0day: PDF pwns Windows

published: September 20th, 2007

I am closing the season with the following HIGH Risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in the core of today’s modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available.

Adobe’s representatives can contact me from the usual place. My advise for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issues was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions are also affected.

A formal summary and conclusion of the recent GNUCITIZEN’s bug hunt to be expected soon.

» more | » comments | » comments rss | posted by pdp | syndication and integration ( )

Comments

pdp responds:

btw, the vulnerability is more severe then the QTL QuickTime issue.

nigel mellish responds:

Preview on OS X still OK then? not trying to be snarky. really want to know.

pdp responds:

nigel mellish,

should be… I will try later when I have access to a Mac.

Xinstict responds:

We love your POCs. Why after update:)

DaveOJ responds:

Assuming that this impacts standalone PDF documents, not just those opened through a browser?

Awesome AnDrEw responds:

Can’t wait to see how this works, PDP. It seems like everyday you have a new concept or issue to present.

Ben responds:

I wonder if this explains that strange password-protected pdf I got from some random person this morning. I did open it using Preview (running MacOS X 10.4 here), although using a guest account that wasn’t an administrator account. Turned out to be yet anther stupid pyramid scheme…

pdp responds:

DaveOJ, it affects both… embeded and standalone.

Grant responds:

If one views an altered Adobe file with an alternate reader (e.g. Fox-It), does this still work?

pdp responds:

Grant, the exploit works although it is less severe.

Geo responds:

pdp, any way to block it prior to adobe releasing a patch? It took them 2 months to patch the one I found that resulted in 7.08, heck it could be christmas before they do yours.

Be nice if there was something we could do in the mean time to avoid being vuln to this.

/nul responds:

Nice work, as always, pdp. Just one question: does it work if JavaScript is disabled in Acrobat Reader?

le$$er responds:

“Less Severe”

Either you own the box or you don’t, how is it “less severe?”

imipak responds:

I too would be interested to hear how my preferred alternative PDF viewers hold up (Xpdf, Ghostscript, Kpdf et al.) ..? If there were a PoC I’d test myself, but in the circs I can only ask…

BK responds:

Nice… you’ve been on a tear lately! Can’t wait to see the details!

Billy (BK) Rios

GiantCrazy responds:

Any of the open source PDF readers affected too? I hate the phone home-i-ness of Acrobat, so I went with Foxit instead.

nobody responds:

3 of the last 4 releases have had “pwns” in the title. :S

pdp responds:

The vulnerability affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7. Windows Vista users are not affected. Here is a harmless demonstration of the issue:

You can also download this video from here or here. The PDF issue is officially confirmed by Adobe’s team. Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit.

weweje responds:

This seems to explain why a wide PDF-attached spam campain had spread around last month. http://sophos.com/pressoffice/.....-spam.html

Roach responds:

I, too, would be interested in learning whether certain alternatives are affected as well. In my case, Sumatra, as in the Portable Sumatra version available from portableapps.com

Thor Larholm responds:

This is a little light on the details, but based on the video I would take a wild guess and think that you are using Object Codebase to launch the calculator and notepad. http://www.greymagic.com/secur...../gm001-ie/ has a nice example of this that requires no scripting, but does require you to render the HTML inside the My Computer zone. This would fit in well with Adobe Acrobat Reader being able to render HTML snippets and also not having set the FEATURE_LOCALMACHINE_LOCKDOWN flag.

A yes or no to the above would be nice, so I don’t have to reproduce this myself (lazy me ;)

pdp responds:

Thor, this is not the issue although now when u r mentioning it, it might be a good idea to check it out.

Bruce responds:

This is very serious, I wont like a bit that opening my PDF format credit card statement ensures that $1000 is debited by an online transaction. This is scary, shucks!!

thanks pdp

James responds:

Cmon fricken show us some code! or post that pdf file so we can reverse it

Adrian Pastor responds:

pdp,

remember to mention that it also works on win2k3 fully patched. I can definitely see some administrators accessing a malicious PDF file from a shared folder which compromises the server when running it on the win2k3 box.

David Kierznowski responds:

pdp, simple and very effective, nice.

Vincent responds:

Very nice that you found this bug. I don’t open any PDF!

Mark responds:

Information is a bit sparse right now. Is IE the only browser affected?

Thanks,
Mark

Charles responds:

Could this vulnerability be propagated via a web page? E.g., a coupon page with code hidden it it, that gets the user to print to a pdf file, which when then opened triggers the vulnerability?

packetracer responds:

Two questions:

1) When a Adobe confirmed the bug, did they give a timeline for releasing the fix?

2) Can you please not release details until a week (or two) _after_ the Adobe update is available? This week or two gives corporate IT guys time to update, and stay ahead of game.

Many thanks!

swhx7 responds:

Based on the greymagic link [ http://www.greymagic.com/secur...../gm001-ie/ ] it is clear there is an exploit with Activex, though I am not sure it is the only one or the same one that pdp is reporting.

