Researcher Didier Stevens just managed to discover that he can make a PDF reader execute any command without exploiting any vulnerability ! On his blog he demonstrated how the “Launch” action of a PDF document can be abused to execute arbitrary commands on the victim’s machine.
Though he did not reveal complete details, his partial PoC is good enough to guess how the attack works. I decided to have a look at it and see how this behaves on different platforms and readers.
Apparently what Adobe thought was a feature leaves gaping holes in the operating system for any attacker to exploit ! By simply having a look at the PDF file specification on Adobe’s website, I was able to create the attack that Stevens has described in his post. It is extremely trivial to manipulate the dialog box prompt -
This was tested on WinXP SP3 with Adobe Reader 9.3.1. Clicking “Open” directly opens the calculator, as I just changed the “/F” parameter in his PoC to “calc.exe”.
But wait, that’s not it: I replaced calc.exe with, guess what, a URL and voila … my browser just opened and took me straight to that page. Ohh.. how nice Adobe !!? :/ If your PDF opens directly in your browser, then it gets even better ! -
Now, not only can the attacker take you to an exploit-loaded website, but this also becomes an even more lucrative vector for phishing attacks. Imagine receiving a PDF from a bank that asks you to click “Open” to go to its website and enter your details !
I decided to try this on my Ubuntu 9.10, but (thank god) the Evince document viewer did not open any file (yes, I modified the PDF for xcalc). But what about Adobe Reader 9.3.1 on Ubuntu ?? It did give the prompt, but unlike Windows, it did not allow me to execute any program.
Instead I was able to open any file in the default editor. Also, note that I was not able to control the prompt text box as in the case of Windows ! And the URL demo didn’t work with Adobe Reader on Ubuntu either.
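Since everything above hinges on a /Launch action and the target named in its /F parameter, a defender can triage incoming PDFs by listing every /Launch action and its /F value (an executable or a URL, as in the two tests above). The scanner below is an added example, not code from this post or from Stevens; the PDF bytes are constructed here to exercise both cases, and the heuristic in is_suspicious is my own.

```python
import re

# Constructed sample (not a real-world file): a catalog /OpenAction that launches calc.exe
# (with the /Win sub-dictionary carrying its own /F) and a link annotation that launches a URL.
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /Launch /F (calc.exe) /Win << /F (calc.exe) >> >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /Launch /F (http://example.invalid/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LAUNCH_RE = re.compile(rb"/S\s*/Launch")
# /F followed by either a literal (...) string or a hex <...> string
FILE_RE = re.compile(rb"/F\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")

def decode_pdf_string(tok):
    """Decode a literal (...) or hex <...> PDF string token into text."""
    if tok.startswith(b"("):
        body = re.sub(rb"\\([()\\])", rb"\1", tok[1:-1])  # unescape \( \) \\
        return body.decode("latin-1")
    hexbody = re.sub(rb"\s", b"", tok[1:-1])
    return bytes.fromhex(hexbody.decode("ascii")).decode("latin-1")

def find_launch_actions(data):
    """Return one finding per /Launch action: its byte offset and the distinct /F targets."""
    findings = []
    for m in LAUNCH_RE.finditer(data):
        # Look at the rest of the enclosing object (up to 'endobj') for /F parameters.
        end = data.find(b"endobj", m.end())
        chunk = data[m.end(): end if end != -1 else len(data)]
        targets = []
        for tok in FILE_RE.findall(chunk):
            val = decode_pdf_string(tok)
            if val not in targets:
                targets.append(val)
        findings.append({"offset": m.start(), "targets": targets})
    return findings

def is_suspicious(finding):
    """Heuristic: a /Launch pointing at an executable or a URL deserves an analyst's attention."""
    return any(t.lower().endswith((".exe", ".bat", ".cmd", ".com")) or "://" in t
               for t in finding["targets"])

if __name__ == "__main__":
    for f in find_launch_actions(SAMPLE_PDF):
        print(f, "SUSPICIOUS" if is_suspicious(f) else "")
```

Note that this only sees objects stored in clear text; actions hidden inside compressed object streams or encoded with other string tricks need the file decompressed first (pdf-parser from Stevens' own toolkit does that), so treat this as a first-pass filter rather than a complete detector.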
Hope Adobe and others fix this issue soon ! I don’t wanna start analyzing another pile of malicious PDFs again .. ;)