Anyways, to join in on the fun I spent a few minutes modifying Didier’s cmd.exe proof of concept to launch Firefox on Windows and pass it my URL, so if you open this PDF file, “win_sudosecure.pdf”, on Windows under Foxit or Acrobat Reader and have Firefox installed, you should get sent to my website. Of course, if you’re using Acrobat Reader you have to click through the pop-up. So why would I demonstrate that you can pass arguments to the Launch action that opens a URL? Well, I can think of some really nasty phishing attacks this style of attack could be used for. Just think if you landed on one of the oh-so-common web exploit packs, or if the PDF was crafted to look like an official banking document that provided instructions to verify your information by entering it into the targeted URL. Hmm, since arguments can be passed, here is another thought. The PDF document itself could be an official-looking banking document with an embedded form that lets the user fill in his or her information within the PDF itself. At the bottom of the form, a submit button calls the Launch action to execute Firefox or Internet Explorer while passing the information via URL arguments to an attacker’s server that is happy to receive, parse, and store it. Obviously the attacker should post an official-looking thank-you from the URL for your submission to really dig the knife in. Not a pretty picture, and I could see this style of attack being pretty effective, since we all know users have a tendency to fall for this sort of stuff.
I also modified the origami “calc.rb” Ruby script to create a PDF that, when opened in Linux with Acrobat Reader, will launch Firefox. For this PDF to work, Firefox has to be installed at “/usr/bin/firefox”. The interesting thing about attempting this on Linux was that I could not pass arguments to the Launch command, so it is not as effective as the Windows version. Darn, not as easy to phish those pesky Linux users; oh well. If you want to test it, just open this PDF, “linux_firefox.pdf”, within Linux. When I first started playing with this Linux version I thought of some really nasty things you could possibly do by passing the sudo command arguments/parameters, but again, as I stated earlier, I was quickly disappointed when it didn’t work. Oh well, better luck next time.
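The defender's side of both experiments above is the same question: does a PDF carry a Launch action at all, and if so which program does it point at and what arguments does it pass? The following triage script is an added example written for this post; it is not Didier's PoC, not the origami script, and not the two PDFs linked above. It assumes the layout of Launch actions from the PDF reference (an action dictionary with /S /Launch, an /F file specification and, on Windows, a /Win sub-dictionary carrying /F and the /P parameter string) and works on the raw file bytes. The two sample PDFs embedded in it are constructed for the demonstration; the second one uses #xx name escapes and a hex string, which is a common way to hide /Launch from naive grep-based checks.

```python
from __future__ import annotations
import re

# Constructed sample: a minimal PDF whose OpenAction is a Windows-style Launch
# action (assumption: mirrors the shape of the win_sudosecure.pdf experiment;
# this is not that file).
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Type /Action /S /Launch /Win << /F (firefox.exe) /P (http://example.invalid/) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Same action, but /S, /Launch and /Win are written with #xx name escapes and
# the file name as a hex string (constructed obfuscation example).
OBFUSCATED_PDF = b"""%PDF-1.1
1 0 obj
<< /Type /Catalog /OpenAction 3 0 R >>
endobj
3 0 obj
<< /Type /Action /#53 /L#61unch /#57in << /F <66697265666f782e657865> /P (http://example.invalid/) >> >>
endobj
%%EOF
"""

PDF_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# A PDF string value: literal (...) with backslash escapes, or hex <...>
STRING_VALUE = rb"(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
FILE_RE = re.compile(rb"/F\s*" + STRING_VALUE)      # program / file to run
PARAM_RE = re.compile(rb"/P\s*" + STRING_VALUE)     # Windows-only parameters
PLATFORM_RE = re.compile(rb"/(Win|Unix|Mac)\s*<<")  # platform sub-dictionaries


def _decode(m: re.Match) -> str:
    """Turn a matched literal or hex PDF string into text."""
    if m.group("lit") is not None:
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group("lit"))  # undo \( \) \\
        return raw.decode("latin-1")
    digits = re.sub(rb"\s", b"", m.group("hex"))
    if len(digits) % 2:          # PDF pads a trailing odd digit with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def find_launch_actions(pdf: bytes) -> list[dict]:
    """Return one record per object that contains a /S /Launch action.

    Name escapes (#xx) are resolved first so /#4Caunch is seen as /Launch.
    This is deliberately crude triage: it also rewrites #xx inside string
    values and does not look inside compressed object streams.
    """
    data = PDF_NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), pdf)
    findings = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        if not LAUNCH_RE.search(body):
            continue
        f = FILE_RE.search(body)
        p = PARAM_RE.search(body)
        findings.append({
            "obj": int(m.group(1)),
            "file": _decode(f) if f else None,
            "params": _decode(p) if p else None,
            "platforms": [k.decode("ascii") for k in PLATFORM_RE.findall(body)],
        })
    return findings


def summarize(pdf: bytes) -> list[str]:
    """Human-readable one-liners, one per Launch action found."""
    lines = []
    for r in find_launch_actions(pdf):
        plat = ",".join(r["platforms"]) or "generic"
        lines.append(f"obj {r['obj']}: Launch [{plat}] file={r['file']!r} params={r['params']!r}")
    return lines


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("obfuscated", OBFUSCATED_PDF)):
        print(name)
        for line in summarize(blob):
            print("  " + line)
```

Two practical notes. First, on Windows the /P string is exactly the argument the post is worried about, so a non-empty /P next to a browser or shell executable is the signal to alert on; on Linux and macOS the absence of a parameter key is why the post's second experiment could not pass arguments. Second, this scans the raw file only; a Launch action placed inside a PDF 1.5 object stream is Flate-compressed and invisible to it, so for real triage inflate object streams first (or hand the file to a proper parser such as Didier's pdf-parser) and treat this script as the quick first pass.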