
PDF exploited without vulnerability

<<

Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Wed Mar 31, 2010 5:03 am

PDF exploited without vulnerability

A researcher (from Belgium! ;) ) has found a way to exploit PDF files without using a vulnerability. He created a PDF file with an embedded executable, which will start when the PDF file is opened.

http://blogs.zdnet.com/security/?p=5929

Pretty cool it seems, as far as my knowledge about the subject goes :)
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Mar 31, 2010 7:16 am

Re: PDF exploited without vulnerability

That's a very cool exploit. I can't wait to see the PDF language behind it.
~~~~~~~~~~~~~~
Ketchup
<<

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Mar 31, 2010 7:19 am

Re: PDF exploited without vulnerability

Nice find! I like the part that Foxit Reader doesn't even give a warning! (It just executes the script without any notification.) A lot of people are switching to Foxit, so this proves that alternatives aren't always better!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Wed Mar 31, 2010 7:34 am

Re: PDF exploited without vulnerability

Indeed :) Now let's hope that Adobe fixes it ASAP (for once)
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
<<

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Mar 31, 2010 8:19 am

Re: PDF exploited without vulnerability

Just read that Foxit will fix the problem first thing next week:

http://forums.foxitsoftware.com/showthread.php?p=41323

Let's see how Adobe will do...
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Thu Apr 01, 2010 12:48 am

Re: PDF exploited without vulnerability

Interesting, looking forward to more details on this.
<<

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Thu Apr 01, 2010 12:54 am

Re: PDF exploited without vulnerability

So, metaphish uses this functionality only with JavaScript. I believe Dave Kennedy will be implementing it into SET (the Social Engineering Toolkit) soon =)

So many ways to trick the user =(
<<

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Thu Apr 01, 2010 2:25 am

Re: PDF exploited without vulnerability

Here is the link to his blog:

http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

And here is a direct link to a zip file with the malicious file inside. Don't worry, it will only spawn a command prompt. Maybe you can do some reverse engineering on it?

http://didierstevens.com/files/data/launch-action-cmd.zip

Don: Can I post this or is it out of bounds?
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Thu Apr 01, 2010 5:52 am

Re: PDF exploited without vulnerability

j0rDy wrote:
And here is a direct link to a zip file with the malicious file inside. Don't worry, it will only spawn a command prompt. Maybe you can do some reverse engineering on it?


Guys, since I had some spare time :), just a small write-up on this to demonstrate how it occurs in the PDF. Thought you all might be interested.

http://www.isolatedthreat.com/?p=214

As usual comments welcome.

n1p
Last edited by n1p on Thu Apr 01, 2010 5:53 am, edited 1 time in total.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Apr 01, 2010 7:18 am

Re: PDF exploited without vulnerability

The cool thing about this one is that it doesn't rely on JavaScript being enabled in Adobe. It must be using the built-in language.

Nice write-up btw n1p.
~~~~~~~~~~~~~~
Ketchup
<<

n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Thu Apr 01, 2010 8:02 am

Re: PDF exploited without vulnerability

Yes, it is using the PDF language spec, but not in the way they intended :P

Malware uses a variety of techniques to embed in a PDF, so I will be interested to see how he has done it... And how vendors respond
<<

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Thu Apr 01, 2010 9:22 am

Re: PDF exploited without vulnerability

Testing a /dev/tcp version atm that will send goodness over the wire in *nix =)