My result with the Greymagic POC on Windows 2000 was that the asp file, downloaded and opened locally, would start calc.exe when opened with IE but not when opened with Seamonkey. This is with Active X totally turned off in 4 IE zones but probably still on in the 5th zone which I have not made visible. (Note, i do not use browser plugins and do not have Adobe installed, so it was clearly the Active X.)

pdp, will you at least say whether what you’ve found is the same as or different than the greymagic POC? This would help with user protection.

swhx7 responds:

Apologies, I see my question was already answered in the reply to Thor. So the new vuln is a different one.

pdp responds:

packetracer, adobe confirmed the bug privately. the bug was also confirmed by several friends and well known security researchers who had access to the exploit.

swhx7, the bug is different.

OmegaJunior responds:

This will still affect user accounts without administration privileges, I assume, but hopefully within the privileges range of the logged-in user? Only administrators will risk having their system taken over?

Suma responds:

Why don’t you upload the pdf?

herbalist responds:

I understand your reasons for not releasing details or a usable sample of this exploit, though it would sure be nice to have one for testing. In your video, the demo launches calculator. Can this exploit be effectively neutralized with a HIPS and restricting parent-child dependency settings?

Rick

Quadro responds:

Is the interaction required to launch the exploit in Foxit something that appears normal or not? In other words, is it something that doesn’t usually happen? A video of the interaction required would be nice if you can provide it.

Crack responds:

Hahah what a owner

http://www.marketwatch.com/quotes/adbe

tsw responds:

pdp, could you post a regex that can detect PDFs that contain the vulnerability at least? This would allow us to block incoming attachments and uploads without necessarily giving away the exploit itself…

swhx7 responds:

The fact that it works in Foxit as well as Adobe reader implies that it relies on a flaw in Windows, not just Adobe’s reader.

I’m interpreting “interaction” in Foxit as something more than just opening a PDF. If this is correct, then Foxit can be a safe alternative for now if used with care.

The interaction referred to could be either something with Javascript or clicking a link (any other possibilities? form?). In my version of Foxit, at least up to v.2 I think, Javascript is an optional add-on, not installed by default.

Somewhat_Concerned responds:

Does the exploit look for a local file path, a remote file path, or both? At least knowing that much, I can write some IPS rules.

severity responds:

The demo video simply executes executables already existing on the local machine with no command line arguments. To me, this is more of a nuisance, than a security issue.

However, if an attacker could execute arbitrary commands with arbitrary command line arguments, then that would be interesting.

Does your exploit allow for arbitrary command line arguments? If so, could you post a PoC loading c:\boot.ini in notepad.exe to prove it?

Or could you explain the security implication of running calc.exe, notepad.exe, or any other common executable in Windows without command line arguments?

pdp responds:

severity, arbitrary commands options can be passed but to be honest with you, don’t need them. There are ways attackers to execute far more dangerous things then simple commands.

hackathology responds:

pdp is the facilitator, he starts something cool and create a hype. I definitely cant wait to see this.

tombstone responds:

Hi pdp, do you know when the patch will be out? The vulnerability that you discovered is vital to one of my demo. Would appreciate it if you know when the patch is out so that I can take a look at the POC.

MustLive responds:

Pdp, nice find! Interesting vulnerability and video.

Waiting for detailed information about it.

You said it works in Acrobat (as shown in video) and in browser. What difference and can you make video (in browser demonstration)? And what browsers are vulnerable (and what Acrobat/Reader/plugin versions except Adobe Reader 8.1).

About video: it is harmless one, but you can make harmful video :-). To show all possibility of this hole and to make people (and Adobe guys) to be more aware of danger of this vulnerability. You can make “format c:” demonstration ;-). Make it in VM environment (it will be harmless and easier for you and will be bright demonstration of the hole).

MadScientist responds:

Any update from Adobe on a patch? I’d at least like to see a public acknowledgment that they are fixing it…

PDP11 responds:

Hi guys,

Is The fix out already ?

It’s funny, but before I read about this PDF vulnerability, a while back, I was thinking is that possible ? maybe I was just being creatively thinking lol as no one really expect a “text file” be a vehicle for madness !

Note: I’ve been always PDP11 :) just a coincidence PDP

pdp responds:

PDP11, not yet… according to my contacts in Adobe, the patch will be available at the end of this month.

codepupil responds:

Can you confirm if this work around will work?
http://www.adobe.com/support/s.....07-04.html

/nul responds:

IMHO, with Adobe bulletin, it became obvious that this is an URI handler bug. Mitigation reg key (cDefaultLaunchURLPerms) speaks for itself :)

It seems like mailto: handler is by default set to “automatic” launch in Adobe Acrobat/Reader (reg value=2).

pdp responds:

codepupil, I need to verify this. There are a few more issues that make the exploit functional and complete.

tigre responds:

Hi, isn’t the point here that only pdf’s of unknown origib could be suspicious? Most pdf’s are from legitimate providers and so you must mean spam that comes with a pdf. So can normal pdf’s even be infected with whatever the exploit is? Or are we talking abour PDF”S FROM SUSPICIOUS SOURCES ONLY HERE OR ALL PDF’S ?

codepupil responds:

PDP, Thanks I’ve deployed the workaround just in case.

