0day: PDF pwns Windows
I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is opening a PDF document or stumbling across a page which embeds one.

The issue is quite critical given the fact that PDF documents are at the core of today’s modern business. This, and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available.
A formal summary and conclusion of the GNUCITIZEN bug hunt is to be expected soon.
comments
btw, the vulnerability is more severe than the QTL QuickTime issue.
Preview on OS X still OK then?
/not trying to be snarky
//really want to know
nigel mellish,
should be… I will try later when I have access to a Mac.
We love your POCs.
Why after the update? :)
Assuming that this impacts standalone PDF documents, not just those opened through a browser?
Can’t wait to see how this works, PDP. It seems like everyday you have a new concept or issue to present.
I wonder if this explains that strange password-protected pdf I got from some random person this morning. I did open it using Preview (running MacOS X 10.4 here), although using a guest account that wasn’t an administrator account. Turned out to be yet another stupid pyramid scheme…
DaveOJ, it affects both… embedded and standalone.
If one views an altered Adobe file with an alternate reader (e.g. Fox-It), does this still work?
Grant, the exploit works although it is less severe.
I think you have gone the wrong way. If you have nothing else to publish than “please don’t open PDF docs, but I can’t tell you why”, it would be a better choice to shut up instead of bringing no information.
I now know: don’t open PDF docs; why? You should give a little more information to the people; that is possible without compromising Adobe.
So, what should I say to my customers about WHY they must not open any PDF doc? “Please believe me, I’m right” or “petko said it”…:S
have fun
jan
pdp, any way to block it prior to adobe releasing a patch? It took them 2 months to patch the one I found that resulted in 7.08, heck it could be christmas before they do yours.
Be nice if there was something we could do in the mean time to avoid being vuln to this.
Nice work, as always, pdp. Just one question: does it work if JavaScript is disabled in Acrobat Reader?
“Less Severe”
Either you own the box or you don’t, how is it “less severe?”
I too would be interested to hear how my preferred alternative PDF viewers hold up (Xpdf, Ghostscript, Kpdf et al.) ..? If there were a PoC I’d test myself, but in the circs I can only ask…
Nice… you’ve been on a tear lately! Can’t wait to see the details!
Billy (BK) Rios
Any of the open source PDF readers affected too? I hate the phone home-i-ness of Acrobat, so I went with Foxit instead.
Jan Heisterkamp -
It is very responsible that he posts that this is a possibility and wants Adobe to contact him RATHER than posting the exploit information and allowing a virus writer to author a nasty virus that can affect MILLIONS of Adobe customers.
He has probably talked to Adobe and gotten shot down, so the information was posted on the blog.
- Fly
3 of the last 4 releases have had “pwns” in the title. :S
Forgive me, but what the hell is the point of claiming a serious vulnerability in Adobe Reader (assume other versions like Pro etc are ‘vulnerable’ too?) without at least providing some information?
Statements like: “My advise (sic) for you is not to open any PDF files (locally or remotely)” don’t exactly help anyone really do they?
What am I supposed to do now when I turn up for work in the morning? What do I say to my users? “Sorry guys. Don’t open any PDFs for the foreseeable future until either Adobe patch their iffy product or PDP decides graciously to at least give us some clues as to where the problem is.”
Posts like this don’t really help anyone. If *you* have discovered this then do the decent thing - tell Adobe about it and then keep it to yourself *or* publish some details so us lesser mortals with businesses that rely on such products can make an informed decision on this? Are there any mitigations besides “don’t open any PDFs”?
Perhaps a start would be telling us whether this vulnerability upon exploitation means full compromise of systems where users run without admin privileges for example? Does ‘least user privilege’ help at all?
fatman.
@ Fly
yes, you are right! I never said pdp is irresponsible; what I said, or tried to say, is: an advisory is worthless if it doesn’t get the community a little bit deeper into it.
A hint, a little headline of what it basically describes.
If I can only say “hooray, I found an exploit on this or that..”, for whatever reasons, I would stay away from making it public until I can really do it.
Maybe it’s a lack of English language on my side…
-Jan
The vulnerability affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7. Windows Vista users are not affected. Here is a harmless demonstration of the issue:
You can also download this video from here or here. The PDF issue is officially confirmed by Adobe’s team. Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit.
I don’t understand how it is applied!?
Thanks
@+
This seems to explain why a wide PDF-attached spam campaign had spread around last month.
http://sophos.com/pressoffice/.....-spam.html
I, too, would be interested in learning whether certain alternatives are affected as well. In my case, Sumatra, as in the Portable Sumatra version available from portableapps.com
This is a little light on the details, but based on the video I would take a wild guess and think that you are using Object Codebase to launch the calculator and notepad.
http://www.greymagic.com/secur...../gm001-ie/ has a nice example of this that requires no scripting, but does require you to render the HTML inside the My Computer zone.
This would fit in well with Adobe Acrobat Reader being able to render HTML snippets and also not having set the FEATURE_LOCALMACHINE_LOCKDOWN flag.
A yes or no to the above would be nice, so I don’t have to reproduce this myself (lazy me ;)
Thor, this is not the issue, although now that you are mentioning it, it might be a good idea to check it out.
This is very serious. I won’t like it a bit if opening my PDF format credit card statement ensures that $1000 is debited by an online transaction. This is scary, shucks!!
thanks pdp
C’mon, fricken show us some code! Or post that PDF file so we can reverse it.
@ fatman >> “Forgive me, but what the hell is the point of claiming a serious vulnerability in Adobe Reader (assume other versions like Pro etc are ‘vulnerable’ too?) without at least providing some information?”
Well, in my opinion it’s good not to provide details; otherwise this exploit could be used before Adobe fixes this.
pdp,
remember to mention that it also works on win2k3 fully patched.
I can definitely see some administrators accessing a malicious PDF file from a shared folder which compromises the server when running it on the win2k3 box.
I don’t believe the idiots^H^H^H^H^H^H people above who get angry because you haven’t released the PoC or more gritty details. They are obviously just wanting to get hold of the details for themselves and their own selfish gains.
pdp, simple and very effective, nice.
Very nice that you found this bug.
I don’t open any PDF!
Ignorant, plain and simple. Your video proves nothing. You give no real information. This is useless. Work with the vendor to get a patch before releasing this junk. I understand not giving any information, but then what’s the point of saying anything at all?
Information is a bit sparse right now. Is IE the only browser affected?
Thanks,
Mark
James Kenderfield:
As pdp said, you’ll have to take his word for now.
It’s simply exciting to share what can be shared at this point (even if some people feel it’s not enough).
Believe me, you will get excited when you test it yourself and see how well it works :-)
James Kenderfield, it’s typically called “responsible disclosure”.
Could this vulnerability be propagated via a web page? E.g., a coupon page with code hidden in it, that gets the user to print to a pdf file, which when then opened triggers the vulnerability?
Two questions:
1) When Adobe confirmed the bug, did they give a timeline for releasing the fix?
2) Can you please not release details until a week (or two) _after_ the Adobe update is available? This week or two gives corporate IT guys time to update, and stay ahead of game.
Many thanks!
Based on the greymagic link [ http://www.greymagic.com/secur...../gm001-ie/ ] it is clear there is an exploit with ActiveX, though I am not sure it is the only one or the same one that pdp is reporting.
My result with the Greymagic POC on Windows 2000 was that the asp file, downloaded and opened locally, would start calc.exe when opened with IE but not when opened with Seamonkey. This is with ActiveX totally turned off in 4 IE zones but probably still on in the 5th zone, which I have not made visible. (Note: I do not use browser plugins and do not have Adobe installed, so it was clearly the ActiveX.)
pdp, will you at least say whether what you’ve found is the same as or different than the greymagic POC? This would help with user protection.
Apologies, I see my question was already answered in the reply to Thor. So the new vuln is a different one.
packetracer, adobe confirmed the bug privately. the bug was also confirmed by several friends and well known security researchers who had access to the exploit.
swhx7, the bug is different.
This will still affect user accounts without administration privileges, I assume, but hopefully within the privileges range of the logged-in user? Only administrators will risk having their system taken over?
You said that Vista is not vulnerable, but in your video it seems you are running Vista with the basic interface… am I wrong?
Also the attack sounds like the old “javascript inside PDF”…
LISP, patience is a virtue!
Why don’t you upload the pdf?
because I like controllable chaos…
I understand your reasons for not releasing details or a usable sample of this exploit, though it would sure be nice to have one for testing.
In your video, the demo launches calculator. Can this exploit be effectively neutralized with a HIPS and restricting parent-child dependency settings?
Rick
To all the people claiming pdp’s post is useless because it doesn’t provide a PoC, I think it would only make the situation worse to provide one based on Adobe’s poor patching history. At least, for now, there is proof that the exploit exists and that’s all that should matter. If your users complain, just show them the video ;)
Nice work as always, pdp.
Come on, you need to upload the POC.
It is the best way, similar to Malware.com
Droopy
Is the interaction required to launch the exploit in Foxit something that appears normal or not? In other words, is it something that doesn’t usually happen? A video of the interaction required would be nice if you can provide it.
Hahah, what an owner
http://www.marketwatch.com/quotes/adbe
pdp, could you post a regex that can detect PDFs that contain the vulnerability at least? This would allow us to block incoming attachments and uploads without necessarily giving away the exploit itself…
Dear tools criticizing the disclosure method,
Think in scenarios for a change, rather than in moral indignation.
A) No disclosure at all, no leverage with the vendor, possibly no fix ever.
B) Full disclosure, rampant chaos and malicious abuse.
C) Concept and PoC disclosure without an exploit, pressure applied to vendor, public risk contained, much higher likelihood of a patch.
In conclusion, STFU.
The fact that it works in Foxit as well as Adobe reader implies that it relies on a flaw in Windows, not just Adobe’s reader.
I’m interpreting “interaction” in Foxit as something more than just opening a PDF. If this is correct, then Foxit can be a safe alternative for now if used with care.
The interaction referred to could be either something with JavaScript or clicking a link (any other possibilities? form?). In my version of Foxit, at least up to v.2 I think, JavaScript is an optional add-on, not installed by default.
I don’t believe this at all. Why keep it a secret? I’m certain every product has bugs or vulnerabilities just waiting to be found and/or exploited.
BTW, I found a vulnerability in Windows XP Professional. When a patch or fix is released by Microsoft, I’ll step up and take credit for discovering it. Yeah…right.
Give them a break.
He knows what he is doing.
so you think not disclosing now is good. I must assume you also think that pdp is brighter than all the spammers and botters and whatnot out there, right? What makes you think that, if this is as simple as pdp claims, it’s not known by somebody else out there?
How the fuck can I configure my IDS and HIPS to filter bad PDFs without any details? I don’t know about you, but blocking PDFs in my organization is not an option. I may as well block HTML, and the net would be as useless as blocking PDFs.
Does the exploit look for a local file path, a remote file path, or both?
At least knowing that much, I can write some IPS rules.
The demo video simply executes executables already existing on the local machine with no command line arguments. To me, this is more of a nuisance, than a security issue.
However, if an attacker could execute arbitrary commands with arbitrary command line arguments, then that would be interesting.
Does your exploit allow for arbitrary command line arguments? If so, could you post a PoC loading c:\boot.ini in notepad.exe to prove it?
Or could you explain the security implication of running calc.exe, notepad.exe, or any other common executable in Windows without command line arguments?
severity, arbitrary command options can be passed but, to be honest with you, I don’t need them. There are ways for attackers to execute far more dangerous things than simple commands.
I made a video… I don’t know if it resembles yours, but it likewise lets you execute files both through Internet Explorer and in PDF files…
http://whk.sitehacking.net/wp-.....s/IE7-CER/
Perhaps this vulnerability will be added to the list of so many other unfixed vulnerabilities in Adobe Reader.
WHK, interesting video, but this is nothing close to the vulnerability that was discovered. From your video, I can see that you are using a file located on the local disk that contains a WScript ActiveX controller to start a command. Yes, this will work if you approve the IE warning, which you do :). This type of attack asks for specific permission to launch the URL from the Reader; you are warned one time here, and from the browser, another warning here.
Good work champ. It will work if you manage to social engineer the user to confirm twice.
The PDF vulnerability which I am half-disclosing here does not require the user to confirm anything. It just opens and executes the calculator.
do you sell this sploit?
icq 76543
pdp is the facilitator; he starts something cool and creates a hype. I definitely can’t wait to see this.
Hi pdp, do you know when the patch will be out? The vulnerability that you discovered is vital to one of my demos. Would appreciate it if you let me know when the patch is out so that I can take a look at the POC.
Pdp, nice find! Interesting vulnerability and video.
Waiting for detailed information about it.
You said it works in Acrobat (as shown in the video) and in the browser. What is the difference, and can you make a video (in-browser demonstration)? And what browsers are vulnerable (and what Acrobat/Reader/plugin versions besides Adobe Reader 8.1)?
About the video: it is a harmless one, but you can make a harmful video :-). To show all the possibilities of this hole and to make people (and Adobe guys) more aware of the danger of this vulnerability. You can make a “format c:” demonstration ;-). Make it in a VM environment (it will be harmless and easier for you and will be a bright demonstration of the hole).
Any update from Adobe on a patch? I’d at least like to see a public acknowledgment that they are fixing it…
why did you steal the bug from the bugzilla and claim that it is your finding? bad boy, your mother didn’t spank you enough. In time I will tell all the story about your imposture, be assured.
MadScientist, the patch should be available some time later this month I believe.
the_truth, what bugzilla? you are hallucinating man!
hint: http://secunia.com/advisories/26201/
oincreijn :) heh, I expect you guys to think in more than one dimension…
the_truth, is that the bugzilla you are talking about? How come? You have no idea what my dealings with Adobe and Microsoft are…
“You have no idea what my dealings with Adobe and Microsoft are…” what are you trying to say? oPENaCTION?! what? hrhrhr…
Hi guys,
Is the fix out already?
It’s funny, but a while back, before I read about this PDF vulnerability, I was thinking: is that possible? Maybe I was just thinking creatively, lol, as no one really expects a “text file” to be a vehicle for madness!
Note: I’ve been always PDP11 :) just a coincidence PDP
PDP11, not yet… according to my contacts in Adobe, the patch will be available at the end of this month.
Can you confirm if this work around will work?
http://www.adobe.com/support/s.....07-04.html
IMHO, with the Adobe bulletin, it became obvious that this is a URI handler bug. The mitigation reg key (cDefaultLaunchURLPerms) speaks for itself :)
It seems like mailto: handler is by default set to “automatic” launch in Adobe Acrobat/Reader (reg value=2).
codepupil, I need to verify this. There are a few more issues that make the exploit functional and complete.
Hi, isn’t the point here that only pdf’s of unknown origin could be suspicious?
Most pdf’s are from legitimate providers, and so you must mean spam that comes with a pdf. So can normal pdf’s even be infected with whatever the exploit is? Or are we talking about PDFs FROM SUSPICIOUS SOURCES ONLY HERE, OR ALL PDFs?
PDP, Thanks I’ve deployed the workaround just in case.
Tigre: It would seem to me the bigger issue is someone embedding this pdf in webpages or in html emails but I may be wrong…
I have a hard time believing that “XP with IE7” is the only vulnerable combination. Especially when your example video doesn’t seem to depend on IE at all.
Has anyone tested on Win2K? XP w/ IE 6? other
I’m with thorin - a whole shitload of companies who aren’t running IE7 have just removed all their mitigations based on that announcement, but I’m not convinced. pdp, can you please confirm that Adobe’s workaround really solved the problem that you found? Thanks.
MadScientist, the workaround works. Btw it is a Windows bug and not an Acrobat one, do you have s*** in your eyes? Check the advisory: http://secunia.com/advisories/26201/ that’s the bug, not PDF related; if ShellExecute() wasn’t f****d up after IE7 installation (user32.dll) then there wouldn’t be any problem. So just f****n M$ do your f****n job, and 3rd party vendors stop thinking you have something to patch, because you don’t, it’s Microsoft’s bug/problem. pdp fcuk (:)) y** for contributing to make the situation even more unclear.
oincreijn, :) don’t talk s*** when u don’t know jack about this issue. chill!
maybe you think that using WSH to execute .js locally is an issue, but in fact the problem is only that IE7 changed the way it handled registered handlers (i.e. mailto:) through ShellExecute(). So you think that a /OpenAction /URI (mailto:etc) is a PDF bug (because it auto-executes something, and the handler mailto: is registered to execute directly without warning the user that a 3rd party program (*** the mail client, if ShellExecute() wasn’t bugged *** got it?)). Like when I read this blog entry at the beginning, you said it was a PDF format bug, then you removed that statement (what a stupid statement btw). After that it was written that it affects Vista; you removed it too. You don’t know shit about reverse engineering and research ;) Nothing exceptional for a f*** w****. Next time, try to keep your PoC instead of giving it to so many people ;)
oincreijn, you talk s*** again :) First of all, I haven’t removed anything from this post. Check your RSS feeds and verify before making stupid statements. Second, since you have the POC, which was released to a small group of people anyway, try to convert it into a fully functional exploit. You have problems? The POC is nothing but a POC… completely harmless. There are a lot more issues than just that. Making it into an exploit is the trick.
Again, chill dude! :) Take a deep breath, listen to some relaxing song and just chill. I believe you can get a lot more productivity out of yourself by just not fighting for the wrong cause.
in time my friend you will see an elite exploit, which runs whatever you want, without requiring extra connection, extra file, doesn’t rely on WSH scripting, etc. ;) I will release new tricks and my batch skills, but in time :) Yours will look like a big JOKE, don’t try to make us believe that a 0day is *how to exploit a bug through a vector* ;) the 0day is *the ShellExecute() bug*, period.
:) uh, ok
@ oincreijn
Wow, you’re quite the drama queen. I love your huge ego boost about doing something better someday somehow. Good one! I’m sure pdp and the rest of us are truly awaiting your big someday with angst.
@ pdp
Can you confirm or deny whether this really is just another manifestation of: http://secunia.com/advisories/26201/
As Secunia and oincreijn seem to think. (Secunia has added CVE 5020 to the references on that page.) Note MS also seems to think it’s their issue, as they published a Sec Advisory on the 10th (http://www.microsoft.com/technet/security/advisory/943521.mspx).
More information on the issue can be found here and here. Adobe has released an advisory over here. Successful exploitation of the PDF issue relies on a few other things.
Microsoft has no other choice but to patch up the issue just to satisfy the community, even though this may not be entirely their problem. First of all, developers should not really trust the user input and pass it to a function that they don’t fully understand. Now, some of you may criticize me for this statement, but do we blame PHP or ASP for the SQL injections that your software has? No! Why should anyone pass something that does not look like a URL into a function that expects URLs?
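Three threads of the discussion meet in one piece of defensive code: the request a few comments up for something that detects hostile PDFs so attachments can be filtered, oincreijn’s description of the vector (a catalog /OpenAction that fires a /URI action whose mailto: target ends up in ShellExecute()), and pdp’s point just above that a value which does not look like a URL should never be handed to a function that expects URLs. The scanner below is an added example written for this page; it is not code from pdp, GNUCITIZEN, Adobe or Microsoft. It assumes nothing beyond PDF object syntax (/Type /Catalog, /OpenAction, /S /URI, /URI as a literal or hex string), and every sample document it scans is constructed inline, two of them modelled on the “addresses” a commenter in this thread saw Evolution offer to mail.

```python
"""Flag PDFs whose /OpenAction fires a /URI action with a target that is not a URL.
The sample documents below are constructed for this example."""
import re
from typing import Optional

# Schemes a viewer can reasonably open on a document's behalf.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Conservative addr-spec: '%', '/', '"' and '..' never pass.
ADDR_SPEC = re.compile(r"^[A-Za-z0-9._+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+$")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI (literal string, with backslash escapes) or /URI <hex string>.
LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

ESCAPES = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}  # \n \r \t \b \f

def decode_literal(raw: bytes) -> str:
    """Undo PDF literal-string escapes: backslash-X and one to three octal digits."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):
            j = i + 1
            while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                j += 1
            if j > i + 1:                       # octal escape
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
            else:                               # named or identity escape
                out.append(ESCAPES.get(raw[i + 1], raw[i + 1]))
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")

def extract_uri(action: bytes) -> Optional[str]:
    """Return the /URI string of an action dictionary, whichever string form it uses."""
    m = LITERAL_RE.search(action)
    if m:
        return decode_literal(m.group(1))
    m = HEX_RE.search(action)
    if m:
        digits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        return bytes.fromhex(digits + "0" * (len(digits) % 2)).decode("latin-1")
    return None

def open_action_uri(pdf: bytes) -> Optional[str]:
    """Resolve the catalog's /OpenAction (reference or inline dict); URI if it is /S /URI."""
    objs = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}
    catalog = next((b for b in objs.values() if re.search(rb"/Type\s*/Catalog", b)), None)
    if catalog is None:
        return None
    ref = re.search(rb"/OpenAction\s*(\d+)\s+\d+\s+R", catalog)
    inline = re.search(rb"/OpenAction\s*<<(.*?)>>", catalog, re.S)
    action = objs.get(int(ref.group(1)), b"") if ref else (inline.group(1) if inline else b"")
    if not re.search(rb"/S\s*/URI\b", action):
        return None                             # e.g. /GoTo merely positions the page
    return extract_uri(action)

def classify_uri(uri: str) -> str:
    """'ok', or a short reason the URI must not reach a launcher such as ShellExecute()."""
    scheme, sep, rest = uri.partition(":")
    if not sep:
        return "no scheme"
    if re.search(r'[\s"\x00-\x1f]', rest):
        return "unexpected characters in URI"
    scheme = scheme.strip().lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"disallowed scheme {scheme!r}"
    if scheme == "mailto":                      # addresses, then optional ?subject=...
        for addr in rest.split("?", 1)[0].split(","):
            if not ADDR_SPEC.match(addr):
                return f"malformed mailto address {addr!r}"
    return "ok"

def scan_pdf(pdf: bytes) -> dict:
    """One document's verdict: the auto-launched URI (if any) and why it is suspect."""
    uri = open_action_uri(pdf)
    return {"open_action_uri": uri, "verdict": "ok" if uri is None else classify_uri(uri)}

def make_pdf(action: bytes) -> bytes:
    """Constructed one-page PDF that runs `action` on open (no xref: a scanner needs none)."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
            b"4 0 obj " + action + b" endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

SAMPLES = {
    "benign": make_pdf(b"<< /S /URI /URI (mailto:sales@example.com?subject=Quote) >>"),
    "goto_only": make_pdf(b"<< /S /GoTo /D [3 0 R /Fit] >>"),
    # Modelled on the addresses a commenter saw Evolution offer to mail (constructed).
    "path": make_pdf(b"<< /S /URI /URI (mailto:windows/system32/calc.exe) >>"),
    # Same target as a hex string: a plain grep for "mailto:" never sees it.
    "hex": make_pdf(b"<< /S /URI /URI <" + b"mailto:test%..".hex().encode() + b"> >>"),
}

if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        print(f"{name:10} {scan_pdf(pdf)}")
```

The verdict is deliberately strict. A mail client and a shell do not agree on what a mailto: target means, so anything that does not parse as an address list (optionally followed by `?subject=...`) is treated as an attempt to reach the launcher, which is exactly the input-validation rule pdp states above, applied at the gateway rather than inside the viewer. Real-world documents usually keep their objects compressed inside object streams; a production scanner inflates those before running the same checks, and should apply `classify_uri` to link annotations as well, since those need only a click rather than a document open.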
Thanks pdp that technet blog article was great.
Thanks.
For those who are against the idea of publishing this vulnerability. Their concerns are understood. People just don’t like being helpless. To make an analogy, I would imagine that we shouldn’t talk about AIDS because we didn’t find a cure for it; we shouldn’t broadcast news of Burma because we can’t help the people there.
Adrian: not the best analogy since AIDS is rampant in the wild and many people are working on stopping it, so we need to talk about it. With the PDF vulnerability, it is still contained.
I’m a big fan of full disclosure *if the vendor is unresponsive* as a means to increase pressure for a solution. If I can find a vulnerability, so can many others, so we need a fix. But if the vendor has acknowledged and is working towards a ‘cure’, give them time before unleashing the madness.
Why can’t we have an example of this vulnerability?
because of reasons explained above
This is a really stupid thing to do, such a “half-disclosure”, and claiming it’s “responsible disclosure”. What is the damn logic behind this?
You freely work for capitalism and you are proud of it, you call it “controlled chaos”.
hi
here is my PoC: http://security.fedora-hosting.....df_poc.pdf
here is an ugly description: http://security.fedora-hosting.....df_poc.txt
thank you, pdp :)
regards,
cyanid-E
Hi There
There’s a direct exploitation of this vuln without any prompt, advertisement, or whatever. We can re-evaluate the XSS criticality vector with this kind of PoC. http://aviv.raffon.net/ (news = Back from the dead)
regards.
Hi guys
I guess we can rename your PoC from remote unless than locally now! Nice find btw, keep it up dude ;)
regards laurent gaffié
This is a great tutorial, thanks!
Hi there!
@helloworld&laurent.gaffié : just rename your pdf file, say test.pdf, to test.fdf … Opens external Acrobat with IE7 and prompts an open dialog with FF. Enjoy ;)
Cheers
Great site - really useful information!
Very informative, and I see we still can’t get along apparently, oh well. But, being obviously on the lower end of the knowledge curve in this arena… Can any of you human beings tell me what you think of this link’s usefulness regarding these kinds of issues? -Vegas
Bad analogy, Adrian, A better one would be, “Why not hand out vials of HIV tainted blood in the hopes that some freelance doctor will find a cure?”
@cyanid-E
I opened your pdf on a Linux system
via:
1. Adobe Firefox plugin
2. Adobe Reader 8.1.1 (“Adobe strongly recommends upgrading to Adobe Reader 8.1.1”)
and Evolution offered to send an email for me to guys with really strange email addresses:
1. “windows/system32/calc.exe”
2. test%..
- quite scary -
This explains why spammers have now switched to sending their emails with a PDF attachment.
Usually the PDF attachment contains an embedded image of a stock quote or something stupid like that. Lately I have been opening these out of curiosity, but it seems we should not.
Have you all noticed that the spammer’s choice of delivery has become PDF attachments?
The attached PDF usually contains stock quotes.
Are there any reactions from Adobe?
now that all the patches are out are you going to release some more details?
:-)
Every security professional has to choose the path between publishing and keeping secret exploits every day. It’s uncommon to put 0days in blogs, because that hands the problem out to the wrong guys: not to those who want to fix the issue, but to those trying to abuse it for malicious mails or so.
I’m nosy, too… but executable code in a pdf is as old as Methuselah. That’s no 0day. That’s a joke ;).
Have fun,
wishi
thanks for the comment.