Didier Stevens

Monday 11 January 2010

Adobe Reader JavaScript Blacklist Framework

Filed under: Malware,PDF,Vulnerabilities — Didier Stevens @ 1:51

The JavaScript Blacklist Framework is a security feature Adobe released with Adobe Reader and Acrobat versions 8.1.7 and 9.2.

If you need to use Adobe Reader and you can’t disable JavaScript, the JavaScript Blacklist Framework can help you mitigate zero-days in JavaScript API functions by disabling the vulnerable functions.

I produced a video where I disable util.printf:

Notice that when I blacklist util.printf, the script still executes until the blacklisted function util.printf is called. At that moment, the script is cancelled and the user is warned.

On Windows, you can blacklist functions by adding them to the registry value tBlackList (HKLM\SOFTWARE\Policies\Adobe\product\version\FeatureLockDown\cJavaScriptPerms\tBlackList). To blacklist more than one function, use the same registry value and separate the functions with the pipe character (e.g. Util.printf|Collab.getIcon). Note that the framework is case-sensitive (e.g. Util.printf is correct, util.printf is not correct).
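The following PowerShell is an added example, not code from the original post: it merges function names into tBlackList with the pipe separator, rejects names that are not in <object-name>.<function-name> form, and warns about entries that differ only in case. The function names Merge-BlackList and Set-JsBlackList are hypothetical, and the product and version passed in the last line are assumed values for the product\version placeholders in the path.

```powershell
# Added example: merge function names into the tBlackList policy value.
# $Product and $Version fill the "product\version" placeholders from the post.
function Merge-BlackList {
    param([string]$Current, [string[]]$Add)
    # Existing entries, split on the pipe separator; empty pieces are dropped.
    $items = @($Current -split '\|' | Where-Object { $_ })
    foreach ($name in $Add) {
        # Only <object-name>.<function-name> is accepted by the framework,
        # so a global function such as "unescape" is rejected here.
        if ($name -cnotmatch '^[A-Za-z_]\w*\.[A-Za-z_]\w*$') {
            throw "Not in <object-name>.<function-name> form: $name"
        }
        # The framework is case-sensitive, so flag entries differing only in case.
        $twin = $items | Where-Object { $_ -ieq $name -and $_ -cne $name }
        if ($twin) { Write-Warning "'$name' differs only in case from '$twin'" }
        # Case-sensitive de-duplication before appending.
        if ($items -cnotcontains $name) { $items += $name }
    }
    return ($items -join '|')
}

function Set-JsBlackList {
    param([string]$Product, [string]$Version, [string[]]$Functions)
    $key = "HKLM:\SOFTWARE\Policies\Adobe\$Product\$Version\FeatureLockDown\cJavaScriptPerms"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name tBlackList -ErrorAction SilentlyContinue).tBlackList
    $merged = Merge-BlackList -Current $current -Add $Functions
    # Written as a string value (assumption: tBlackList is REG_SZ).
    New-ItemProperty -Path $key -Name tBlackList -Value $merged -PropertyType String -Force | Out-Null
    return $merged
}

# Run from an elevated prompt (the key is under HKLM).
# 'Acrobat Reader' and '9.0' are assumed values; check them against your install.
Set-JsBlackList -Product 'Acrobat Reader' -Version '9.0' -Functions 'Util.printf', 'Collab.getIcon'
```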

The framework cannot be bypassed with some of the basic obfuscation techniques found in malicious PDFs (eval(“util.printf… ; x = util.printf; x(“… ).

It’s too bad that blacklisting is limited to the JavaScript API; the functions to blacklist must be in the form <object-name>.<function-name>. Otherwise we would be able to blacklist some global functions of the JavaScript language that are often used in malicious PDF files, like unescape. According to the ECMAScript specification, unescape is a member function of the Global Object. I tried several ways to blacklist it (unescape, .unescape, this.unescape, Doc.unescape, …), but failed.

If you really want to disable unescape, you could do this by patching the JavaScript plugin EScript.api. Maybe I’ll post a method to do this in-memory with my basic process manipulation tool kit.


6 Comments »

  1. […] that Adobe has added to Adobe Reader and Acrobat to offer protection against exploits is too limited, according to Belgian PDF expert Didier Stevens. Many of the exploits that in PDF files […]

    Pingback by Plaats hier software gerelateerd nieuws! - Page 16 — Monday 11 January 2010 @ 18:18

  2. […] a video tutorial on using the Adobe Reader JavaScript Blacklist Framework. Pretty nifty stuff. Adobe Reader JavaScript Blacklist Framework << Didier Stevens Tags: ( […]

    Pingback by Interesting Information Security Bits for 01/11/2010 | Infosec Ramblings — Tuesday 12 January 2010 @ 2:25

  3. Really interesting.
    Do you know an existing list of “dangerous” functions? It would be useful data to share. And if there are some similarities between Adobe and HTML JavaScript, the blacklist could also be used in Firefox extension Noscript.

    More adobe registry in http://learn.adobe.com/wiki/download/attachments/52658564/acrobat_reader_security_9x.pdf?version=1

    Thanks for your work Didier.

    Comment by Julien — Tuesday 19 January 2010 @ 20:02

  4. No, if you use Adobe Reader, you should patch it. Only disable functions used in 0-days.

    Disabling unescape would be a good thing, but it seems impossible with the framework.

    Comment by Didier Stevens — Tuesday 19 January 2010 @ 20:52

  5. […] Didier Stevens has posted a video which illustrates the Adobe Reader JavaScript Blacklist Framework […]

    Pingback by Disable Acrobat Javascript « Aggressive Virus Defense — Sunday 24 January 2010 @ 17:51

  6. Nice attempt from adobe, BUT still not satisfactory.

    Comment by Constantine — Thursday 3 June 2010 @ 18:47

