0day PDF pwns Windows

Thu, 20 Sep 2007 13:03:33 GMT
by pdp

I am closing the season with the following HIGH risk vulnerability: Adobe Acrobat/Reader PDF documents can be used to compromise your Windows box. Completely!!! Invisibly and unwillingly!!! All it takes is opening a PDF document or stumbling across a page that embeds one.

The issue is quite critical given that PDF documents are at the core of today's modern business. This, and the fact that it may take a while for Adobe to fix their closed-source product, are the reasons why I am not going to publish any PoCs. You have to take my word for it. The PoCs will be released when an update is available.

Adobe's representatives can contact me from the usual place. My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions are also affected.

A formal summary and conclusion of GNUCITIZEN's recent bug hunt is to be expected soon.

Archived Comments

btw, the vulnerability is more severe than the QTL QuickTime issue.
nigel mellish
Preview on OS X still OK then? not trying to be snarky. really want to know.
nigel mellish, it should be... I will try later when I have access to a Mac.
We love your PoCs. Why after the update? :)
Assuming that this impacts standalone PDF documents, not just those opened through a browser?
Awesome AnDrEw
Can't wait to see how this works, PDP. It seems like everyday you have a new concept or issue to present.
I wonder if this explains that strange password-protected PDF I got from some random person this morning. I did open it using Preview (running Mac OS X 10.4 here), although using a guest account that wasn't an administrator account. Turned out to be yet another stupid pyramid scheme...
DaveOJ, it affects both... embedded and standalone.
If one views an altered Adobe file with an alternate reader (e.g. Fox-It), does this still work?
Grant, the exploit works although it is less severe.
pdp, any way to block it prior to adobe releasing a patch? It took them 2 months to patch the one I found that resulted in 7.08, heck it could be christmas before they do yours. Be nice if there was something we could do in the mean time to avoid being vuln to this.
Nice work, as always, pdp. Just one question: does it work if JavaScript is disabled in Acrobat Reader?
"Less Severe" Either you own the box or you don't, how is it "less severe?"
I too would be interested to hear how my preferred alternative PDF viewers hold up (Xpdf, Ghostscript, Kpdf et al.) ..? If there were a PoC I'd test myself, but in the circs I can only ask...
Nice... you've been on a tear lately! Can't wait to see the details! Billy (BK) Rios
Any of the open source PDF readers affected too? I hate the phone home-i-ness of Acrobat, so I went with Foxit instead.
3 of the last 4 releases have had "pwns" in the title. :S
The vulnerability affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7. Windows Vista users are not affected. Here is a harmless demonstration of the issue: You can also download this video from here or here. The PDF issue is officially confirmed by Adobe's team. Foxit is vulnerable as well, although the user is required to interact with the document in order to launch the exploit.
This seems to explain why a wide PDF-attached spam campaign had spread around last month. http://sophos.com/pressoffice/news/articles/2007/08/pdf-spam.html
I, too, would be interested in learning whether certain alternatives are affected as well. In my case, Sumatra, as in the Portable Sumatra version available from portableapps.com
Thor Larholm
This is a little light on the details, but based on the video I would take a wild guess and think that you are using Object Codebase to launch the calculator and notepad. http://www.greymagic.com/security/advisories/gm001-ie/ has a nice example of this that requires no scripting, but does require you to render the HTML inside the My Computer zone. This would fit in well with Adobe Acrobat Reader being able to render HTML snippets and also not having set the FEATURE_LOCALMACHINE_LOCKDOWN flag. A yes or no to the above would be nice, so I don't have to reproduce this myself (lazy me ;)
Thor, this is not the issue, although now that you mention it, it might be a good idea to check it out.
This is very serious; I won't like it a bit that opening my PDF-format credit card statement ensures that $1000 is debited by an online transaction. This is scary, shucks!! Thanks pdp.
C'mon, fricken show us some code! Or post that PDF file so we can reverse it.
Adrian Pastor
pdp, remember to mention that it also works on win2k3 fully patched. I can definitely see some administrators accessing a malicious PDF file from a shared folder which compromises the server when running it on the win2k3 box.
David Kierznowski
pdp, simple and very effective, nice.
Very nice that you found this bug. I don't open any PDF!
Information is a bit sparse right now. Is IE the only browser affected? Thanks, Mark
Could this vulnerability be propagated via a web page? E.g., a coupon page with code hidden it it, that gets the user to print to a pdf file, which when then opened triggers the vulnerability?
Two questions: 1) When a Adobe confirmed the bug, did they give a timeline for releasing the fix? 2) Can you please not release details until a week (or two) _after_ the Adobe update is available? This week or two gives corporate IT guys time to update, and stay ahead of game. Many thanks!
Based on the greymagic link [ http://www.greymagic.com/security/advisories/gm001-ie/ ] it is clear there is an exploit with ActiveX, though I am not sure it is the only one or the same one that pdp is reporting. My result with the Greymagic PoC on Windows 2000 was that the .asp file, downloaded and opened locally, would start calc.exe when opened with IE but not when opened with SeaMonkey. This is with ActiveX totally turned off in 4 IE zones but probably still on in the 5th zone, which I have not made visible. (Note, I do not use browser plugins and do not have Adobe installed, so it was clearly the ActiveX.) pdp, will you at least say whether what you've found is the same as or different than the greymagic PoC? This would help with user protection.
Apologies, I see my question was already answered in the reply to Thor. So the new vuln is a different one.
packetracer, Adobe confirmed the bug privately. The bug was also confirmed by several friends and well-known security researchers who had access to the exploit. swhx7, the bug is different.
This will still affect user accounts without administration privileges, I assume, but hopefully within the privileges range of the logged-in user? Only administrators will risk having their system taken over?
Why don't you upload the pdf?
I understand your reasons for not releasing details or a usable sample of this exploit, though it would sure be nice to have one for testing. In your video, the demo launches calculator. Can this exploit be effectively neutralized with a HIPS and restricting parent-child dependency settings? Rick
Is the interaction required to launch the exploit in Foxit something that appears normal or not? In other words, is it something that doesn't usually happen? A video of the interaction required would be nice if you can provide it.
Hahah what a owner http://www.marketwatch.com/quotes/adbe
pdp, could you post a regex that can detect PDFs that contain the vulnerability at least? This would allow us to block incoming attachments and uploads without necessarily giving away the exploit itself...
The fact that it works in Foxit as well as Adobe reader implies that it relies on a flaw in Windows, not just Adobe's reader. I'm interpreting "interaction" in Foxit as something more than just opening a PDF. If this is correct, then Foxit can be a safe alternative for now if used with care. The interaction referred to could be either something with Javascript or clicking a link (any other possibilities? form?). In my version of Foxit, at least up to v.2 I think, Javascript is an optional add-on, not installed by default.
Does the exploit look for a local file path, a remote file path, or both? At least knowing that much, I can write some IPS rules.
The demo video simply executes executables already existing on the local machine with no command line arguments. To me, this is more of a nuisance, than a security issue. However, if an attacker could execute arbitrary commands with arbitrary command line arguments, then that would be interesting. Does your exploit allow for arbitrary command line arguments? If so, could you post a PoC loading c:\boot.ini in notepad.exe to prove it? Or could you explain the security implication of running calc.exe, notepad.exe, or any other common executable in Windows without command line arguments?
severity, arbitrary command options can be passed, but to be honest with you, you don't need them. There are ways for attackers to execute far more dangerous things than simple commands.
pdp is the facilitator: he starts something cool and creates hype. I definitely can't wait to see this.
Hi pdp, do you know when the patch will be out? The vulnerability that you discovered is vital to one of my demo. Would appreciate it if you know when the patch is out so that I can take a look at the POC.
Pdp, nice find! Interesting vulnerability and video. Waiting for detailed information about it. You said it works in Acrobat (as shown in the video) and in the browser. What is the difference, and can you make a video (an in-browser demonstration)? And which browsers are vulnerable (and which Acrobat/Reader/plugin versions besides Adobe Reader 8.1)? About the video: it is a harmless one, but you could make a harmful video :-) to show all the possibilities of this hole and to make people (and the Adobe guys) more aware of the danger of this vulnerability. You could make a "format c:" demonstration ;-). Make it in a VM environment (it will be harmless and easier for you, and will be a vivid demonstration of the hole).
Any update from Adobe on a patch? I'd at least like to see a public acknowledgment that they are fixing it...
Hi guys, is the fix out already? It's funny, but a while back, before I read about this PDF vulnerability, I was thinking: is that possible? Maybe I was just thinking creatively, lol, as no one really expects a "text file" to be a vehicle for madness! Note: I've always been PDP11 :) just a coincidence, PDP.
PDP11, not yet... according to my contacts in Adobe, the patch will be available at the end of this month.
Can you confirm if this work around will work? http://www.adobe.com/support/security/advisories/apsa07-04.html
IMHO, with Adobe bulletin, it became obvious that this is an URI handler bug. Mitigation reg key (cDefaultLaunchURLPerms) speaks for itself :) It seems like mailto: handler is by default set to "automatic" launch in Adobe Acrobat/Reader (reg value=2).
codepupil, I need to verify this. There are a few more issues that make the exploit functional and complete.
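Adobe's APSA07-04 workaround, which the comments above refer to, has administrators hand-edit the pipe-delimited tSchemePerms string under the cDefaultLaunchURLPerms policy key. The following is an added example, not code from the original post or from Adobe: it parses that string, forces the mailto: entry to 3 (block) while keeping every other entry, exposes an audit check for confirming the workaround on a host, and can apply the result through winreg. The HKLM key path and value name are taken from the advisory; the meaning of the per-scheme numbers (1 = prompt, 2 = allow without prompting, 3 = block) is an assumption based on the comment above and Adobe's preference documentation, so verify it against your installation before deploying.

```python
"""Apply the Adobe APSA07-04 registry workaround: block the mailto: scheme in
Adobe Reader 8.x's FeatureLockDown URL-launch permissions.

Added example, not code from the original post or from Adobe. The key path
and value name are those given in the advisory linked in the comments; the
meaning of the per-scheme numbers (1 = prompt, 2 = allow without prompting,
3 = block) is an assumption based on the comment above and Adobe's
preference documentation, so verify it against your own installation.
"""
import sys

# Assumed from APSA07-04 (under the HKEY_LOCAL_MACHINE hive).
READER_KEY = (r"SOFTWARE\Policies\Adobe\Acrobat Reader\8.0"
              r"\FeatureLockDown\cDefaultLaunchURLPerms")
VALUE_NAME = "tSchemePerms"
PERM_BLOCK = 3


def parse_scheme_perms(value):
    """Parse 'version:1|shell:3|mailto:2' into an ordered {scheme: perm} dict.

    Raises ValueError on a malformed entry rather than silently dropping it,
    because a dropped entry could re-enable a scheme Adobe blocks by default.
    """
    perms = {}
    for entry in value.split("|"):
        if not entry:
            continue
        scheme, sep, perm = entry.rpartition(":")
        if not sep or not scheme or not perm.isdigit():
            raise ValueError(f"malformed tSchemePerms entry: {entry!r}")
        perms[scheme.lower()] = int(perm)
    return perms


def serialize_scheme_perms(perms):
    return "|".join(f"{scheme}:{perm}" for scheme, perm in perms.items())


def block_scheme(value, scheme="mailto"):
    """Return `value` with `scheme` forced to block, every other entry kept.

    The 'version' tag is kept (or added) as the first entry, the position
    Adobe's default string gives it.
    """
    perms = parse_scheme_perms(value)
    ordered = {"version": perms.pop("version", 1)}
    ordered.update(perms)
    ordered[scheme.lower()] = PERM_BLOCK
    return serialize_scheme_perms(ordered)


def scheme_blocked(value, scheme="mailto"):
    """True if the string already blocks `scheme` (use this to audit hosts)."""
    return parse_scheme_perms(value).get(scheme.lower()) == PERM_BLOCK


def apply_workaround(dry_run=True):
    """Read the live value, compute the blocked form and (unless dry_run)
    write it back. Returns (current, updated). Needs Windows and the right
    to write HKLM. If the key or value is absent it raises instead of
    inventing one, since a short replacement would drop Adobe's other
    blocked schemes."""
    if sys.platform != "win32":
        raise RuntimeError("the registry workaround only applies on Windows")
    import winreg  # Windows-only module, imported lazily
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, READER_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_WRITE) as key:
        current, kind = winreg.QueryValueEx(key, VALUE_NAME)
        if kind != winreg.REG_SZ:
            raise RuntimeError(f"{VALUE_NAME} is not REG_SZ; not touching it")
        updated = block_scheme(current)
        if not dry_run and updated != current:
            winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_SZ, updated)
    return current, updated


if __name__ == "__main__":
    # Constructed sample in the advisory's format, so the logic runs offline.
    sample = "version:1|shell:3|javascript:3|vbscript:3|mailto:2"
    print("before:", sample, "blocked:", scheme_blocked(sample))
    fixed = block_scheme(sample)
    print("after: ", fixed, "blocked:", scheme_blocked(fixed))
    if sys.platform == "win32" and "--apply" in sys.argv:
        print(apply_workaround(dry_run=False))
```

Run it without arguments on any platform to see the string transformation; on a Windows host run it as an administrator with `--apply` to write the value. Pair `scheme_blocked` with whatever inventory tooling you have to answer the "did the workaround really land" question raised further down the thread, and remember that the Acrobat product line uses its own policy key, which this script does not touch.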
Hi, isn't the point here that only PDFs of unknown origin could be suspicious? Most PDFs are from legitimate providers, and so you must mean spam that comes with a PDF. So can normal PDFs even be infected with whatever the exploit is? Or are we talking about PDFs from suspicious sources only here, or all PDFs?
PDP, Thanks I've deployed the workaround just in case. Tigre: It would seem to me the bigger issue is someone embedding this pdf in webpages or in html emails but I may be wrong...
I have a hard time believing that "XP with IE7" is the only vulnerable combination. Especially when your example video doesn't seem to depend on IE at all. Has anyone tested on Win2K? XP w/ IE6? Other?
I'm with thorin - a whole shitload of companies who aren't running IE7 have just removed all their mitigations based on that announcement, but I'm not convinced. pdp, can you please confirm that Adobe's workaround really solved the problem that you found? Thanks.
More information on the issue can be found here and here. Adobe has released an advisory over here. Successful exploitation of the PDF issue relies on a few other things. Microsoft has no other choice but to patch up the issue just to satisfy the community, even though this may not be entirely their problem. First of all, developers should not really trust the user input and pass it to a function that they don't fully understand. Now, some of you may criticize me for this statement, but do we blame PHP or ASP for the SQL injections that your software has? No! Why should anyone pass something that does not look like a URL into a function that expects URLs?
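The point in the comment above is a general one: whatever a document viewer hands to a URL-launching API should first be checked to be a URL of a scheme the application actually means to support. The following is an added example, not code from the original post, from Adobe or from Microsoft, of such a check. It goes a little beyond the mailto: case under discussion by applying a scheme allowlist and RFC 3986 percent-encoding validation to any URI; the allowlist, the deliberately strict mailto grammar, and the injectable `launcher` callable (standing in for a ShellExecute-style API so the code runs offline) are the editor's choices, and the sample inputs are constructed.

```python
"""Validate a URI before handing it to a URL-launching API.

Added example for the point made above (do not pass something that does not
look like a URL to a function that expects one). Not code from the original
post, from Adobe or from Microsoft. The launcher is an injectable callable
standing in for a ShellExecute-style API; the allowlist and the strict
mailto grammar are the editor's choices.
"""
import re

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")
# Every '%' must start a pct-encoded triplet: '%' HEXDIG HEXDIG.
_BAD_PCT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")
# Deliberately strict addr-spec: one local part, one dotted domain.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# RFC 3986 query characters (pchar plus '/' and '?'); pct-encoding checked above.
_QUERY_RE = re.compile(r"^[A-Za-z0-9%._~!$&'()*+,;=:@/?-]*$")


class UnsafeURI(ValueError):
    """Raised for anything that must not reach the launcher."""


def _mailto_ok(rest):
    """Accept only mailto:addr(,addr)*(?hfields)? with plain addr-specs."""
    addrs, _, query = rest.partition("?")
    if not all(_ADDR_RE.match(a) for a in addrs.split(",")):
        return False
    return bool(_QUERY_RE.match(query))


def check_uri(uri, allowed_schemes=("http", "https", "mailto")):
    """Return the URI with a lower-cased scheme if it is well-formed and its
    scheme is on the allowlist; raise UnsafeURI otherwise."""
    if not isinstance(uri, str) or not uri:
        raise UnsafeURI("empty URI")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in uri):
        raise UnsafeURI("control characters in URI")
    scheme, sep, rest = uri.partition(":")
    if not sep or not _SCHEME_RE.match(scheme):
        raise UnsafeURI("no valid scheme")
    scheme = scheme.lower()
    if scheme not in allowed_schemes:
        raise UnsafeURI(f"scheme {scheme!r} not allowed")
    if _BAD_PCT_RE.search(rest):
        raise UnsafeURI("malformed percent-encoding")
    if scheme == "mailto" and not _mailto_ok(rest):
        raise UnsafeURI("mailto target is not an address list")
    return f"{scheme}:{rest}"


def launch(uri, launcher, allowed_schemes=("http", "https", "mailto")):
    """The hardened pattern: validate, then call the launcher.
    (The weak pattern criticised in the thread is simply `launcher(uri)`.)"""
    return launcher(check_uri(uri, allowed_schemes))


# Constructed inputs. The third has the shape one commenter saw handed to his
# mail client on Linux; the fourth has a '%' with no hex digits after it.
SAMPLES = [
    "mailto:alice@example.com",
    "mailto:alice@example.com?subject=hi%20there",
    "mailto:windows/system32/calc.exe",
    "mailto:test%../x",
    "file:///C:/Windows/notepad.exe",
]


def triage(uris, allowed_schemes=("http", "https", "mailto")):
    """Map each URI to 'ok' or 'rejected: <reason>' without launching anything."""
    results = {}
    for uri in uris:
        try:
            check_uri(uri, allowed_schemes)
            results[uri] = "ok"
        except UnsafeURI as exc:
            results[uri] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for uri, verdict in triage(SAMPLES).items():
        print(f"{verdict:45} {uri}")
```

The rejection reasons are returned rather than only logged so the same function can sit behind a mail-gateway or proxy rule that scores PDF-borne links; note that a strict grammar like this will also refuse legitimate but unusual mailto: forms (for example an empty address list with only header fields), which is the trade-off to make consciously.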
Thanks pdp that technet blog article was great.
Thanks. For those who are against the idea of publishing this vulnerability. Their concerns are understood. People just don't like being helpless. To make an analogy, I would imagine that we shouldn't talk about AIDS because we didn't find a cure for it; we shouldn't broadcast news of Burma because we can't help the people there.
Adrian: not the best analogy, since AIDS is rampant in the wild and many people are working on stopping it, so we need to talk about it. With the PDF vulnerability, it is still contained. I'm a big fan of full disclosure *if the vendor is unresponsive* as a means to increase pressure for a solution. If I can find a vulnerability, so can many others, so we need a fix. But if the vendor has acknowledged and is working towards a 'cure', give them time before unleashing the madness.
Why can't we have an example of this vulnerability?
Hi, here is my PoC: http://security.fedora-hosting.com/0day/pdf/pdf_poc.pdf and here is an ugly description: http://security.fedora-hosting.com/0day/pdf/pdf_poc.txt thank you, pdp :) regards, cyanid-E
Hi there. There's a direct exploitation of this vuln without any prompt, advert, or whatever. We can reevaluate the XSS criticality vector with this kind of PoC. http://aviv.raffon.net/ (news = Back from the dead) regards.
Hi guys i guess we can rename your PoC from remote unless than locally now! nice find btw keep it up dude ;) regards laurent gaffié
This is a great tutorial, thanks!
Hi there! @helloworld & laurent.gaffié: just rename your PDF file, say test.pdf, to test.fdf ... It opens external Acrobat with IE7 and prompts an open dialog with FF. Enjoy ;) Cheers
Very informative, and I see we still can't get along apparently, oh well. But, being obviously on the lower end of the knowledge curve in this arena... Can any of you human beings tell me what you think of this link's usefulness regarding these kinds of issues? -Vegas
Bad analogy, Adrian, A better one would be, "Why not hand out vials of HIV tainted blood in the hopes that some freelance doctor will find a cure?"
@cyanid-E I opened your PDF on a Linux system via: 1. the Adobe Firefox plugin 2. Adobe Reader 8.1.1 ("Adobe strongly recommends upgrading to Adobe Reader 8.1.1") and Evolution offered to send an email to guys with really strange email addresses: 1. "windows/system32/calc.exe" 2. test%.. - quite scary -
This explains why spammers have now switched to sending their emails with a PDF attachment. Usually the PDF attachment contains an embedded image of a stock quote or something stupid like that. Lately I have been opening these out of curiosity, but it seems we should not.
Have you all noticed that the spammer's choice of delivery has become PDF attachments? The attached PDF usually contains stock quotes.
Are there any reactions from Adobe?
now that all the patches are out are you going to release some more details?
Does this affect Windows XP w/ Service Pack 3? Thanks