The tool is fully functional with older Adobe Reader and Acrobat exploits

Jun 12, 2014 15:49 GMT

A freelance penetration tester and security researcher at SecRecon has published a tool designed to integrate various exploits into PDF files.

The utility is useful for testing activities, but it could also cause a lot of damage among users working with unpatched versions of Adobe Reader and Acrobat if it falls into the wrong hands.

According to Darren Pauli from The Register, the tool is fully functional “against Adobe Reader and Acrobat versions 8.x prior to 8.2.1 and 9.x before 9.3.1.”

Although it can be used with old exploits for vulnerabilities that have been addressed in the latest updates for the two products, there may still be plenty of potential victims, considering that the majority of users do not apply security patches.

The tool is dubbed PDF Exploit Generator, and it supports inserting URL pointers in order to produce a PDF file carrying the exploit.

The developer is Claes Spett, a security researcher at SecRecon. He makes the exploit generator available and advises responsible usage. This does not prevent malicious actions from being carried out with its help, though.

Another use of the utility could be raising internal security awareness in a company. Since it delivers exploits through a PDF file, it is suitable for phishing and social engineering testing of personnel.