5:54 am #30698
Jhaddix
Participant
So, metaphish uses this functionality only with JavaScript. I believe Dave Kennedy will be implementing it into SET (the Social Engineering Toolkit) soon =)
So many ways to trick the user =(
-
April 1, 2010 at 7:25 am #30699
j0rDy
Participant
Here is the link to his blog:
http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
And here is a direct link to a zip file with the malicious file inside. Don’t worry, it will only spawn a command prompt. Maybe you can do some reverse engineering on it?
http://didierstevens.com/files/data/launch-action-cmd.zip
Don: Can I post this or is it out of bounds?
-
April 1, 2010 at 10:52 am #30700
n1p
Participant
@j0rDy wrote:
And here is a direct link to a zip file with the malicious file inside. Don’t worry, it will only spawn a command prompt. Maybe you can do some reverse engineering on it?
Guys, since I had some spare time :), just a small write-up on this to demonstrate how it occurs in the PDF. Thought you all might be interested.
http://www.isolatedthreat.com/?p=214
As usual comments welcome.
n1p
-
April 1, 2010 at 12:18 pm #30701
Ketchup
Participant
The cool thing about this one is that it doesn’t rely on JavaScript being enabled in Adobe. It must be using the built-in language.
Nice write-up btw n1p.
-
April 1, 2010 at 1:02 pm #30702
n1p
Participant
Yes, it is using the PDF language spec, but not in the way they intended 😛
Malware uses a variety of techniques to embed in a PDF, so I will be interested to see how he has done it… And how vendors respond
-
April 1, 2010 at 2:22 pm #30703
Jhaddix
Participant
Testing a /dev/tcp version atm that will send goodness over the wire in *nix =)
-