Hacker Finds Multiple PDF Backdoors

Posted by Zonk
from the watch-where-you-put-that dept.
Gungadin writes "Eweek.com has a story about a British security researcher figuring out a way to manipulate legitimate features in Adobe PDF files to open backdoors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and two sample PDF files to demonstrate how the Adobe Reader program can be rigged to launch Web-based attacks without any user action. He claims there are at least seven different ways to backdoor a PDF."
  • Non Adobe? (Score:5, Insightful)

    by BiggyP (466507) <philh.theopencd@org> on Friday September 15, 2006 @07:35PM (#16117767) Homepage Journal
    OK, I don't have the Adobe Reader installed but rather Evince and gPDF; since these lack support for a lot of the additional features of PDF, am I any safer?
    • Evince, etc. (Score:5, Interesting)

      by Noksagt (69097) on Friday September 15, 2006 @07:41PM (#16117818) Homepage
      I also mostly use evince. Neither test worked. They triggered this message:
      "** (evince:18185): WARNING **: Unimplemented action: POPPLER_ACTION_UNKNOWN, please post a bug report with a testcase."

      Note that a different implementation only gives you DIFFERENT bugs and holes, as anyone who has followed exploits in xpdf knows.
    • I am using Slashdot's Discussion2 and I accidentally modded you redundant. Just posting this reply to cancel the mod.

      I find it very odd that there is no confirmation before a selected mod is applied. I think I'll submit that as a UI bug. Sorry for the inconvenience.

      BTW, I meant to mod the parent as Interesting, because he raises a great question: Are these flaws of the PDF format? Or just Adobe's implementation (or extensions)?

    • Re: (Score:2, Informative)

      by dextromulous (627459)

      Not necessarily.

      Some gPDF [securityfocus.com] vulnerabilities.

      I didn't find any Evince vulnerabilities in my limited search, but that doesn't mean there will not be one. You will most likely remain safe from 'sploits targeted towards Adobe users by not using the Adobe PDF reader, but that should be obvious.

    • by twitter (104583) on Friday September 15, 2006 @10:52PM (#16118578) Homepage Journal

      Evince and gPDF, since these lack support for a lot of the additional features of PDF, am I any safer?

      From the Fine Article:

      the target's browser is automatically launched and loads the embedded link. "At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.

      That looks like a lot of automagic nonsense that most free software would not do. The only thing that's obvious to me is that any malicious w32 code is going to bounce off my browser. My pdf reader, kpdf, did not take the first step of automatically launching a browser, and my browser would not take any of the dozens of brain-dead and spam-friendly automatic steps that make IE a disaster. A computer that's not internet safe but is connected to a network is always at risk.

      Note that it's not a "lack of features" that makes kpdf work right. Kpdf has links that work when you press them, table of content browsing, keyword searches, text and image cut and paste, and prints flawless copy. Those are the features you want in a pdf viewer. Automatically popping up a browser is a feature you don't want.

      • I clicked on the links with Opera in Windows XP, it launched Adobe Acrobat Reader as it should have, and then...nothing. Neither of the exploit demos were successful on my setup (Opera-XP-Acrobat Reader). Does this mean it's an IE-only exploit? (Note: my default browser is Opera as well)
      • The first "vulnerability" is the ability to have clickable web links in a pdf. It's a standard feature of the PDF document language, and all conforming viewers should support it. I'd be surprised if evince doesn't, but most of the other free viewers are too primitive.

        In my view this claim is idiotic anyway. I just found a giant security hole in HTML where if they view my page or email with a link and if they click on it, it might take them to a malicious site.

        *yawn*
        • My mistake - that post is not correct. It appears to actually be using JavaScript as supported by Adobe Reader to automatically launch a link. Still, in my view, not a big deal (and my Adobe Reader asks for confirmation anyway) but somewhat more valid.
    • The nearly featureless PostScript viewer GhostView ( http://www.cs.wisc.edu/~ghost/ [wisc.edu] ) does me fine for most PDF viewing chores. If a document needs more attention than can be read on screen in a few minutes, I'm just going to send it to a printer anyway.

      If it's full of "interactive content," then, well, you shouldn't have made it a PDF, since I'm pretty unlikely to jump through hoops to discover what you're trying to say. Use HTML or PowerPoint or what have you if you really need interactivity. My distrust
  • Heh (Score:5, Funny)

    by Shawn is an Asshole (845769) on Friday September 15, 2006 @07:36PM (#16117774)
    <beavis_and_butthead>
    Huh huh, penetration.
    </beavis_and_butthead>

    Who started giving this title?
  • by crazyjeremy (857410) * on Friday September 15, 2006 @07:37PM (#16117779) Homepage Journal
    "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," Kierznowski said in an e-mail interview with eWEEK.
    Isn't that what a vulnerability is? Exploiting a "feature" in a way not originally intended?
    • by JustNilt (984644) on Friday September 15, 2006 @07:40PM (#16117808) Homepage
      It seems a fine line but I think many would consider this an exploit. A vulnerability would be a non-feature that can be exploited in some manner. I could be wrong (as far as speaking for others) but this is my take on it. Again, it seems a little like semantics but it's a line that can be defined quite well.
      • by suv4x4 (956391)
        It seems a fine line but I think many would consider this an exploit. A vulnerability would be a non-feature that can be exploited in some manner. I could be wrong (as far as speaking for others) but this is my take on it. Again, it seems a little like semantics but it's a line that can be defined quite well.

        I'm looking forward to someone giving a definitive answer to this burning question. I can't sleep until I know if my Adobe Reader has multiple exploits or multiple vulnerabilities.
    • by Shimmer (3036)
      I think the terms are pretty easy to understand:

            Exploit : Vulnerability :: Key : Lock

      So what this guy has done is develop exploits for pre-existing vulnerabilities in PDF. No?
    • Re: (Score:3, Informative)

      by cgenman (325138)
      I think he's defining a vulnerability to be a piece of poorly written code, like an input buffer that's vulnerable to an overflow. Or a URL parser that's vulnerable to a carefully formatted string. The code in that case is not behaving as intended.

      An exploit would be more along the lines of the old outlook viruses. Outlook used to allow arbitrary scripts to be run on mail loading, and messages to be sent to an entire address book. Combine these two, and you have an exploit. It's behaving completely as
      • Re: (Score:1, Interesting)

        by Anonymous Coward
        Whether or not a given piece of software is behaving as intended is not really relevant when considering whether or not the software in question has a security hole. For instance, I can write an app that listens on port 24126 and executes the commands received locally. The software is behaving exactly as intended. It also has a huge security hole - it allows anyone to connect to my computer and run basically any code they want. It may not be a bug in the code, but it is still a security hole. Just as in thi
        • by cgenman (325138)
          From a security point of view, they're the same problem. But from a *fixing* point of view, exploits are a lot more problematic. If the functionality of the application is causing the problem, then by definition fixing the security flaw will entail altering the functionality. Suddenly, your PDF-based form scripts won't work any more. A simple buffer overflow will cause headaches to the developer, but an exploit will cause headaches to the developer and a portion of your most devoted users.

  • Confused (Score:4, Insightful)

    by ndansmith (582590) on Friday September 15, 2006 @07:37PM (#16117783)
    After reading the article I am not sure if this is an Adobe Reader problem or a PDF problem. Every example cites an Adobe product, but the "hacker" said, "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this." Translation?
    • Re:Confused (Score:4, Informative)

      by MarkCollette (459340) on Friday September 15, 2006 @07:50PM (#16117874)
      Basically, the PDF standard [adobe.com] allows for a lot of ways to access data on your local machine, in databases, and through your web browser. It also has mechanisms for running JavaScript, and even executing arbitrary local programs. Some of these things require a user to click on a link in a PDF, and some require just opening the PDF or visiting a specific page in the PDF.

      Many of these features are quite helpful for corporate clients, but maybe shouldn't be allowed by default.

      In retrospect, some of the other free 3rd-party PDF viewers, that don't support those fancy features, might be better for people to use:

      http://www.icesoft.com/products/icepdf.html [icesoft.com]
      • by TubeSteak (669689)
        So, just to boil this issue down to the essentials:

        Will turning off javascript within Acrobat prevent the exploit?

        (I run IE w/javascript enabled, but not Acrobat. Go Figure)
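The action mechanisms MarkCollette lists above (URL opening, JavaScript, local program launch, some triggered by a click and some by merely opening the document) and TubeSteak's question whether turning off JavaScript would stop the demo can be checked directly against a file. The triage scanner below is an added example, not code from the thread or the article: it flags the risky action types in a PDF and separates those reachable from /OpenAction or /AA (fire on open) from those hanging off a clickable link annotation. The sample PDFs and the example.invalid URL are constructed for the demonstration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Action types the thread talks about; each hands control to something outside
# the page content. /JS is the key that carries inline JavaScript source.
RISKY_ACTIONS = {b"/URI": "open a URL in the browser", b"/JavaScript": "run JavaScript",
                 b"/JS": "inline JavaScript source", b"/Launch": "run a local program",
                 b"/SubmitForm": "post form data to a URL", b"/GoToR": "open a remote file"}
AUTO_KEYS = {b"OpenAction", b"AA"}  # trigger keys whose actions fire without any click

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_OBJ_HEADER = re.compile(rb"(\d+)\s+\d+\s+obj\b")
_AUTO_REF = re.compile(rb"/(?:OpenAction|AA)\s+(\d+)\s+\d+\s+R\b")  # indirect trigger

@dataclass(frozen=True)
class Finding:
    action: str
    automatic: bool  # reachable from /OpenAction or /AA rather than a clicked link
    reason: str

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx name escapes so /Ja#76aScript compares equal to /JavaScript.
    Applied to the whole file (streams too) because this is triage, not parsing."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def enclosing_dicts(text: bytes, pos: int) -> list[tuple[int, bytes | None]]:
    """Walk back from pos and return (start, key) for each dictionary enclosing it,
    innermost first; key is the /Name written just before that dictionary's '<<'."""
    out, depth, i = [], 0, pos
    while i >= 2:
        pair = text[i - 2:i]
        if pair == b">>":
            depth += 1
        elif pair == b"<<" and depth:
            depth -= 1
        elif pair == b"<<":
            key = re.search(rb"/([A-Za-z]+)\s*$", text[max(0, i - 42):i - 2])
            out.append((i - 2, key.group(1) if key else None))
        i -= 2 if pair in (b">>", b"<<") else 1
    return out

def scan_pdf(data: bytes) -> list[Finding]:
    """Flag risky actions and decide whether each fires on open or only on a click."""
    text = normalize_names(data)
    auto_objs = {int(m.group(1)) for m in _AUTO_REF.finditer(text)}
    obj_starts = [(m.start(), int(m.group(1))) for m in _OBJ_HEADER.finditer(text)]
    findings, seen = [], set()
    for name, reason in RISKY_ACTIONS.items():
        for m in re.finditer(re.escape(name) + rb"\b", text):
            dicts = enclosing_dicts(text, m.start())
            key = (name, dicts[0][0] if dicts else -1)  # '/S /URI' and the '/URI' key share a dict
            if key in seen:
                continue
            seen.add(key)
            holder = [n for s, n in obj_starts if s < m.start()]  # object containing the match
            automatic = any(k in AUTO_KEYS for _, k in dicts) or (bool(holder) and holder[-1] in auto_objs)
            findings.append(Finding(name.decode(), automatic, reason))
    return findings

def summarize(data: bytes) -> dict[str, list[str]]:
    """Split findings into actions that fire on open and actions that need a click."""
    found = scan_pdf(data)
    return {"automatic": sorted({f.action for f in found if f.automatic}),
            "click": sorted({f.action for f in found if not f.automatic})}

# Constructed samples, not the article's demo files; minimal but enough for triage.
_PAGES = (b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
          b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")
_TAIL = b"trailer << /Root 1 0 R >>\n%%EOF\n"
# Browser launched on open: the shape of the first demo (a URI action, no JavaScript).
AUTO_URI_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R "
                b"/OpenAction << /S /URI /URI (http://example.invalid/) >> >> endobj\n" + _PAGES + _TAIL)
# Same trigger, but the action is an indirect object holding JavaScript.
AUTO_JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
               + _PAGES + b"4 0 obj << /S /JavaScript /JS (/* constructed: no-op */) >> endobj\n" + _TAIL)
# An ordinary clickable link: a /Link annotation on the page whose /A action is a URI.
LINK_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            + _PAGES.replace(b"/Type /Page ", b"/Type /Page /Annots [4 0 R] ")
            + b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            b"/A << /S /URI /URI (http://example.invalid/) >> >> endobj\n" + _TAIL)
ESCAPED_JS_PDF = AUTO_JS_PDF.replace(b"/JavaScript", b"/Ja#76aScript")  # name-escape variant

if __name__ == "__main__":
    for label, pdf in (("auto URI", AUTO_URI_PDF), ("auto JS", AUTO_JS_PDF), ("link", LINK_PDF), ("escaped", ESCAPED_JS_PDF)):
        print(f"{label:10} {summarize(pdf)}")
```

The first sample shows why disabling Reader's JavaScript alone does not settle the question: an /OpenAction that is a plain URI action fires on open with no script involved, while the link-only sample stays in the "click" bucket.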
    • Re: (Score:3, Informative)

      by Kesch (943326)
      Really, it's using pdf supported code to undertake malicious actions. The code may or may not work in other readers depending on whether the specific feature has been implemented; however, it is at least known for sure that Adobe Reader has the advanced support in place for the exploitable features.
    • I'd have to agree with you and suggest that instead the article and commentary title here are slightly misleading...if that were all a typical user read, s/he'd have the impression that merely opening a PDF file would make the computer vulnerable to exploitation in some fashion. The two methods described in this eWeek article don't appear to be anything of the sort. I think the majority of people now on any platform and likely the vast majority of more highly literate (in a computer sense) users don't al
      • (My apologies for the above formatting, I was editing and the cat walked on the laptop, which normally doesn't result in a permanent mistake!)
    • It's not a bug, it's a FEATURE!
  • How badly do you have to screw up to make it possible to hack through a virtual document?
  • by Noksagt (69097) * on Friday September 15, 2006 @07:39PM (#16117798) Homepage
    The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.
    • by JustNilt (984644)
      Neither test document worked for me on a Windows XP box all patched up and using Acrobat Reader 7.0.8. What I get is a Security Warning stating the document is trying to connect to the domain. I'm not totally convinced this is an Adobe warning as it looks a lot like IE's warnings and I haven't yet tested exhaustively.

      Either way, it's time to start letting clients know that PDFs have been added to the list of "potentially risky" file types.
    • by JCCyC (179760)
      The article has two testcases. The second uses Windows ODBC so, unsurprisingly, fails. The first is supposed to open a web page automatically, but I'm presented with a dialogue asking me if I really want to open it (and the URL is identified in the dialogue). This seems to be good behavior. Did Adobe get things right on Linux & not on Windows? That's got to be a first.

      Same here (RPM version 7.0.1-1), except the dialog box does NOT say what URL is going to be opened. And it refuses to save any browser pr
      • by sjwest (948274)
        Simple answer: hacking Microsoft Windows is more productive, and it validates the issue so it gets reported here.
    • by Kesch (943326)
      Looking at some of the comments in his blog, the presence or absence of a warning box is kind of random. However, it might be linked to whether you open the pdf from your browser (no warning) or from your machine.

      I got an interesting result on mine (under Linux) in that it asked me if I wanted to config my browser settings. I answered 'yes' and was then directed to a config page where I could input which browser command I wanted to use to launch my browser. It looks like this could easily be set to an interme
    • Both test cases give me a confirmation dialog offering to add the target site to a trusted list.

      Curiously, both XP and Firefox updated over the last two days.
  • pr0n (Score:5, Funny)

    by User 956 (568564) on Friday September 15, 2006 @07:44PM (#16117839) Homepage
    He claims there are at least seven different ways to backdoor a PDF.

    I've seen quite a bit of pr0n. There's way more than seven ways.
  • by Mikachu (972457) <jjburke&hunter,cuny,edu> on Friday September 15, 2006 @07:45PM (#16117842) Homepage
    Sources claim the exploits would have been found sooner if any other hackers had the patience to wait for PDFs to load.
  • Yippee Skippee (Score:3, Interesting)

    by Mozleron (944945) on Friday September 15, 2006 @07:46PM (#16117846)
    Just when I thought I didn't like PDFs, up comes this neat little "Feature" to try and make me like them all the more...

    Wait, this isn't a good thing, is it... And I'm willing to bet Adobe is not really all that happy about it either...

    Maybe this will prod them into getting back to their roots of a simpler system that did not take 30+ seconds to start up and did not bring a browser to its knees when it decided to act up... Or maybe I could just be dreaming.
  • by akheron01 (637033) on Friday September 15, 2006 @07:48PM (#16117857) Homepage
    As a concerned Mac user I enjoy my very securely built operating system very much, and since the OS X drawing system is based heavily around PDF I was wondering if these could possibly create vulnerabilities in the operating system for mac users.
    • Re: (Score:3, Informative)

      by agent dero (680753)
      The vulnerabilities aren't in the format per se, but more in Adobe's implementation of their Acrobat products.

      Apple, along with Preview, has its own implementation of rendering and viewing PDFs
    • by Strolls (641018)
      As a concerned Mac user ... I was wondering if these could possibly create vulnerabilities ... for mac users.
      Well, if you tried downloading the sample PDF [michaeldaw.org] in 10.4 you'd see that opening it in Preview shows an apparently-live webpage. So it would seem fairly safe to say the answer may be "yes".

      Stroller.

      • Re: (Score:2, Informative)

        by Rivendell (543219)
        Opening the first PDF with Preview does not cause Safari to launch, and appears to show a static Google web page. No outbound traffic was observed when opening the PDF in Preview. Opening the PDF using Acrobat 5.0, 6.0, and 7.0 appears to cause Safari to launch and open "http://www.google.com/owned.html". It looks like Preview is not vulnerable to this particular attack, while at least some Adobe Acrobat readers for OSX are vulnerable.
        • by Strolls (641018)
          Ah, ok. Please excuse me - you have my apologies. Having not tried this under the Adobe applications, I assumed the point was to load the Google webpage, and because clicking on links within that opens Safari I assumed the page would be dynamic. I also wanted to reply to a Mac user smug about security.
          • by tm2b (42473)
            I also wanted to reply to a Mac user smug about security.
            ...and, despite the fact that the OP wasn't smug (in fact, was worried), underscored that some smugness may be warranted.

            Good job, bigot boy!
    • by Petrushka (815171)

      Fear not: the title (replicated from TFA) is glaringly inaccurate in an attempt to sensationalise and induce general panic.

      As even the blurb above states quite clearly, these are not vulnerabilities in PDF, a file format, they're vulnerabilities in Adobe Reader, an application (and one which most OS X users have no need for, thanks to Preview).

      In fact, TFA seems to indicate moreover that the attacks are specific to Windows.

      Nothing to see here .... unless you use Adobe Reader in Windows.

      • by laffer1 (701823)
        Actually I have it installed on my Mac. There are a few features Preview does not support.
  • Penetration (Score:2, Funny)

    by SauroNlord (707570)
    David Kierznowski, a penetration testing expert
    I wish I was a penetration test expert!
    • by Xemu (50595)
      If "crash tests" require "crash test dummies" then I guess we know what the rubber dolls are used for in penetration testing.
  • Of course (Score:2, Insightful)

    by Anonymous Coward
    As if PostScript is not dangerous enough, Adobe's PDF attack vector executes JavaScript. When you're done disabling JavaScript in the Adobe PDF reader, you should disable it in your browser.

    Has everyone downloaded the new version of Firefox? Because 5 out of 7 of the vulns it fixes are JavaScript related. Why do we have to keep going through this, are people in denial or something? We all know what the problem is. There's only one security advisory I'd like to see for JavaScript problems, the mother of all ad
    • Well, the first order of business would be to hunt down and kill all the "web developers" who insist on using JavaScript for essential parts of their site. If it wasn't for them, I could just use dillo like I want to and not worry about JavaScript crap...

    • by pclminion (145572)

      PDF does not contain PostScript. The outward appearance of PDF's high-level data types (like dictionaries), and the PDF graphics language were inspired by PostScript, but it is NOT a stack based language. You can't, for instance, write a PDF which computes Mandelbrot's fractal and displays it (as you could with a PostScript program).

      Get the facts straight. Just because a PDF looks "kinda like" a PostScript file in a binary editor doesn't mean it's PostScript.

  • Easy (Score:5, Informative)

    by OpenSourced (323149) on Friday September 15, 2006 @08:02PM (#16117942) Journal
    Use FoxitReader (http://www.foxitsoftware.com), much lighter and faster than Adobe Reader, and probably with its own set of vulnerabilities, but unlikely to be much targeted.

    • Free (Score:3, Informative)

      by mrchaotica (681592) *

      Better yet, use Ghostscript [wisc.edu]. It's also much lighter and faster than Acrobat Reader, and -- more importantly, and unlike Foxit Reader -- is Free Software.

      • by gatzke (2977)

        Yes, but the default version has an annoying splash screen registration screen to click through every time you open gv or gsview.

        As a result, I stopped using their reader. Free and Annoying.
        • by duguk (589689)

          > Yes, but the default version has an annoying splash screen registration screen to click through every time you open gv or gsview.

          Nope, it doesn't have an annoying splash screen, but does have a small unobtrusive advert in the top right - which doesn't need internet access, only advertises Foxit's own products AND can be turned off through the menus.

          > As a result, I stopped using their reader. Free and Annoying.

          Definitely free, but easy to use for idiots. At least it doesn't crash Firefox :)

          Dug
          • by Ctrl-Z (28806)
            I believe the comment was that ghostscript is free and annoying, not foxit.
  • "Hacker"?! (Score:5, Interesting)

    by coyote-san (38515) on Friday September 15, 2006 @08:18PM (#16117995)
    Since when is a respected security researcher a "HACKER"?!

    Seriously. I know the old definition of "hacker" and have been proud to be called one (in that sense) in the past, but the headline clearly refers to the malicious definition of hacker. This headline seems to serve no purpose other than deliberately blurring the line between legitimate researchers and the jerks who exploit weaknesses.
    • Re: (Score:3, Interesting)

      by Ilgaz (86384)
      Normally I would say "Oh another hacker, not hacker fight" but your post makes perfect sense since just 2 stories below, posted by Zonk again, says:

      "IT: How Hackers Identify Their Targets
      Posted by Zonk on 0:07 16th September, 2006
      from the drawing-a-bead dept.

      narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. "

      The "hacker" term used there is in spammer/zom
  • Malvin: I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?
    Jim Sting: [yelling] Mister Potato Head! Mister Potato Head! Back doors are not secrets!
    Malvin: Yeah, but Jim, you're giving away all our best tricks!
    Jim Sting: They're not tricks.
  • by Anonymous Coward
    The Mac version of Acrobat reader is actually not affected by these vulnerabilities; they only occur on the Windows platform.
  • Create a parallel directory to the installdir/adobe/acrobat 7.0/acrobat/plug-ins/ directory, call it plug-not, and move all non-essential plug-ins into that directory.

    I just want a reader, not a full fledged pseudo-browser app with tons of security exploits - there's already one called Internet Explorer on my PC!

    So I've moved away: Accessibility, Acroform, ADBC, EScript, Multimedia, weblink, webpdf, etc.

    Now when you open those "exploit" links, you get a pop-up saying, "The plug-in required by this 'URI' action
    • by Lehk228 (705449)
      Try out Foxit; it's by far faster than Acrobat Reader, and aside from any technical security improvements, it has the benefit of being a tiny target compared to Acrobat.

      Yes, even much faster than the stripped-down version of Acrobat Reader.
  • by md17 (68506) * <james AT jamesward DOT org> on Friday September 15, 2006 @08:46PM (#16118110) Homepage
    In the article the second "back door demo (PDF)" link just points to the same PDF as the first link. The correct link is:
    http://michaeldaw.org/projects/backdoored2.pdf [michaeldaw.org]
  • by Anonymous Coward
    The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the target's browser is automatically launched and loads the embedded link.

    Just about anything can automatically open a link. If there is something malicious on the page it is loading, that's a browser problem.
    • by Ilgaz (86384)
      It launches INSIDE the plugin; the plugin renders the web browser and it looks very functional. That "first" link loads google.co.uk fine.

      More interestingly, as many Mac users got sick of Adobe or Apple PDF plugins, I use the Schubert IT browser plugin (free for non-commercial use) inside Omniweb 5.5.

      Now, this is Mac and OS X... No known "go to page and get spyware if your system is not updated" stuff around.

      This is a big deal for Windows.
      • by Ilgaz (86384)
        Oops, the Schubert IT plugin (http://schubert-it.com/) is NOT affected by the first link; it loads the web page, doesn't open another link.

        Apologies, I misunderstood the problem.

        Again, launching a URL on Windows could be disaster.
  • by md17 (68506) * <james AT jamesward DOT org> on Friday September 15, 2006 @08:51PM (#16118126) Homepage
  • I've tried both exploits on Linux (acroread & Gnome Document Viewer). Neither work. The first asks if I want to connect to the web site and I have to explicitly click "Allow" (in acroread). The second of course doesn't work because I don't have any ODBC junk on my Linux box. But that doesn't mean that it can't talk to other unsecured ports on my computer. That would be interesting to find out.
  • future mother-in-law: so, what do you do?
    guy: I'm a penetration tester.
    ....fill in rest.....
  • Apart from its (known) security problems, Acrobat Reader has a number of other problems, foremost that it's slow and that it fails to comply with Gnome, KDE, and Macintosh desktop UI standards.

    There are more usable, faster, and safer alternatives.
    • Re: (Score:3, Interesting)

      by vtcodger (957785)
      ***Acrobat Reader has a number of other problems, foremost that it's slow and that it fails to comply with Gnome, KDE, and Macintosh desktop UI standards.***

      There are Gnome and KDE UI standards? Who knew?

      OK, OK, that's snarky. But when you port a program from one OS to another -- Windows to Linux in this case -- there are going to be UI problems. Most Mac programs are human factors disasters when ported to Windows. And heck yes, that includes Excel. Personally, I've always found Excel to be major a

  • Even for Windows. I tested the proof of concept PDFs in FoxIt PDF reader (http://foxitsoftware.com/), and none of them worked. The flaws aren't in the PDF format itself, they're in Adobe's implementation of it.
  • "He claims there are at least seven different ways to backdoor a PDF."

    But remember there must be 50 ways to leave your lover
  • Get your PDF version of the story here [slashdot.org]
  • Most PDFs can be viewed with gsview [wisc.edu], the old Postscript previewer. It doesn't have all that crap Adobe put in like WebBuy, but nobody uses that anyway. Gsview will display PDFs that older versions of Adobe Reader won't.

  • I clicked on the link. I am using Firefox. It warned me that my PDF reader is old (6.0), opened what appeared to be a PDF version of the Google home page, then redirected to google.com/owned.html, which did not exist. Does it mean that my machine is vulnerable?

    The second test too failed the same way.

    But in the tabs where I expected pdf docs now there is a 404 Not Found error. What does it prove?

    What should I do to remove these fancy features from pdf readers?

  • IIRC, at least PostScript has been demonstrated as a Turing complete language (someone wrote a printer's driver in it, as reported on Slashdot many years ago, IIRC). And, given PDF's background, why shouldn't it be that too? Please, someone with more knowledge, please enlighten me if I'm on the wrong track! And, if it is, would that matter to this context, finding (or writing) 'backdoors'?
  • ...but why can't Slashdot, of all places, use "cracker"?
    • by elrous0 (869638) *
      Because no one uses the word "cracker" for malicious hackers, outside of a few anal-retentive hold-outs. Sorry, but common usage has left this debate behind long ago. You can either deal with it or end up like that annoying old fart at the nursing home ranting about how "gay" means happy, dammit!

      -Eric

  • When the user types in the search box in recent versions of Acrobat reader, while viewing a .pdf retrieved from the web, the reader performs a GET on the search keywords appended to the original location of the document (enclosed in double quotes).
    So, as a website owner you get the search terms used on your documents as 404 errors in the logfile.
    (I have not yet tried to answer those queries with a 200 response, who knows what happens then...)