Tigre: It would seem to me the bigger issue is someone embedding this pdf in webpages or in html emails but I may be wrong…

thorin responds:

I have a hard time believing that “XP with IE7″ is the only vulnerable combination. Especially when you’re example video doesn’t seem to depend on IE at all.

Has anyone tested on Win2K? XP w/ IE 6? other

MadScientist responds:

I’m with thorin – a whole shitload of companies who aren’t running IE7 have just removed all their mitigations based on that announcement, but I’m not convinced. pdp, can you please confirm that Adobe’s workaround really solved the problem that you found? Thanks.

pdp responds:

More information on the issue can be found here and here. Adobe has released advisory over here. Successful exploitation of the PDF issue relays on a few other things.

Microsoft has no other choice but to patch up the issue just to satisfy the community, even though this may not by entirely their problem. First of all developers should not really trust the user input and pass it to a function that they don’t fully understand. Now, some of you may criticize me for this statement, but do we blame PHP or ASP for the SQL Injections that your software has? No! Why should anyone pass something that does not look like a URL into a function that expects URLs?

thorin responds:

Thanks pdp that technet blog article was great.

Adrian responds:

Thanks.

For those who are against the idea of publishing this vulnerability. Their concerns are understood. People just don’t like being helpless. To make an analogy, I would imagine that we shouldn’t talk about AIDS because we didn’t find a cure for it; we shouldn’t broadcast news of Burma because we can’t help the people there.

MadScientist responds:

Adrian: not the best analogy since AIDS is rampant in the wild and many people are working on stopping it, so we need to talk about it. With the PDF vulnerability, it is still contained.

I’m a big fan of full disclosure *if the vendor is unresponsive* as a means to increase pressure for a solution. If I can find a vulnearbility, so can many others, so we need a fix. But if the vendor has acknowledged and is working towards a ‘cure’, give them time before unleashing the madness.

Picco responds:

Why can’t we have an example of this vurnerability ?

cyanid-E responds:

there is my PoC: http://security.fedora-hosting.....df_poc.pdf

there is ugly description: http://security.fedora-hosting.....df_poc.txt

thank you, pdp :)

regards,
cyanid-E

helloworld responds:

Hi There

There’s a direct exploitation of this vuln without any prompt,advertise,or whatever. we can reevaluate the XSS criticity vector with these kind of PoC. http://aviv.raffon.net/ (news = Back from the dead)

regards.

laurent.gaffié responds:

Hi guys

i guess we can rename your PoC from remote unless than locally now! nice find btw keep it up dude ;)

regards laurent gaffié

ricko responds:

This is a great tutorial thanks!2

Nms responds:

Hi there!

@helloworld&laurent.gaffié : just rename your pdf file, say test.pdf, to test.fdf … Opens external Acrobat with IE7 and prompt an open dialog with FF. Enjoy ;)

Cheers

Deeprunner responds:

Very Informative and I see We still can’t get along apparently, oh well. But, being obviously on the lower end of the knowledge curve in this arena…Can any of you human beings tell me what you think of this link’s usefullness regarding these kind of issues? -Vegas

XT12D responds:

Bad analogy, Adrian, A better one would be, “Why not hand out vials of HIV tainted blood in the hopes that some freelance doctor will find a cure?”

ggman responds:

@cyanid-E

I opened your pdf on a linux system
via:

1. adobe firefox plugin
2. adobe reader 8.1.1 (”Adobe strongly recommends upgrading to Adobe Reader 8.1.1″)

and evolution offered me to send an email to guys with really strange email adresses:

1. “windows/system32/calc.exe”
2. test%..

- quite scary -

Sally responds:

This explains why spammers have now switched to sending their emails with a PDF attachment. Usually the PDF attachment contains an embedded image of a stock quote or something stupid like that. Lately I have been openning these out of curiousity but it seems we should not.

Sally responds:

Have you all noticed that the spammer’s choice of delivery has become PDF attachments?

The attached PDF usually contains stock quotes.

Onlinespiele responds:

Are there any reactions from Adobe?

CG responds:

now that all the patches are out are you going to release some more details?

Moose responds:

Does this affect Windows XP w/ Service Pack 3?

Thanks

Respond

GNUCITIZEN Products

	Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.
	Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.
	Websecurify is a division of GNUCITIZEN. The initiative was established to provide a free web application security framework for automated and manual penetration testing. The service is still in private-beta.
	Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.
	Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.