Thanks to a tip from @riotz, I got my PoC PDF working on Foxit Reader. Remember, Foxit Reader issues no warning when launching a command! So I get to execute an embedded .EXE without any user interaction (except for the opening of the PDF document).
Wednesday 31 March 2010
Monday 29 March 2010
Escape From PDF
This is a special PDF hack: I managed to make a PoC PDF to execute an embedded executable without exploiting any vulnerability!
I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.
PDF viewers like Adobe Reader and Foxit Reader don’t allow embedded executables (like binaries and scripts) to be extracted and executed:
But I found another way to launch a command (/Launch /Action), and ultimately run an executable I embedded using a special technique. With Adobe Reader, a launch action needs to be approved by the user:
But I can partially control the message displayed by this dialog box:
I can use this to social-engineer users to “Open” the file:
Do you believe this could this mislead some of your users? Or maybe you can come up with a better message to fool your users.
With Foxit Reader, no warning is displayed:
I’m not publishing my PoC PDF yet, but you can download a PDF that will just launch cmd.exe here. Use it to test your PDF reader.
With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).
I shared my PoC with Adobe’s PSIRT. Maybe they will come up with a solution to prevent this, should they consider that the protection offered by the warning dialog is not sufficient. BTW, preventing Adobe Reader from creating new processes blocks this trick.
In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn’t run. But that’s probably due to some variation in the PDF language supported by Foxit Reader.
Tested with Adobe Reader 9.3.1 on Windows XP SP3 and Windows 7.
Wednesday 17 March 2010
Tuesday 9 March 2010
Frisky Solitaire – Another Info Stealer
Marcus Murray gave a great talk at TechEd Berlin 2009: “Hack-Proofing Your Clients Using Windows 7 Security”. In one of his demos, he showed a trojaned Excel spreadsheet. The spreadsheet was a simple text-based game, but it had a malicious component that executed surreptitiously while the game was played.
As I’ve done several hacks with Excel macros in the past, this made me realize that social engineering is a key element to get people to run macros from a spreadsheet of unknown origin.
Several people have asked me about de details of the vulnerability I exploited in my PDF Info Stealer PoC. But that’s not important. It’s not about the exploit, it’s about the payload: the info stealer. As I’ve written in my previous post, I don’t even need an exploit to get users to execute the info stealer. If I put the info stealer inside an Excel spreadsheet and social engineer the targeted users to execute the macros, I’ve achieved my goal without exploiting a software vulnerability.
I present you Frisky Solitaire:
Frisky solitaire is more compelling than text-based Excel games, because of the graphics. I took Solitaire from ReactOS, turned it into a DLL and embedded it with my memory loading shellcode into Excel macros (the same technique as I developed for cmd.dll and regedit.dll). I imagine that a simple game like Solitaire in Excel can go viral inside a company, when you know that many corporations disable standard Windows games on their desktops and Terminal Servers.
But in a crude attempt at social engineering the male population of a targeted company, I added an element of nudity to the game. The implied message of the game’s title is that winning games increases nudity. I know, I’m talking about basic instincts here, but it still does the trick…
So I imagine that this game can become popular with a large part of the male employees of a targeted company. And that they wouldn’t question the fact you have to execute Excel macros to play a game. Sounds plausible, no?
Of course, you guessed it: Frisky Solitaire is trojaned with an info stealer… No need to exploit a software vulnerability to steal info. Given that here too, everything is done in memory, detection is unlikely.
Monday 8 March 2010
PDF Info Stealer PoC
An info stealer is malware that steals credentials or files from its victims.
Info stealers don’t require admin rights to perform their task, and can be designed to evade or bypass AV, HIPS, DLP and other security software.
I helped out a friend testing his environment with a PoC PDF info stealer I designed (I will not publish it).
This PDF document exploits a known vulnerability, and executes shellcode to load a DLL (embedded inside the PDF document) from memory into memory. This way, nothing gets written to disk (except the PDF file). The DLL searches the My Documents folder of the currect user for a file called budget.xls, and uploads it to Pastebin.com.
My PDF info stealer was succesful: file budget.xls was posted to Pastebin.com
Preventing an info stealer from operating is not easy. The Windows operating system is designed to give user processes unrestricted access to the user’s data. It’s only starting with the Windows Vista kernel and Windows Integrity Control that a process can be assigned a lower level than user data and be restricted from accessing it. Lowering the Integrity Level of Acrobat Reader will help us in this case, but if I exploit an Excel vulnerability (or just use macros, without exploiting a vulnerability), the integrity levels will not protect us.
Neither is preventing data egress easy. OK, you can decide to block Pastebin.com. But can you block all sites that can be posted to? Like Wikipedia? And if you can, do you block ICMP packets?
To protect confidential data, don’t let it be accessed by systems with Internet access. That’s not very practical, but it’s reliable. Or use strong encryption with strong passwords (not the default RC4 Excel encryption). The info stealer will have the extra difficulty to steal the password too.
I know this is obvious advice, but it’s not easy protecting data from carefully designed info stealers on Windows.
Monday 1 March 2010
Quickpost: NetworkMashup.xls
NetworkMashup.xls is a spreadsheet with VBA macros I scraped from the Internet to execute pings and name/address resolution from within Excel with WIN32 API calls.
Not only is it handy when you need to do some network mapping in a restricted environment, but also if you’ve just a list of machines to monitor.
The spreadsheet contains several sheets. One sheet to perform a single ping:
One sheet to ping/resolve a list:
One sheet to list the IP addresses of the current machine:
And last, a sheet with settings:
Download here.
Didier Stevens 