Didier Stevens

Wednesday 31 March 2010

“Escape From Foxit Reader”

Filed under: Hacking,PDF — Didier Stevens @ 0:00

Thanks to a tip from @riotz, I got my PoC PDF working on Foxit Reader. Remember, Foxit Reader issues no warning when launching a command! So I get to execute an embedded .EXE without any user interaction (except for the opening of the PDF document).
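The risk the post describes is a PDF whose document-open action is a /Launch action, so that merely opening the file starts a program. A defender's first question is how to spot such files before a reader opens them. The scanner below is an added example, not code from the post or from Foxit: it looks for /S /Launch actions in raw PDF bytes, pulls out the /F file specification near each one, notes whether the action is wired to /OpenAction (no click needed), and decodes #xx name escapes first so that a name such as /L#61unch is still recognised. The sample PDF and the target name "example.exe" are constructed placeholders.

```python
import re

# Constructed sample input: a minimal PDF whose document-open action is a /Launch
# action. Written for this example; it is not the PoC file from the post. The
# target name "example.exe" is a placeholder.
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /F (example.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_ACTION = re.compile(rb"/S\s*/Launch(?![A-Za-z0-9])")
FILE_KEY = re.compile(rb"/F\s*(?:\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)")


def unescape_names(data: bytes) -> bytes:
    """Decode #xx escapes so that /L#61unch is seen as /Launch.

    Applied to the whole file for simplicity, which is acceptable for a scanner
    that only has to decide whether the action is present."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def decode_pdf_string(literal, hexstr):
    """Return the bytes of a literal (...) or hex <...> string captured by FILE_KEY."""
    if literal is not None:
        return literal
    digits = b"".join(hexstr.split())
    if len(digits) % 2:          # PDF pads an odd-length hex string with a trailing 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def scan_pdf(data: bytes, window: int = 400) -> dict:
    """Find /Launch actions and related indicators in raw PDF bytes.

    Heuristic: for each /S /Launch, look in a byte window around it for the /F
    file specification and for a /Win parameter dictionary."""
    decoded = unescape_names(data)
    launches = []
    for m in LAUNCH_ACTION.finditer(decoded):
        region = decoded[max(0, m.start() - window): m.start() + window]
        f = FILE_KEY.search(region)
        launches.append({
            "offset": m.start(),
            "target": decode_pdf_string(f.group(1), f.group(2)) if f else None,
            "has_win_params": b"/Win" in region,
        })
    return {
        "launch_actions": launches,
        "open_action": b"/OpenAction" in decoded,
        "embedded_files": len(re.findall(rb"/EmbeddedFile(?![A-Za-z])", decoded)),
    }


def risk_verdict(findings: dict) -> str:
    """A launch tied to the open action needs no click; that is the post's scenario."""
    if findings["launch_actions"] and findings["open_action"]:
        return "high"
    if findings["launch_actions"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    print(risk_verdict(result), result)
```

One caveat a practitioner should keep in mind: this scanner reads the file as plain bytes and does not inflate streams, so an action dictionary stored inside a compressed object stream (/ObjStm) would be missed; a full triage inflates those streams first and then runs the same matching on the result.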

28 Comments »

  1. If you can live without the /Launch functionality (I can!), edit the executable:

    – search for “^@Launch^@” (^@ == null byte, file offset 7040965 in 3.13.1030) in Foxit Reader.exe,

    – change it to e.g. “L!unch” (no quotes),

    – save AS BINARY,

    done.

    Comment by Thomas — Wednesday 31 March 2010 @ 12:20
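Thomas's workaround above renames the null-delimited "Launch" string in the reader's executable so the action type is never recognised. The script below is an added example (not Thomas's tool, and not anything from Foxit) that performs the same three steps in a checkable way: locate every null-delimited occurrence, refuse to proceed unless there is exactly one, write a same-length replacement, and keep a backup. FAKE_IMAGE is a constructed stand-in for the executable's string table; the offset 7040965 mentioned in the comment is specific to 3.13.1030 and is not assumed here.

```python
from pathlib import Path

# The null-delimited name the comment searches for, and a same-length replacement
# so that no offset in the file moves.
MARKER = b"\x00Launch\x00"
REPLACEMENT = b"\x00L!unch\x00"

# Constructed stand-in for the string table of the executable; it is not the real
# Foxit Reader binary. "Launcher" is there to show why the null delimiters matter.
FAKE_IMAGE = b"\x00GoTo\x00URI\x00Launch\x00JavaScript\x00Launcher\x00"


def launch_offsets(data: bytes) -> list:
    """File offsets of every null-delimited 'Launch' (offset of the 'L' itself)."""
    hits, pos = [], 0
    while (pos := data.find(MARKER, pos)) != -1:
        hits.append(pos + 1)
        pos += 1
    return hits


def is_patched(data: bytes) -> bool:
    """True when no intact null-delimited 'Launch' name remains."""
    return not launch_offsets(data)


def apply_patch(data: bytes) -> bytes:
    """Return a copy with the single 'Launch' reference renamed.

    Refuses to touch an image with zero or several references: zero means it is
    already patched or a different build, several means the one-string assumption
    from the comment does not hold for this build."""
    hits = launch_offsets(data)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one Launch reference, found {len(hits)}")
    assert len(REPLACEMENT) == len(MARKER)
    return data.replace(MARKER, REPLACEMENT)


def patch_file(path: str) -> int:
    """Patch an executable on disk, keeping a .bak copy; returns the offset patched.

    Reading and writing in binary mode is the script equivalent of 'save AS BINARY'."""
    p = Path(path)
    data = p.read_bytes()
    patched = apply_patch(data)            # raises before anything is written
    p.with_suffix(p.suffix + ".bak").write_bytes(data)
    p.write_bytes(patched)
    return launch_offsets(data)[0]


if __name__ == "__main__":
    print("offsets:", launch_offsets(FAKE_IMAGE))
    print("patched:", is_patched(apply_patch(FAKE_IMAGE)))
```

Run it as `patch_file("Foxit Reader.exe")` against a copy of the binary, then confirm with `is_patched` on the written file. This remains the unofficial workaround from the comment, which disables the Launch action outright for that build rather than adding the confirmation prompt a vendor fix would; the `len(hits) != 1` check is what stops it from silently doing something different on a build where the string appears more than once.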

  2. Thanks for the tip Thomas. I use Foxit (and recommend it to others) because I *thought* it was safe! Trust Didier (aka PDF guru) to come up with something to prove that everything can be exploited … if you know how!

    Comment by Iain — Wednesday 31 March 2010 @ 16:20

  3. Cross-application PDF exploit: SumatraPDF not affected!…

    Didier Stevens has developed a PDF document that could infect a PC without exploiting a concrete security hole in any particular program. Merely opening a suitably modified PDF file is enough to become a victim of the at……

    Trackback by Eviltux. IT & Gesellschaft — Wednesday 31 March 2010 @ 16:23

  4. Hi,

    @ Thomas: please, do tell us which program you used for doing that!

    Cheers
    SoerenB

    Comment by SoerenB — Wednesday 31 March 2010 @ 19:07

  5. @SoerenB I’m not sure which tool he’s using, but I use xvi32.exe for hex editing. Simple and free.

    Comment by Ron — Wednesday 31 March 2010 @ 20:10

  6. [...] Escape From Foxit Reader [...]

    Pingback by Un fisier PDF poate executa cod malitios — Wednesday 31 March 2010 @ 21:16

  7. I’ve played around with the launch command before since seeing a Metasploit module that used it, and I can understand how you got it to work with Adobe Reader, but in my tests with Foxit Reader I wasn’t able to get launch to work with parameters as is written in the PDF spec. Did you do this without parameters or did you figure out a way to pass parameters?

    Comment by Anon — Wednesday 31 March 2010 @ 22:48

  8. Has the test file been updated for Foxit?

    Comment by ...... — Wednesday 31 March 2010 @ 23:04

  9. How about ghostview? Is it affected too?

    Comment by SJ — Thursday 1 April 2010 @ 1:45

  10. @Anon Actually, @riotz found out how to pass parameters in Foxit, and then I updated my PoC for Foxit.

    Comment by Didier Stevens — Thursday 1 April 2010 @ 8:18

  11. @….. No, the test file already worked for Foxit.

    Comment by Didier Stevens — Thursday 1 April 2010 @ 8:19

  12. Like another commentator here, I also went into the “Foxit Reader.exe” file with a hex editor and altered the only reference to the word “Launch”, changing it to something else.

    Could Didier or someone who has access to the test exploit confirm that this actually protects against this vulnerability?

    Thanks.

    Comment by booty — Thursday 1 April 2010 @ 10:48

  13. @booty You can test it yourself. Download the test PDF from this post and see if you still get a cmd.exe. The first step in the PoC is also cmd.exe. If this fails, the whole PoC fails.

    Comment by Didier Stevens — Thursday 1 April 2010 @ 13:30

  14. @Didier – Perhaps I am being blind, but I don’t see any PDF linked to this post. I do see one on the previous posting, but that doesn’t appear to do anything on an unpatched Foxit Reader.

    Comment by booty — Thursday 1 April 2010 @ 16:54

  15. @booty No, there is no file linked to in this post. OK, then there’s something different with your Foxit version/installation/configuration, because the file from the previous post works with Adobe and Foxit.

    Comment by Didier Stevens — Thursday 1 April 2010 @ 18:00

  16. Okay, I’m still not certain whether the hex edit works. I would expect it to, but without verification or me being able to replicate the original vulnerability it’s hard to know.

    I don’t know whether somehow the patched version is staying resident in memory as I ran that version first or whether the version I have or my PC configuration isn’t vulnerable.

    Just in case it helps any of your work with Foxit, etc., I am running version 3.1.4.1125 on Windows XP SP3 x86. I also have Kaspersky Internet Security, which sometimes pops up warnings about one program launching another, but in this case it didn’t warn of anything. I also have JavaScript and internet search disabled in Foxit preferences.

    keep up the great work.

    Comment by booty — Thursday 1 April 2010 @ 18:30

  17. Foxit Corporation takes every security concern seriously and we focus our engineering resources on determining the cause of each issue and coming up with a complete and safe solution.

    After receiving word of a recent security concern, the Foxit development team immediately looked into the issue, confirmed the risk and resolved the situation quickly. Foxit expects to release a new version of Foxit Reader with this fix on April 2, 2010.

    To address the specific problems outlined, Foxit has added a warning dialog box that will pop up when a PDF file is opened with Foxit Reader, asking the user to agree to execute or not. This solution adds a layer of safety yet maintains Foxit Reader’s compliance with current PDF standards.

    Foxit is committed to adhering to and advancing current PDF standards; as such, we have developed a safer, easier and more widely accepted PDF document reader.

    Comment by Alex Alexander — Thursday 1 April 2010 @ 21:32

  18. FoxitReader321_en_Setup.exe is coming and resolves the issue.

    Comment by scz — Friday 2 April 2010 @ 5:21

  19. [...] Reader will not prompt the user before an application is launched with a Launch action. It is also reported that the Launch Action can be used to launch an executable that is included in the PDF document, [...]

    Pingback by Open Systems Journal » Blog Archive » VU#570177: Foxit Reader vulnerable to arbitrary command execution — Friday 2 April 2010 @ 23:21

  20. You do not need to pass parameters.

    http://hi.baidu.com/allyesno/blog/item/66b7ab501418bf14367abed8.html

    Comment by allyesno — Saturday 3 April 2010 @ 12:53

  21. @allyesno Yes, if you include an exe with it, but this was about using an exe embedded in the PDF so there is no warning. To do this you need to be able to pass arguments. Still haven’t figured out how he pulled it off though; I tried the method in the spec as well as trying to break up the execution with various invalid characters, but that hasn’t worked. It’s gotta be something really wacky that I’m not thinking of.

    Comment by Anon — Sunday 4 April 2010 @ 6:24

  22. [...] PDF, Update — Didier Stevens @ 0:01 Some new info after last week’s Adobe and Foxit [...]

    Pingback by Update: Escape From PDF « Didier Stevens — Tuesday 6 April 2010 @ 0:03

  23. [...] interestingly, Foxit Reader, considered a safer alternative to Acrobat Reader, shows no warning at all and runs the file immediately. It is also worth noting that, unlike many [...]

    Pingback by Ciekawa dziura w PDF – przykład ataku (Niebezpiecznik.pl) — Wednesday 7 April 2010 @ 6:01

  24. [...] This way, unless a malformed file format is used to trigger an overflow, the /Launch vulnerability is rendered ineffective. [...]

    Pingback by Foxit PDF漏洞山寨版补丁 — Wednesday 7 April 2010 @ 10:56

  25. [...] How is this possible? Roughly as in the joke about the monkeys and “War and Peace”: millions of researchers work every day searching for new vulnerabilities in popular programs. Many of these researchers are so lucky that the vulnerability they find lets malicious code run past the most up-to-date protection, sometimes from files of an unexpected format: (Sources: Habrahabr.ru and Didier Stevens’ blog) [...]

    Pingback by Отчёт о семинаре «Безопасность без антивирусов…» « Блог команды eSage Lab — Thursday 22 April 2010 @ 16:27

  26. [...] Didier Stevens reports that the command-launch mechanism built into the PDF format (/Launch /Action) is handled unsafely in Foxit Reader and allows an executable embedded in the PDF to be run without any prompts and without exploiting any vulnerability. [...]

    Pingback by Foxit Reader — уязвимость с запуском внедренного в PDF исполняемого файла без предупреждений « Безопасность операционных систем — Thursday 17 June 2010 @ 16:35

