It has been a few months since I posted anything here, but tonight as I was fiddling around with the Launch action within a PDF file I discovered another oddity that I thought would make an interesting blog posting. As we are all probably aware, the Launch action within the PDF specification allows for arbitrary files to be opened and/or executed in Adobe Reader versions prior to version 9.3.3 with very few restrictions. Adobe attempted to apply some basic blacklisting restrictions to prevent the Launch action from executing these arbitrary executables in version 9.3.3, but this attempt was poorly implemented, as the blacklist was easily escaped by simply adding double quotes. Needless to say, Adobe quickly corrected this with the release of Adobe Reader version 9.4. So what was the oddity I discovered in a fully patched Adobe Reader version 9.4 release that may be of interest?
Earlier this week Adobe released security updates and patches to resolve several security vulnerabilities, but after some manipulation of my original POC found here: “Are PDF’s Worm-able” I have found that the /Launch misuse attack can still be carried out. The following video demonstrates this attack being carried out on a fully patched Adobe Reader version 9.3.3.
The good folks over at M86 Security Labs are reporting the first instance of the Zeus data-stealing bot taking advantage of the PDF Launch action. You can read the full blog posting here: PDF ‘Launch’ Feature Used to Install Zeus. The malicious actors involved with this instance appear to have only a very small grasp of the capabilities surrounding the Launch action, as this attempt at utilizing the Launch action to carry out badness is very rudimentary. The malicious actors require the targeted user to click through two different warning dialog boxes and do not take advantage of controlling the second warning dialog box text at all. Their intentions are clearly shown in the Launch dialog box, as shown in the screenshot:
We all knew it was coming, so I doubt anyone is going to be shocked to learn that SophosLabs is reporting they have now seen the first instance of a malicious PDF file utilizing the Launch action. Paul from SophosLabs did a short blog posting found here: Troj/PDFEx-DF: SophosLabs sees malware exploiting /Launch. Now my only question concerning this instance is whether or not the malicious PDF file contained the logic or feature set to perform incremental updates on other PDF files. Adobe will be releasing their official patch for the Launch action tomorrow, but from all that I can tell it will not address the incremental update issue at all.
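A defender-side check for the two things the posts above keep coming back to, a Launch action and an incremental update that appends one to an otherwise clean file, as an added Python example that is not code from the original blog. The sample PDF bytes, object numbers and target file names in it are constructed for illustration; it does not inflate compressed object streams, so a Launch action hidden inside one would need the stream decoded first.

```python
import re
from typing import Dict, List

# Constructed sample: a minimal PDF whose original body carries one /Launch
# action, followed by an incremental update (second %%EOF) that appends a
# second /Launch object whose name is hex-escaped (/L#61unch) to dodge a
# naive string match.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch /F (example.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
    b"4 0 obj << /Type /Action /S /L#61unch /Win << /F (updater.exe) /P (/q) >> >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n"
    b"%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so /L#61unch compares equal to /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_updates(pdf: bytes) -> int:
    """Number of incremental updates appended after the original %%EOF."""
    return max(pdf.count(b"%%EOF") - 1, 0)


def find_launch_actions(pdf: bytes) -> List[Dict]:
    """One record per object holding an /S /Launch action.

    'section' is the update section the object sits in: 0 is the original
    file, 1+ are appended updates, which is how a Launch action can be added
    to an existing PDF without touching its earlier bytes.
    """
    hits = []
    for idx, section in enumerate(normalize_names(pdf).split(b"%%EOF")):
        for m in OBJ_RE.finditer(section):
            body = m.group(3)
            if LAUNCH_RE.search(body):
                f = FILE_RE.search(body)
                hits.append({"object": int(m.group(1)), "section": idx,
                             "target": f.group(1).decode("latin-1") if f else None})
    return hits
```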
The most common question I have received this week is whether there are any legitimate use cases for the /Launch action within the PDF specification. With that in mind I sat back for about 15 minutes today and gave this some serious thought, which resulted in the following three legitimate use cases:
- Identify all PDF files that reside on a user's computer to identify possible targets that could be used to carry out badness.
- Secure Adobe Reader 9.0 by applying the Registry settings they recommended earlier this week.
- Secure my “idiot” users' computers that would fall for this /Launch attack by uninstalling Adobe Reader if they click through the WARNING MESSAGE.
Just a few minutes ago I learned via a comment submitted on my “Are PDFs Worm-Able?” posting that another proof of concept was created performing the same style of attack. Have a look for yourself:
I have received several email questions and explanation requests regarding my blog post “Are PDFs Worm-Able” and the proof of concept video within the post. Instead of repeating a post I wrote over on my company’s blog, I figured I would just link to it from here: Implications of Recent PDF /Launch Hacks. In the linked blog post I describe some of the implications of this style of hack, and I also walk through a scenario in which a variation of my proof of concept is utilized to infect all PDFs found on a user's system.
Yesterday I posted about a thought I had that expanded upon Didier Stevens’ Escape From PDF built-in feature discovery, where he executed an embedded executable binary using some crafty hacking. My thought was that it may very well be possible to launch an attack internally from one PDF onto another already existing PDF. I emailed Didier with my idea and some of the specifics, and he said it was definitely possible. So I decided to try my luck at creating a proof of concept and created this video to demonstrate it: