Comments on: PDF Info Stealer PoC

By: All PDFs are not created Equal « The Journeyler

All PDFs are not created Equal « The Journeyler — Tue, 15 Mar 2011 21:12:46 +0000

[...] of todays major security loopholes is malformed file types, i.e. PDFs that are not really PDFs or PDFs with something malicious attached or [...]

By: Bruno Kerouanton » Failles PDF…

Bruno Kerouanton » Failles PDF… — Thu, 01 Apr 2010 06:49:42 +0000

[...] c’est quand Didier Stevens y intègre un programme pour voler des informations sensibles. Ce billet montre comment un « simple » fichier PDF est capable de chercher puis de transmettre [...]

By: GreenSquirrel

GreenSquirrel — Mon, 22 Mar 2010 19:57:57 +0000

Very interesting and somewhat disturbing for those tasked with preventing data leakage. Thank you for posting this.

(Its a shame people seem to have fixated on the mechanism you have used, PDF, rather than the more worrying concept it demonstrates).

At the moment it does seem like encryption is the only real mitigtion against this – assuming it can workout unexpected file names.

By: Didier Stevens

Didier Stevens — Wed, 17 Mar 2010 18:58:11 +0000

@Irgendwer No, I just call SHGetFolderPath with CSIDL_PERSONAL to get the absolute path to My Documents.

By: Irgendwer

Irgendwer — Wed, 17 Mar 2010 18:52:45 +0000

Interesting technique…
Is there a string in the dll looking for “My Documents”?

By: Didier Stevens

Didier Stevens — Sun, 14 Mar 2010 21:22:33 +0000

No, even if I call this a PoC, the payload is still an info stealer, I’m not publishing this. And the DLL can be adapted to collect several files.

By: Nazz

Nazz — Sat, 13 Mar 2010 20:14:25 +0000

Any way of releasing the payload itself, So it loads a certain dll into the memory to search for important files in which you gave it to search e.g. passwords.xls, secret.txt, http://ftp.txt could it search for more than one file or do you have to edit shellcode each time?

By: Frisky Solitaire – Another Info Stealer « Didier Stevens

Frisky Solitaire – Another Info Stealer « Didier Stevens — Tue, 09 Mar 2010 00:01:27 +0000

[...] people have asked me about de details of the vulnerability I exploited in my PDF Info Stealer PoC. But that’s not important. It’s not about the exploit, it’s about the payload: [...]

By: Didier Stevens

Didier Stevens — Mon, 08 Mar 2010 17:29:02 +0000

@Christoph Schmees It’s not about the vulnerability or the exploit, but about the payload. Like I wrote: I can do this with Office vulnerabilities too, or even without any vulnerability, just social-engineering you to open a spreadsheet and execute macros. I use an old Adobe Reader vulnerability (util.printf) to execute the info stealer payload, but like I said, that’s just because it’s easy for me to do so.

By: Christoph Schmees

Christoph Schmees — Mon, 08 Mar 2010 16:29:19 +0000

The exploit targets *Adobe* reader, right? What about other free PRF readers such as Foxit or PDF-XChange? Are they immune? If so, it should be pointed out that this is about an *Adobe* weakness, not a general PDF weaknes!