Prev: Yes I felt it!
Next: "Antivirus Suite" malware
From: Virus Guy on 6 Apr 2010 22:30

-----------------

See also:

http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

Provided is a proof-of-concept pdf file that opens a command shell when opened.

This file does not function properly on win-98 running Acrobat 6.02 reader. Instead, this error message is displayed: "There was an error opening this document. The file is damaged and could not be repaired."

Possible reason is that "cmd.exe" is an invalid command under win-98.

------------------

http://news.cnet.com/8301-27080_3-20001792-245.html

Portable Document Format (PDF) files could be used to spread malware to clean PDF files stored on a target computer running Adobe Acrobat Reader or Foxit Reader PDF software, a security researcher warned on Monday.

Jeremy Conway, product manager at NitroSecurity, created a proof of concept for an attack in which malicious code is injected into a file on a computer as part of an incremental update, but which could be used to inject malicious code into any or all PDF files on a computer.

The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

Turning off JavaScript would not prevent the attack. It also does not require that the attacker exploit a vulnerability in the PDF reader itself.

The PDF reader incremental update capability "can be used as an infection vector," said Conway. The attack "does not exploit a vulnerability. No crazy Zero-Day (exploit) is needed to make this work."

Conway's proof of concept attack--detailed here with more information here--takes advantage of the same weakness in PDF readers that security researcher Didier Stevens of Belgium discovered a week ago and explained on his blog.

Stevens was able to launch a command and run an executable within a PDF file using a multi-part scripting process. As a result of that research and blog post, researchers at Adobe and Foxit Software are investigating ways to mitigate the risks from such attacks, according to CNET sister site ZDNet.

An Adobe spokeswoman did not have a comment on Conway's hack, but ZDNet posted Adobe's comment on Stevens':

"Didier Stevens' demo relies on functionality defined in the PDF specification, which is an ISO standard (ISO PDF 32000-1:2008)," the statement said. "Section 12.6.4.5 of the specification defines the /launch command. This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly. The warning message provided in Adobe Reader and Adobe Acrobat includes strong wording advising users to only open and execute the file if it comes from a trusted source. Adobe takes the security of our products and technologies very seriously; we are always evaluating ways to allow end-users and administrators to better manage and configure features like this one to mitigate potential associated risks."

Foxit provided ZDNet this comment:

"Foxit takes every security concern seriously and we focus our engineering resources at determining the cause of the problem and coming up with a complete and safe solution. Upon hearing of a possible security concern, our development team went to work and a resolution was determined in less than 24 hours and an updated version of the Foxit Reader will be made public in the next 72 hours."

The problem results from the PDF reader software allowing executable files to be opened or launched from within the program, according to Conway. "Most users don't use that additional functionality," he said.

He suggested that PDF software firms could provide a "minimalistic" version of the PDF readers that do not allow other types of programs to be launched and allow users to decide which specific types of executables they want to be able to open within the program.

Update April 6 9:15 a.m. PDT: An Adobe spokeswoman replied Monday night with the same statement above and this: "Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing the box 'Allow opening of non-PDF file attachments with external applications.'"
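A defender's triage check for the two features the quoted article describes, the /Launch action and incremental updates, given here as an added example that is not part of the original thread and is not Stevens' or Conway's code. The sample bytes are constructed, inert fragments rather than working PDFs, and the function and key names are assumptions of this sketch.

```python
import re

# PDF names may spell any character as a #xx hex escape, so /L#61unch is the
# same name as /Launch. A plain substring search for "/Launch" misses it.
_NAME = re.compile(rb"/([^\s/<>\[\]()%{}]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
_HEADER = re.compile(rb"%PDF-(\d\.\d)")

# Names worth flagging for review: the launch action itself, and the
# document-open trigger that can fire an action without a click.
WATCHED = {b"Launch", b"OpenAction"}


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes inside a PDF name token."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage(data: bytes) -> dict:
    """Scan raw PDF bytes for watched names and appended revisions.

    Limits: names inside compressed object streams are not visible here, and
    legitimate edits (form fills, signatures) also append revisions, so
    'incremental_update' is a reason to look closer, not a verdict.
    """
    header = _HEADER.search(data[:1024])
    names = {}
    for m in _NAME.finditer(data):
        name = decode_name(m.group(1))
        if name in WATCHED:
            key = name.decode()
            names[key] = names.get(key, 0) + 1
    revisions = data.count(b"%%EOF")  # each saved revision ends with %%EOF
    return {
        "version": header.group(1).decode() if header else None,
        "names": names,
        "revisions": revisions,
        "incremental_update": revisions > 1,
        "launch_action": "Launch" in names,
    }


# Constructed sample: a one-revision fragment, then the same bytes with a
# second revision appended that carries an escaped launch-action name.
SAMPLE_CLEAN = b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_UPDATED = SAMPLE_CLEAN + (
    b"2 0 obj\n<< /Type /Action /S /L#61unch >>\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_CLEAN))
    print(triage(SAMPLE_UPDATED))
```
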
From: Virus Guy on 6 Apr 2010 22:37

Virus Guy wrote:

> Provided is a proof-of-concept pdf file that opens a command shell
> when opened.
>
> This file does not function properly on win-98 running Acrobat 6.02
> reader. Instead, this error message is displayed: "There was an
> error opening this document. The file is damaged and could not be
> repaired."
>
> Possible reason is that "cmd.exe" is an invalid command under win-98.

Apparently that's not the reason. I copied calc.exe to cmd.exe and still got the same error.
From: Virus Guy on 7 Apr 2010 00:43

me(a)tadyatam.invalid wrote:

> What version is the PDF file?

I don't know. The first few characters of the file are %PDF-1.1.

> Some ver's of AR give "... error opening ..." because they
> can't handle later version(s) of .PDFs.

I have yet to encounter a pdf file that AR 6.x can't open. Sure, I almost always get this message:

------------
The file appears to use a new format that this version of Acrobat does not support. It may not open or display correctly. Adobe recommends that you upgrade to the latest version of our acrobat products. yada yada yada
------------

There is a "do not show this message again" check-box, but it only applies to the particular pdf file that's being opened. The message will appear again for the next new pdf file being opened.

I blow the message away and the file opens perfectly. It's a lot of bullshit courtesy of Adobe. I think there's a hack for AR 6.x where that message can be permanently turned off.

By the way - will it blend?

http://www.liveleak.com/view?i=b07_1270575942