davidh
March 31st, 2010, 04:18 PM
PDF Arbitrary Code Execution - vulnerable by design.
Published: 2010-03-31,
Last Updated: 2010-03-31 19:04:25 UTC
by Johannes Ullrich (Version: 1)
Didier Stevens, who probably knows the PDF format better then most and has written some great PDF analysis tools, published a very interesting and concerning blog post [1].
In this post, he outlines how PDFs can be used to execute code. Nothing new you may say... plenty of exploits have done this in the past. This is different: He is not using a vulnerability, but a feature. Evidently, PDFs have the ability to execute code by design. Since this is not an implementation, but a design problem, various PDF readers are vulnerable. In his blog, Didier show a video of the exploit using Adobe's PDF reader. Adobe's reader will show a warning and ask the user for permission. However, the wording of this warning may be changed by the attacker. Foxit, a popular alternative to Adobe's reader, will show no warning.
At this point, Didier does not provide a public PoC exploit. However, he says he is in contact with vendors.
[1] http://blog.didierstevens.com
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
http://isc.sans.org/diary.html?storyid=8545&rss..
Published: 2010-03-31,
Last Updated: 2010-03-31 19:04:25 UTC
by Johannes Ullrich (Version: 1)
Didier Stevens, who probably knows the PDF format better then most and has written some great PDF analysis tools, published a very interesting and concerning blog post [1].
In this post, he outlines how PDFs can be used to execute code. Nothing new you may say... plenty of exploits have done this in the past. This is different: He is not using a vulnerability, but a feature. Evidently, PDFs have the ability to execute code by design. Since this is not an implementation, but a design problem, various PDF readers are vulnerable. In his blog, Didier show a video of the exploit using Adobe's PDF reader. Adobe's reader will show a warning and ask the user for permission. However, the wording of this warning may be changed by the attacker. Foxit, a popular alternative to Adobe's reader, will show no warning.
At this point, Didier does not provide a public PoC exploit. However, he says he is in contact with vendors.
[1] http://blog.didierstevens.com
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
http://isc.sans.org/diary.html?storyid=8545&rss..