Didier Stevens

Wednesday 29 April 2009

Quickpost: Disarming a PDF File

Filed under: My Software,PDF,Quickpost — Didier Stevens @ 16:52

This is a beta release of my new version of PDFiD tool because Adobe recommends disabling JavaScript to protect yourself against the new vulnerabilities in JavaScript functions getAnnots() and spell.customDictionaryOpen().

PDFiD version 0.0.6 has several new features which I’ll explain in a later post. Now I want to explain the disarm feature. Disarm will disable JavaScript inside the PDF document.

Command “PDFiD -d document.pdf ” will analyze the PDF document and generate a new version called document.disarmed.pdf.

In this new version, names /AA, /OpenAction, /JS and /JavaScript have their case swapped (/aa, /oPENaCTION, /jsand /jAVAsCRIPT). As the PDF language is case sentitive, these new names have no meaning and therefor the automatic actions and scripts are effectively disabled. All PDF readers I’ve used just ignore unknown names, they don’t generate and error or stop rendering the document.

This substitution trick will not work if the actions and scripts are hidden in object streams (/ObjStm) and could render a document unreadable if encryption is used.

Quickpost info

1 Comment »

  1. […] has added a feature to disable scripts in a suspected or even a not-suspected PDF. Thanks Didier! Quickpost: Disarming a PDF File << Didier Stevens Tags: ( pdf […]

    Pingback by Interesting Information Security Bits for 04/29/2009 | Infosec Ramblings — Wednesday 29 April 2009 @ 21:14


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.