Didier Stevens

Thursday 29 April 2010

Update: PDFiD Version 0.0.11 to Detect /Launch

Filed under: My Software,PDF,Update — Didier Stevens @ 10:11

Now that malicious PDFs using the /Launch action are becoming more prevalent, I'm releasing a new PDFiD version to detect (and disarm) the /Launch action.

Tuesday 13 April 2010

.NET Shellcode

Filed under: .NET,Shellcode — Didier Stevens @ 0:00

As it is easy to instantiate the CLR in a process and load an assembly from C code, I developed shellcode to load a .NET assembly in the injected process.

This allows you to leverage the extended Framework Class Library in your penetration tests.

Tuesday 6 April 2010

Update: Escape From PDF

Filed under: Hacking,PDF,Update — Didier Stevens @ 0:01

Some new info after last week’s Adobe and Foxit escapes.

Foxit Software has released a new version that issues a warning when a /Launch action is used, like Adobe Reader does.

The interesting thing about this fix is that it breaks my Foxit PoC, but the Adobe PoC now works in Foxit!

This means that Foxit Software changed the way arguments are passed to the launched application (in the previous version, it didn’t work per the PDF standard, and that’s why I had to use a workaround). I draw some interesting conclusions from this:

  1. Nobody used the /Launch action in Foxit Reader with arguments. It didn’t work, and I assume Foxit would have received bug reports about this and fixed it by now.
  2. Nobody used the /Launch action in Foxit Reader with arguments via the workaround, because this fix breaks the workaround, and I assume Foxit would not have broken a feature used by some of its users.
  3. From 1. and 2., I can say nobody used the /Launch action in Foxit Reader with arguments.

Adobe Reader has a Trust Manager setting to disable opening non-PDF attachments with external applications.

This setting also disables the /Launch action.

For more details about the PoC, I refer to my interview on the Eurotrash Security podcast.
