PDF Worm – Exploit Requires No Specific Security Hole to Function

Security Holes Not Required to Attack via PDF files

If the sheer number of exploits in Adobe’s products over the last year hasn’t scared you off yet, then maybe a PDF attack that doesn’t require an exploit or JavaScript to run will. Here’s a proof of concept video for your viewing pleasure:

Jeremy Conway, product manager at NitroSecurity, created this proof of concept for an attack in which malicious code is injected into a file on a computer as part of an incremental update; the same technique could be used to inject malicious code into any or all PDF files on a computer. So it looks like a new generation of PDF worms is coming soon.

PDFs Are the New Vector for Malware - PDF Worms Coming

The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

Worse, Foxit PDF, a growing competitor to Adobe, does not even warn the user that code is about to be invoked. It just quietly lets the code run without any user interaction!

Turning off JavaScript would not prevent the attack. It also does not require that the attacker exploit a vulnerability in the PDF reader itself. The PDF reader incremental update capability “can be used as an infection vector,” said Conway. The attack “does not exploit a vulnerability. No crazy Zero-Day (exploit) is needed to make this work.”

Another PDF security specialist, Didier Stevens, has developed a PDF document which is capable of infecting a PC without exploiting a specific vulnerability. The demo exploit works both in Adobe Reader and in Foxit. Stevens says he used the “Launch Actions/Launch File” option, which can even start scripts and EXE files that are embedded in the PDF document. This option is part of the PDF specification.

Stevens intends to keep his PDF document with the embedded code under wraps until the vendors respond. However, he has provided a document (direct download) which launches the command prompt when the PDF file is opened. When tested by the TechChunks Security team, this worked under Windows 7 with the current versions of Adobe Reader and Foxit. In principle, this concept is also said to be suitable for starting an FTP transfer to download and start a trojan.
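Both traits described above, a Launch action and a revision appended by incremental update, leave marks in the raw bytes of a file that a defender can check for. The following is an added example, not code from Conway, Stevens or the original article; the function names and the sample bytes are constructed for illustration.

```python
"""Triage PDFs for the two traits discussed above: Launch actions and appended revisions."""
import re

# Name tokens from the PDF specification that matter for this attack class.
WATCHED = (b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")

# A name runs from "/" to the next PDF whitespace or delimiter character.
_NAME = re.compile(rb"/[^\s\x00/<>\[\]()%{}]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(name: bytes) -> bytes:
    """Decode #xx escapes, which the specification allows inside names."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), name)


def scan_pdf(data: bytes) -> dict:
    """Count watched names and %%EOF markers in the raw bytes of a PDF."""
    counts = {w.decode(): 0 for w in WATCHED}
    for match in _NAME.finditer(data):
        name = normalize_name(match.group(0))
        if name in WATCHED:
            counts[name.decode()] += 1
    revisions = data.count(b"%%EOF")  # each saved revision ends with one marker
    return {
        "names": counts,
        "revisions": revisions,
        "incremental_update": revisions > 1,
        "launch_action": counts["/Launch"] > 0,
    }


# Constructed sample input: object fragments only, not a complete PDF.
SAMPLE_ORIGINAL = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
# The same bytes with a second revision appended that adds a Launch action.
SAMPLE_UPDATED = SAMPLE_ORIGINAL + (
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /Action /S /L#61unch /F (PLACEHOLDER) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("original", SAMPLE_ORIGINAL), ("updated", SAMPLE_UPDATED)):
        print(label, scan_pdf(blob))
```

A revision count above one is only a triage signal, since ordinary saves, form fills and signatures also append revisions. Names stored inside compressed streams are not visible to a raw byte scan like this one.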

The authors are not releasing the method, but I can tell you that once the concept is released, which it has been, someone on the wrong side will figure it out soon enough. Adobe, Foxit and other PDF reader providers need to look into this ASAP and release a patch quickly.
