I have received several email questions and explanation requests regarding my blog post “Are PDFs Worm-Able” and the proof of concept video within the post. Instead of repeating a post I wrote over on my company’s blog I figured I would just link to it from here: Implications of Recent PDF /Launch Hacks. In the linked blog post I describe some of the implications of this style of hack and I also walk through a scenario in which a variation of my proof of concept is utilized to infect all PDFs found on a user’s system.

I don’t think my proof of concept was as clear as I would have liked it to be. Within the proof of concept I infected a single benign PDF file from another PDF file, but this proof of concept could easily be modified to recursively traverse a user’s computer directories to find and infect all PDF files on that user’s computer and/or accessible to that user at the time of execution, with any payload of my choosing. I chose to infect the benign PDF with another /Launch hack that redirected a user to my website, but this could have just as easily been an exploit pack and/or an embedded Trojan binary. Worse yet, this dynamic infection vector could be utilized to populate all PDFs for some new 0-day attack, thereby multiplying an attacker’s infection vehicles while still exploiting user systems (“worm-able”). This should really make you think twice even before you open up PDF files that have resided on your computer for years, as they could soon be utilized against you if an attacker chose to do so. Now, I have never seen this style of attack carried out, and in the past I have preached that PDF files could be utilized in an attack like this, but until now it always required the usage of an external script and/or binary that possessed the capabilities for updating PDF files on the fly.

The cool thing about Didier’s hack is that it brought to light for me a way to perform this attack without having to utilize anything outside the PDF file and without having to exploit the PDF application itself. Now, if this clarification doesn’t scare you I don’t know what will, as it scares the hell out of me. I am an avid Linux user and tend to use “okular” for reading PDF files, which doesn’t support all the features that mainstream PDF rendering applications like Acrobat Reader and Foxit do, so I am not too worried with regards to my own systems, but in an enterprise environment this style of attack could spell real disaster. What I would really like to see as a solution is a minimalistic version of the mainstream PDF rendering applications, one that does not support all these robust feature sets, made available to the public. This would really help out those of us who tend to only use PDFs for reading documents and don’t require the ability to launch applications, play media files, dynamically fill out forms, and/or utilize all the other robust features on a daily basis. Just a thought.
View full post on sudosecure.net
[...] Original article URL http://www.sudosecure.net/archives/644 [...]
[...] “Within the proof of concept I infected a single benign PDF file from another PDF file, but this proof of concept could easily be modified to recursively traverse a user’s computer directories to find and infect all PDF files on that user’s computer and/or accessible to that user at the time of execution with any payload of my choosing,” he wrote on the SudoSecure.net site. [...]
[...] discovered a way to spread malicious code across PDF documents on a victim’s computer. The attack leverages a flaw in the way the PDF file format works, adding malicious data to legitimate PDF [...]
[...] front lines. Now, the PDF format itself has a huge security vulnerability that can be exploited without even using a rendering application. So, let’s take a break and have some fun for a change. Check out Password [...]
Never thought of doing that, but it could work following the security by obscurity principle.
So basically we should change our trusted PDF files’ extensions from .pdf to something like .pdg and associate that with Adobe Reader, so that at least the old PDFs (PDGs) cannot become infected.