Didier Stevens

Monday 11 October 2010

PDF, DEP, ASLR and Integrity Levels

Filed under: PDF,Vulnerabilities,Windows 7,Windows Vista — Didier Stevens @ 8:41

Frequently targeted document handling applications should be coded defensively and protect themselves with Windows security features like DEP, ASLR and Integrity Levels, just to name a few.

I tested a couple of PDF rendering applications: Adobe Reader, Foxit Reader and Sumatra PDF. If the application did not use DEP, ASLR or Integrity Levels, I changed some settings to make the application use these features. Setting DEP and ASLR is just setting a flag in the DllCharacteristics member of the Image Optional Header structure. You can do this with a hex editor, a PE-file editor, or a new tool (setdllcharacteristics) I’ll release soon. Using a Low Integrity Level is done by setting the appropriate ACE in the DACL of the application executable, see my post Integrity Levels and DLL Injection for details.

Adobe Reader 9 uses DEP and ASLR. It does not run with a Low Integrity Level by default. Configuring acrord32.exe to run with a Low Integrity Level fails, the application doesn’t run. It is said that the upcoming Adobe Reader 10 with sandboxing technology will run at a Low Integrity Level.

Sumatra PDF 1.1 uses DEP and ASLR. It does not run with a Low Integrity Level by default. Configuring SumatraPDF.exe to run with a Low Integrity Level succeeds, the application runs fine. Some preferences might get lost, but they are not important to me.

With version 4.2 of Foxit Reader released about a week ago, Foxit Software added support for DEP and ASLR. Setting Foxit Reader to use a Low Integrity Level results in a malformed opening dialog box:

Apart from this, Foxit Reader appears to work fine at Low Integrity Level, but don’t be fooled. At Low Integrity Level, Foxit Reader can’t read or set its preferences. For example, you won’t be able to disable JavaScript. Even if you disabled JavaScript with Foxit Reader running at Medium Integrity Level (the default), Foxit Reader running at Low Integrity Level will enable JavaScript. So you’re better off not using a Low Integrity Level for this version. I’ve talked to Foxit Software and they’ll fix this.

If your favorite application isn’t discussed here, you can easily check how it performs with Sysinternals’ Process Explorer. Just add columns DEP, ASLR and Integrity to Process Explorer’s main view and run your application.

6 Comments »

  1. It sounds like the difference between your tool and EMET from Microsoft (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04&displayLang=en) is support from changing Integrity Levels. Why didn’t they do Integrity levels? I’m sure they know how.

    Comment by larry seltzer — Monday 11 October 2010 @ 13:41

  2. @larry seltzer Not many complex application work fine at a low
    integrity level when they are not designed for it. I would think that
    this is not in EMET to improve the “experience” ;-)

    Comment by Didier Stevens — Monday 11 October 2010 @ 16:50

  3. […] van Windows ondersteunt. De Belgische beveiligingsonderzoeker Didier Stevens onderzocht drie populaire PDF-lezers en de manier waarop ze zich tegen aanvallen beschermen. Zowel Foxit […]

    Pingback by Plaats hier software gerelateerd nieuws! - Page 25 — Monday 11 October 2010 @ 17:29

  4. […] Researcher Didier Stevens, who famously focuses on the world of PDF files and the software which uses them, has tested some PDF readers after changing certain security parameters of the programs. […]

    Pingback by Forcing Security on Your PDF Reader- The Hackers Edge — Tuesday 12 October 2010 @ 1:42

  5. So, how does this play out for things like embedded flash objects in Excel spreadsheets, an item that needs a setting of sub-low so it can do even less damage.

    Comment by Sean — Wednesday 16 March 2011 @ 17:02

  6. @Sean Unless you use Office 2010 with an untrusted spreadsheet, you won’t run Excel in a sandbox.

    Comment by Didier Stevens — Thursday 17 March 2011 @ 15:15


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 244 other followers

%d bloggers like this: