New PDF-Based Arbitrary Code Execution Technique Revealed

Can also be used to infect clean PDF documents

April 2nd, 2010 16:14 GMT
A security researcher has revealed a new method of launching executables embedded in PDF files, without exploiting any particular vulnerability. The technique, which employs a bit of social engineering, can also be used to infect previously clean PDF documents residing on the system.

Vulnerabilities that allow for arbitrary code execution are among the most common and dangerous types of flaws and are usually exploited to perform Web-based drive-by download attacks. Adobe Reader is one of the applications constantly probed for such bugs due to its popularity amongst regular and business users alike, giving attackers a larger pool of potential victims.

By default, security settings in popular PDF viewers such as Adobe Reader prevent binary files embedded in the document from being executed on the system. However, Didier Stevens, IT Security Consultant at Contraste Europe and developer of the very useful PDFiD analysis tool, claims to have found a way to do it without exploiting a vulnerability in the products themselves.

Instead, Mr. Stevens did it by abusing the legitimate /Launch action defined in the PDF specification, via a special technique which he is not ready to reveal due to the obvious security implications. Even so, the method is not completely transparent to the user, at least in Adobe Reader, where a warning dialog box is shown.

This alert should normally display the name of the file about to be executed and inform the user about the risks of opening it. However, the security researcher also found a way to alter its contents and insert a message that could distract the user from the alert and trick them into pressing "Open."

"With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs). I shared my PoC with Adobe’s PSIRT. Maybe they will come up with a solution to prevent this, should they consider that the protection offered by the warning dialog is not sufficient," Mr. Stevens explains on his blog.

With Foxit Reader, which is often recommended as a viable alternative to the constantly attacked Adobe Reader, things are actually worse. The viewer fails to display any security warning and proceeds directly to executing the potentially malicious file. For testing purposes, the researcher has made a rigged PDF available that should launch cmd.exe when opened (the warning window alteration trick has been left out on purpose).

Additionally, Jeremy Conway, an independent security researcher working with Didier Stevens, has demonstrated that the same technique can be used to infect a clean PDF document already residing on the system. "I will not be disclosing the internal code that makes this possible nor will I be sharing out the PDFs within the proof of concept to the general public. Didier has already informed all of the relevant vendors about this issue and my proof of concept is just an expansion of his work, so there is no need for me to beat the vendors up with the same issue," said Conway.
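Since no patch exists for a technique that only uses legitimate PDF features, detection is the practical defence. The following is an added example, not code from the article and not Didier Stevens' PDFiD (which it loosely mirrors): a keyword triage scan that a defender can run over PDFs on disk, including previously clean documents of the kind Conway showed can be infected, to flag /Launch actions and log their /F target. The minimal PDF skeleton and the PLACEHOLDER.exe name are constructed for the example.

```python
import re

# Keywords worth triaging; /Launch is the action the article is about.
SUSPICIOUS_NAMES = (b"/Launch", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                    b"/EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF name objects (the spec allows them), so the
    keyword count is computed on the canonical spelling of each name."""
    def unescape(m):
        return b"/" + re.sub(rb"#([0-9A-Fa-f]{2})",
                             lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    # A name runs from "/" up to the next whitespace or delimiter character.
    return re.sub(rb"/([^\s/\[\]<>(){}%]*)", unescape, data)

def scan_pdf(data: bytes) -> dict:
    """Count each suspicious keyword in the raw bytes, PDFiD-style. Byte-level
    triage only: object streams are not inflated, so zero is not proof of clean."""
    text = normalize_names(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", text))
            for k in SUSPICIOUS_NAMES}

def launch_targets(data: bytes) -> list:
    """Return the /F entry of every dictionary carrying a /Launch action (string
    form of /F only). Log this raw value: the article notes the warning dialog
    text can be altered, so the dialog is not a reliable record of the target."""
    text = normalize_names(data)
    targets = []
    for m in re.finditer(rb"<<(.*?)>>", text, re.S):
        body = m.group(1)
        if re.search(rb"/Launch(?![A-Za-z])", body):
            f = re.search(rb"/F\s*\(([^)]*)\)", body)
            targets.append(f.group(1).decode("latin-1") if f else "<no /F>")
    return targets

def is_suspicious(data: bytes) -> bool:
    """Flag a file that contains a /Launch action and also an automatic trigger
    (/OpenAction or an /AA additional-actions entry), i.e. runs on open."""
    counts = scan_pdf(data)
    return counts["/Launch"] > 0 and (counts["/OpenAction"] + counts["/AA"]) > 0

# Constructed sample: a minimal PDF skeleton whose /OpenAction is a /Launch
# action. The /F target is a placeholder, not a real program.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /F (PLACEHOLDER.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
```

Run `scan_pdf(open(path, "rb").read())` over a directory of documents and review any file where `is_suspicious` returns True together with its `launch_targets`.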

Watch Didier Stevens' video demonstration of the attack:


Watch Jeremy Conway's video demonstration of the attack's extension:
