PDF exploited without vulnerability

This topic has 11 replies, 6 voices, and was last updated 10 years, 11 months ago by Jhaddix.

Viewing 11 reply threads

Author

Posts
- March 31, 2010 at 10:03 am #4878
  
  Anquilas
  Participant
  
  A researcher (from Belgium! 😉 ) has found a way to exploit pdf files, without using a vulnerability. He created a pdf file with an embedded executable, which will start when the pdf file is opened.
  
  http://blogs.zdnet.com/security/?p=5929
  
  Pretty cool it seems, as far as my knowledge about the subject goes 🙂
- March 31, 2010 at 12:16 pm #30693
  
  Ketchup
  Participant
  
  That’s a very cool exploit. I can’t wait to see to the PDF language behind it.
- March 31, 2010 at 12:19 pm #30694
  
  j0rDy
  Participant
  
  Nice find! i like the part that Foxit Reader doesnt even give a warning! (it just executes the script without ant notification) A lot of people are switching to Foxit, so this proves that alternatives arent always better!
- March 31, 2010 at 12:34 pm #30695
  
  Anquilas
  Participant
  
  Idd 🙂 Now let’s hope that Adobe fixes it asap (for once)
- March 31, 2010 at 1:19 pm #30696
  
  j0rDy
  Participant
  
  just read that foxit will fix the problem first thing next week:
  
  http://forums.foxitsoftware.com/showthread.php?p=41323
  
  lets see how Adobe will do…
- April 1, 2010 at 5:48 am #30697
  
  UNIX
  Participant
  
  Interesting, looking forward to more details on this.
- April 1, 2010 at 5:54 am #30698
  
  Jhaddix
  Participant
  
  So, metaphish uses this functionality only with javascript. I believe Dave Kennedy will be implementing into SET (the Social Engineering Toolkit) soon =)
  
  So many ways to trick the user =(
- April 1, 2010 at 7:25 am #30699
  
  j0rDy
  Participant
  
  here is the link to his blog:
  
  http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
  
  and here is a direct link to a zip file with the malicious file inside. dont worry, it will only spawn a command prompt. maybe you can do some reverse engineering on it?
  
  http://didierstevens.com/files/data/launch-action-cmd.zip
  
  Don: Can i post this or is it out of bounds?
- April 1, 2010 at 10:52 am #30700
  
  n1p
  Participant
  
  @j0rDy wrote:
  
  and here is a direct link to a zip file with the malicious file inside. dont worry, it will only spawn a command prompt. maybe you can do some reverse engineering on it?
  
  Guys, since I had some spare time :), just a small write-up on this to demonstrate how it occurs in the PDF. Thought you all might be interested.
  
  http://www.isolatedthreat.com/?p=214
  
  As usual comments welcome.
  
  n1p
- April 1, 2010 at 12:18 pm #30701
  
  Ketchup
  Participant
  
  The cool thing about this one is that it doesn’t rely on JavaScript being enabled in Adobe. It must be using the built in language.
  
  Nice write-up btw n1p.
- April 1, 2010 at 1:02 pm #30702
  
  n1p
  Participant
  
  Yes, it is using the PDF language spec, but not in the way they intended 😛
  
  Malware uses a variety of techniques to embed in a PDF, so I will be interested to see how he has done it… And how vendors respond
- April 1, 2010 at 2:22 pm #30703
  
  Jhaddix
  Participant
  
  Testing a /dev/tcp version atm that will send goodness over the wire in *nix =)
Author

Posts