It has been a few months since I posted anything here but tonight as I was fiddling around with the Launch action within a PDF file I discovered another oddity that I thought would make an interesting blog posting. As we are all probably aware of the Launch action within the PDF specification allows for arbitrary files to be opened and/or executed in Adobe reader versions prior to version 9.3.3 with very little restrictions. Adobe attempted to apply some basic blacklisting restrictions to prevent the Launch action from executing these arbitrary executables in version 9.3.3, but this attempt was poorly implemented as the blacklist was easily escaped by simply adding double quotes. Needless to say Adobe quickly corrected this with the release of Adobe reader version 9.4. So what was the oddity I discovered in a fully patched Adobe reader version 9.4 release that may be of interest?
What I discovered is that the PDF Launch action specification allows for any PDF file accessible by the end user to be printed to the default printer and Adobe reader implements this specification without properly disclosing that a print action is being carried out. What I mean by not properly disclosing that a print action is being carried out is that a warning dialog box is presented to the end user, but the message within the this dialog box provides no indication that the PDF file is being printed. The following screen capture is what is displayed to the end user prior to the Launch action being executed to print a PDF file:
As you can see no where within the warning dialog box is the name of the PDF file being accessed displayed to the end user nor is there any indication that a PDF file is being submitted as a print job to the end users default printer. The warning dialog box in my opinion is very misleading to say the least, as it would appear that we are attempting to open the AcroRD32.exe file which is the Adobe reader executable. Once the Open button is clicked the PDF file referenced by the Launch action is printed to the end users default printer.
Now this is definitely not as serious of an issue as the previous Launch action issues that allowed malicious actors to carry out attacks that would allow for the execution of arbitrary executables, which is why I titled this post an “Oddity”. Although I can think of a scenario where this oddity could be used to carry out an information disclosure attack. Since the Launch action will allow you to specify any PDF file accessible to the end user to be printed it would be possible to send a crafted PDF file to someone to gain access to other PDF files that you may not have access to. Take for instance, lets say we know our boss keeps all of the annual performance reviews on a network share drive that only he has access to and that we all share a common network printer in the office. We could easily craft a PDF file that printed all of these PDF files to our network printer without him knowing it for us to then just swoop by the network printer to pick up. Basically all we need to know is the path and the file name to carry this attack out. The second style of attack I could think of utilizing this oddity is more of an announce than a security issue. We could easily craft a PDF file with say 1,000 solid black pages which when opened by the end user would drain the default printer of all it’s ink or toner. This kind of attack sort of reminds me of the old black fax attack.
If your curious to the syntax feel free to download this PDF file “print.pdf” which when opened in Adobe reader on Windows will print itself to your default printer. One thing to note about the Launch action and printing is that we do not get to specify what printer the document is printed to and it is automatically sent to the end users default printer. If your curious to what the syntax would look like to print one PDF file from another download these and save these two PDF files in the same directory: “print_test.pdf” and “test.pdf“. Opening the “print_test.pdf” file will print the “test.pdf” file to the end users default printer.
View full post on sudosecure.net
