Didier Stevens

Tuesday 6 April 2010

Update: Escape From PDF

Filed under: Hacking,PDF,Update — Didier Stevens @ 0:01

Some new info after last week’s Adobe and Foxit escapes.

Foxit Software has release a new version to issue a warning when using a /Launch action, like Adobe Reader does:

The interesting thing about this fix is that it breaks my Foxit PoC, but that the Adobe PoC works for Foxit now!

This means that Foxit Software changed the way arguments are passed to the launched application (in the previous version, it didn’t work per the PDF standard, and that’s why I had to use a workaround). I draw some interesting conclusions from this:

  1. Nobody used the /Launch action in Foxit Reader with arguments. It didn’t work, and I assume Foxit would have received bug reports about this and fixed it by now.
  2. Nobody used the /Launch action in Foxit Reader with arguments via the workaround. Because this fix breaks the workaround, and I assume Foxit would not have broken a feature used by some of its users.
  3. From 1. and 2., I can say nobody used the /Launch action in Foxit Reader with arguments.

Adobe Reader has a Trust Manager setting to disable opening non-PDF attachments with external applications.

This setting also disables the /Launch action:

For more details about the PoC, I refer to my interview on the Eurotrash Security podcast.

Blog at WordPress.com.