Didier Stevens

Tuesday 6 April 2010

Update: Escape From PDF

Filed under: Hacking,PDF,Update — Didier Stevens @ 0:01

Some new info after last week’s Adobe and Foxit escapes.

Foxit Software has released a new version that issues a warning when a /Launch action is used, as Adobe Reader does:

The interesting thing about this fix is that it breaks my Foxit PoC, but that the Adobe PoC works for Foxit now!

This means that Foxit Software changed the way arguments are passed to the launched application (in the previous version, argument passing didn’t work per the PDF standard, and that’s why I had to use a workaround). I draw some interesting conclusions from this:

  1. Nobody used the /Launch action in Foxit Reader with arguments. It didn’t work, and I assume Foxit would have received bug reports about this and fixed it by now.
  2. Nobody used the /Launch action in Foxit Reader with arguments via the workaround. This fix breaks the workaround, and I assume Foxit would not have broken a feature used by some of its users.
  3. From 1 and 2, I can say nobody used the /Launch action in Foxit Reader with arguments.

Adobe Reader has a Trust Manager setting to disable opening non-PDF attachments with external applications.

This setting also disables the /Launch action:

For more details about the PoC, I refer to my interview on the Eurotrash Security podcast.
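The post discusses /Launch actions and the /F (application) and /P (parameters) entries they carry; the following is an added example, not Didier's code and not one of the PoCs referenced on this page. It is a small Python triage script that flags /Launch actions in a PDF, including ones that hide behind hex-escaped names (/L#61unch) or inside FlateDecode streams, and reports the target and parameters the action would hand to the launched program. The sample PDF is constructed inline. It is a byte-level scan rather than a full PDF parser (an assumption of this example): it will miss actions in encrypted documents and can be confused by dictionary delimiters inside strings.

```python
import re
import zlib

# /L#61unch is /Launch with a hex-escaped 'a': names are normalized before matching.
NAME_ESCAPE = re.compile(rb'#([0-9A-Fa-f]{2})')
# An action dictionary with /S /Launch; the surrounding << >> is located afterwards.
LAUNCH_RE = re.compile(rb'/S\s*/Launch\b')
# Stream bodies; trailing bytes before 'endstream' are tolerated by decompressobj().
STREAM_RE = re.compile(rb'stream\r?\n(.*?)endstream', re.DOTALL)
STRING_ESCAPES = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b',
                  b'f': b'\f', b'(': b'(', b')': b')', b'\\': b'\\'}


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /L#61unch compares equal to /Launch."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(pdf: bytes) -> bytes:
    """Inflate every FlateDecode stream body that decompresses; objects in
    object streams (/ObjStm) only become visible this way."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not deflate (or another filter); skip
    return b'\n'.join(out)


def read_literal_string(data: bytes, start: int) -> bytes:
    """Read a PDF literal string whose '(' is at data[start], honouring
    backslash escapes, octal escapes and balanced nested parentheses."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b'\\':
            nxt = data[i + 1:i + 2]
            if nxt in STRING_ESCAPES:
                out += STRING_ESCAPES[nxt]
                i += 2
                continue
            octal = re.match(rb'[0-7]{1,3}', data[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(0), 8) & 0xFF)
                i += 1 + len(octal.group(0))
                continue
            i += 2  # backslash followed by EOL: line continuation
            continue
        if c == b'(':
            depth += 1
            if depth > 1:
                out += c
        elif c == b')':
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return bytes(out)


def enclosing_dict(data: bytes, pos: int) -> bytes:
    """Return the innermost << ... >> containing offset pos (balanced scan both ways)."""
    depth, i, start = 0, pos, 0
    while i >= 0:
        if data[i:i + 2] == b'>>':
            depth += 1
            i -= 2
        elif data[i:i + 2] == b'<<':
            if depth == 0:
                start = i
                break
            depth -= 1
            i -= 2
        else:
            i -= 1
    depth, j = 0, pos
    while j < len(data):
        if data[j:j + 2] == b'<<':
            depth += 1
            j += 2
        elif data[j:j + 2] == b'>>':
            if depth == 0:
                return data[start:j + 2]
            depth -= 1
            j += 2
        else:
            j += 1
    return data[start:]


def literal_values(dct: bytes, key: bytes) -> list:
    """All literal-string values of /key inside dct (e.g. /F inside /Win << >>)."""
    return [read_literal_string(dct, m.end() - 1)
            for m in re.finditer(rb'/' + re.escape(key) + rb'\s*\(', dct)]


def find_launch_actions(pdf: bytes) -> list:
    """Scan raw bytes and inflated streams; report each /Launch action's
    target (/F) and parameters (/P) and where it was found."""
    findings = []
    for source, blob in (('raw', pdf), ('stream', inflate_streams(pdf))):
        data = normalize_names(blob)
        for m in LAUNCH_RE.finditer(data):
            dct = enclosing_dict(data, m.start())
            findings.append({
                'source': source,
                'file': [v.decode('latin-1') for v in literal_values(dct, b'F')],
                'params': [v.decode('latin-1') for v in literal_values(dct, b'P')],
            })
    return findings


def build_sample_pdf() -> bytes:
    """Constructed test input (not a real-world sample): one plain /Launch
    action and one hidden in a FlateDecode stream behind a hex-escaped name."""
    plain = (b'1 0 obj\n<< /Type /Action /S /Launch /Win << /F (cmd.exe) '
             b'/P (/c echo hello world) >> >>\nendobj\n')
    hidden = zlib.compress(b'<< /Type /Action /S /L#61unch /F (notepad.exe) >>')
    stream = (b'2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\n'
              b'stream\n' % len(hidden)) + hidden + b'\nendstream\nendobj\n'
    return b'%PDF-1.5\n' + plain + stream + b'trailer\n<< /Root 3 0 R >>\n%%EOF\n'


if __name__ == '__main__':
    for hit in find_launch_actions(build_sample_pdf()):
        print(hit)
```

Run against a real file with `find_launch_actions(open(path, 'rb').read())`; any non-empty result is worth a look, and a target like cmd.exe with a /P entry is what the PoCs on this page rely on.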

17 Comments

  1. Do you know of a corresponding registry key for that option?

    Comment by PDFGuy — Tuesday 6 April 2010 @ 13:10

  2. @PDFGuy HKCU\Software\Adobe\Acrobat Reader\\Originals: bAllowOpenFile

    Comment by Didier Stevens — Tuesday 6 April 2010 @ 16:30

  3. [...] or PoC, code], but… the Adobe PoC works for Foxit now,” said Stevens in an entry on his blog today. Oops, isn’t it a bitch when you fix something to be different, and then what makes you the same [...]

    Pingback by Safety From PDF Exploits? It’s Not Found In Foxit | Revelations From An Unwashed Brain — Wednesday 7 April 2010 @ 5:00

  4. Hi… with PDF-XChange PDF Viewer and STDU Viewer your “launch-action-cmd.pdf” can’t be opened with “CMD”… it only opens the PDF document with the message hello world…

    This means they are safe???

    Sorry for the bad English :-)…

    Thanks.
    Fabricio Garcia (Brazil)

    Comment by Fabricio Garcia — Wednesday 7 April 2010 @ 10:51

  5. [...] According to Stevens, his attack code, which uses the /Launch function, still works against the latest version of Foxit Reader. “The interesting thing about this update is that it breaks my method for Foxit, but now I can use the Adobe method on Foxit,” Stevens stated on his blog. [...]

    Pingback by Foxit Reader continua vulnerável mesmo depois de atualização @ — Wednesday 7 April 2010 @ 11:02

  6. @Fabricio Garcia: yes, they are safe, if you can’t launch cmd.exe, the PoC will not work.

    Comment by Didier Stevens — Wednesday 7 April 2010 @ 13:20

  7. [...] “The interesting thing about this fix is that it breaks my Foxit PoC, but that the Adobe PoC works for Foxit now! This means that Foxit Software changed the way arguments are passed to the launched application,” he wrote on his blog. [...]

    Pingback by Adobe Issues Advice To Avoid PDF Security Attack | eWEEK Europe UK — Wednesday 7 April 2010 @ 17:07

  8. Zemana also demonstrated a download-and-exec PoC based on your PoC.
    http://blog.zemana.com/2010/04/escape-from-pdf-modified-by-zemana.html

    Cumhur Kara (Turkey)

    Comment by Cumhur Kara — Thursday 8 April 2010 @ 7:54

  9. Thank you and thanks for your research…

    Comment by Fabricio Garcia — Thursday 8 April 2010 @ 8:22

  10. @Fabricio: PDF-XChange Viewer is not “safe”, in that it supports the /Launch command.

    Didier’s example PDF did not include a path. If it had, PDF-XChange Viewer would have opened the command prompt.

    You can use notepad to edit his PDF and change cmd.exe to C:\\\\WINDOWS\\\\system32\\\\calc.exe and try opening it in PDF-XChange Viewer.

    Comment by earthsound — Thursday 8 April 2010 @ 19:23

  11. To Catch a PDF Hacker, You Have To Think Like One…

    Despite the improvements Adobe has developed for Acrobat and Reader, it’s still tough to stay on top of creative hackers who love to use the PDF. To that end, security researchers like Didier Stevens find ways to hack into an application in ord…

    Trackback by Blog — Friday 9 April 2010 @ 23:36

  12. I made a simple tool to disable Adobe Reader’s Launch Action & JavaScript options.

    => http://blog.naver.com/happyme9/130084033060

    Comment by yunsoul — Saturday 10 April 2010 @ 6:40

  13. [...] Update: Escape From PDF – didierstevens.com The interesting thing about this fix is that it breaks my Foxit PoC, but that the Adobe PoC works for Foxit now! [...]

    Pingback by Week 14 in Review – 2010 | Infosec Events — Monday 12 April 2010 @ 8:39

  14. My download and execute PoC -> http://vimeo.com/10883643

    Comment by juza — Tuesday 13 April 2010 @ 10:40

  15. Didier: I hope you didn’t mind us taking a crack at it. I was able to get a pretty crude version of your idea working after listening to your podcast. I am really interested to see how you did things!

    Check out the PoC I came up with at http://bit.ly/cR47tg

    Comment by Jeremy Allen — Tuesday 13 April 2010 @ 18:44

  16. [...] Didier Stevens blog Update-escape-from-pdf [...]

    Pingback by Kako se zavarovati pred vse bolj nevarnimi PDF dokumenti | Razmišljanja sistemca | Reflections of sysadmin — Wednesday 28 April 2010 @ 6:38

  17. [...] Most users think the PDF format is a highly secure document format, but in reality, for some time now experts have warned that this is no longer true. PS: This is a potential danger only in the Windows environment. PPS: Application programmers, please organize your applications so that the PDF file format can be opened by any reader, not just Adobe, which happens too often. via Didier Stevens blog Update-escape-from-pdf [...]

    Pingback by How to protect from dangerous PDF files | Razmisljanja sistemca — Sunday 9 May 2010 @ 1:00
