WARNING - PDF exploits - Adobe and Foxit [and others] readers

Discussion in 'Computer Security' started by MEB, Apr 1, 2010.

  1. MEB Guest

    This particular style of exploit has been around for quite some time in
    various forms. I have previously advised of this style of attack.
    Yet another party has posted the methodology and provided example coding.
    Specially and EASILY crafted PDFs can be created to include calls to
    external applications which are not blocked by JAVA or other
    restrictions, yet can be run, forcing other unwanted activities [such as
    opening IE or running commands] or exploiting other vulnerabilities
    within other applications. This type of exploit can be used in
    conjunction with other exploits, compounding the potential malicious
    usage. These exploits can be modified to work within any OS, though
    system restrictions and other security may mitigate some of the
    potential exploits.

    Adobe Reader and Foxit Reader are vulnerable to this style of exploit,
    as may others. Foxit appears to be more exploitable than Adobe to this
    particular issue.

    Sumatra is apparently immune or doesn't support this type of exploit,
    and others may be as well.

    Metasploit and several others have provided other or additional styles
    of this type of exploit.

    REFERENCES/EXAMPLES:

    http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
    take particular note of the comment section for indications of how easy
    the coding and modifications are.

    http://www.metasploit.com/

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Apr 1, 2010
    #1
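The attack class described in post #1 needs no viewer bug: a PDF action dictionary (/Launch, or an /OpenAction that points at one) asks the reader to run something outside itself. The following is an added example, not code from the original thread nor from the "Escape from PDF" post it links. It builds a minimal PDF whose /OpenAction is a /Launch action and then triages raw PDF bytes for the action keywords a reviewer cares about. The "cmd.exe /c echo" target is a constructed, harmless stand-in; the hex-escaped name (/#4Caunch) is there because PDF name objects may escape any character, which defeats a plain grep.

```python
# Added example, not code from the original thread or from the linked blog post.
# Stdlib only; the sample PDF and its launch target are constructed here.
import re

# PDF name objects may hex-escape any byte: /#4Caunch is the same name as
# /Launch. Decode escapes before matching so obfuscated names are still seen.
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


# Keywords worth flagging in a document from an untrusted source.
SUSPICIOUS = {
    b"/Launch":       "launch action: runs a program or opens a file outside the viewer",
    b"/OpenAction":   "action fired automatically when the document opens",
    b"/AA":           "additional actions (page open/close, form events)",
    b"/JavaScript":   "JavaScript action",
    b"/JS":           "JavaScript code object",
    b"/EmbeddedFile": "embedded file, a possible payload carrier",
    b"/URI":          "URI action",
    b"/SubmitForm":   "form submission to a URL",
}


def scan_pdf(data: bytes) -> dict:
    """Return {keyword: count} for every suspicious keyword present."""
    norm = normalise_names(data)
    hits = {}
    for kw in SUSPICIOUS:
        # A name ends at the first delimiter, so /JS must not match /JSX etc.
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, norm))
        if n:
            hits[kw.decode()] = n
    return hits


_LAUNCH_TARGET = re.compile(rb"/Launch.*?/F\s*\(([^)]*)\)", re.DOTALL)


def launch_targets(data: bytes) -> list:
    """Program/file names given by /Launch actions (literal-string /F only)."""
    return [m.group(1).decode("latin-1")
            for m in _LAUNCH_TARGET.finditer(normalise_names(data))]


def triage(data: bytes) -> str:
    hits = scan_pdf(data)
    if "/Launch" in hits:
        return "block"          # reaches outside the viewer; no bug required
    if any(k in hits for k in ("/JavaScript", "/JS", "/EmbeddedFile")):
        return "review"
    return "allow"


def launch_action(program: bytes, params: bytes, obfuscate: bool = False) -> bytes:
    """A /Launch action using the /Win sub-dictionary form (/F program, /P parameters)."""
    name = b"/#4Caunch" if obfuscate else b"/Launch"
    return (b"<< /Type /Action /S " + name +
            b" /Win << /F (" + program + b") /P (" + params + b") >> >>")


def build_pdf(action: bytes = b"") -> bytes:
    """Minimal one-page PDF; a non-empty `action` dict becomes the catalog's /OpenAction."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if action:
        catalog += b" /OpenAction 4 0 R"
    objs = [
        catalog + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if action:
        objs.append(action)
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: obfuscated /Launch of a harmless echo command.
    sample = build_pdf(launch_action(b"cmd.exe", b"/c echo constructed sample", obfuscate=True))
    print(scan_pdf(sample), launch_targets(sample), triage(sample))
```

Two caveats for anyone using this as a real filter: it scans raw bytes, so objects packed into compressed object streams (PDF 1.5 /ObjStm) or an /F given as a hex string or indirect reference are missed, and a clean verdict only means none of these names were found in plain view. Treat it as a first-pass triage, not proof of safety.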

  2. thanatoid Guest

    <SNIP>

    Thanks for the info.

    I have never gotten around to removing AR 5 from my machine,
    even though I use the Fox reader for everything. Occasionally,
    on stupid sites which give you no choice, instead of DL'g, the
    damn PDF opens in the Opera browser windows using AR, not Fox. I
    would like NOTHING to ever open, and "hack the DL" if I have to.
    Do you know where the setting might be to remove the AR opening
    automatically?

    I suppose I could just remove AR, but then Opera would
    probably find Fox and default to that, which is no good either.

    I hope you can make sense of what I just wrote.

    Thanks.
    t.
     
    thanatoid, Apr 1, 2010
    #2

  3. Dan Guest

    FoxitReader has a new update.
     
    Dan, Apr 3, 2010
    #3
  4. MEB Guest

    Does it supposedly deal with these issues?


     
    MEB, Apr 5, 2010
    #4
  5. You did not quote the issues you refer to in your response. I have put that
    part back (above.)

    You can easily check for yourself, as can anyone else. Foxit Software has a
    security page here:
    http://www.foxitsoftware.com/pdf/reader/security.htm

    Now that you can see the security page for Foxit Software and what patches
    they have released and for what reasons those patches were released and the
    referenced 'these issues' - do the updates deal with what you reported on
    April 1, 2010?
     
    Shenan Stanley, Apr 5, 2010
    #5
  6. Had to change one of your words - didn't make it to MS servers...

    Hmm, not sure for AR5 but AR6 is/was [or was this just for developers
    editions?]:

    [HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\6.0\Originals]

    "bBrowserIntegration"=dword:00000000


    However that would leave some files that MAY still cause issues. How
    about this/these [note they refer to XP removals but you should be able
    to figure out the 9X folders being referenced, OR just do a "find" for
    the file names]:

    http://www.instant-registry-fixes.org/how-to-uninstall-adobe-products/
    Note the *.ocx files [ActiveX controls] and the dlls...

    http://www.ehow.com/how_4925573_remove-adobe-reader.html

    http://www.adobetutorialz.com/articles/120/1/Removing-Acrobat-Reader-505

    You can or should be able to "disable" the *.ocx "helpers" by going to
    the folder and right clicking [IIRC].
     
    MEB.peoplescounsel, Apr 5, 2010
    #6
  7. thanatoid Guest

    Thanks very much.
    Cheers.
     
    thanatoid, Apr 5, 2010
    #7
  8. thanatoid Guest

    Did I offend the MaSters of the world by using the f word
    instead of darn?
    (...)
    Just occurred to me that I can check...
    (...)
    ONE LETTER? Unbelievable.
    Un-darn-believable.
     
    thanatoid, Apr 5, 2010
    #8
  9. MEB Guest

    I didn't because they were already removed.
    Since you have returned the links to the materials, would you say or
    advise that the issues have been fixed pursuant to the original linked
    materials and your link?

    Apr. 2, 2010
    "Authorization Bypass When Executing An Embedded Executable.
    SUMMARY

    Fixed a security issue that Foxit Reader runs an executable embedded
    program inside a PDF automatically without asking for user’s permission.
    AFFECTED SOFTWARE VERSION

    Foxit Reader 3.2.0.0303."

    Have you personally tested for these vulnerabilities [see for example,
    the metasploit link] with/after the supposed fix/update?

    I would opine that they may deal with SOME of those reported issues; I
    would not go so far as to claim they were completely fixed when taken in
    conjunction with other exploits/vulnerabilities, or per indications of
    other versions affected, or per other exploits using similar methods
    [since there appeared to be several methods to achieve the results].
    Would you?

     
    MEB, Apr 5, 2010
    #9
  10. From: "MEB" <>

    | I didn't because they were already removed.



    | Since you have returned the links to the materials, would you say or
    | advise that the issues have been fixed pursuant the original linked
    | materials and your link?

    | Apr. 2, 2010
    | "Authorization Bypass When Executing An Embedded Executable.
    | SUMMARY

    | Fixed a security issue that Foxit Reader runs an executable embedded
    | program inside a PDF automatically without asking for user’s permission.
    | AFFECTED SOFTWARE VERSION

    | Foxit Reader 3.2.0.0303."

    | Have you personally tested for these vulnerabilities [see for example,
    | the metasploit link] with/after the supposed fix/update?

    | I would opine that they may deal with SOME of those reported issues, I
    | would not go so far as to claim they were completely fixed when taken in
    | conjunction with other exploits/vulnerabilities or per indications of
    | other versions affected; or per other exploits using similar methods
    | [since there appeared to be several methods to achieve the results],
    | would you?

    http://www.us-cert.gov/current/index.html#foxit_reader_3_2_1
     
    David H. Lipman, Apr 5, 2010
    #10
  11. MEB Guest

    "US-CERT encourages users and administrators to review the Foxit notice
    regarding the release and upgrade to Foxit Reader 3.2.1.0401 to help
    mitigate the risks."

    I think the key word above is "help", perhaps I'm wrong.

    Last weeks summary of vulnerabilities, in particular relating
    Oracle/Sun JAVA and IE, seems to be a part of the total picture, add in
    the OSs themselves and their vulnerabilities and we have a slightly
    different total picture involved.

    http://www.us-cert.gov/cas/bulletins/SB10-095.html

    Oracle released an update:
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
    "Due to the threat posed by a successful attack, Oracle strongly
    recommends that customers apply CPU fixes as soon as possible. This
    Critical Patch Update contains 27 new security fixes across all products."

     
    MEB, Apr 5, 2010
    #11
  12. Dan Guest

    Meb, I have been researching this vulnerability and apparently the new
    update to the FoxitReader software allows there to be a warning box that will pop
    up before this vulnerability is launched.

    http://www.pcworld.com/businesscenter/article/193101/malicious_pdf_file_doesnt_need_a_software_vulnerability.html

    "I've reported it to Foxit Software, and they told me they will issue a fix
    this week. I don't know what the fix will be, but I assume it will be a
    warning message, to be in line with the other PDF readers," Stevens said via
    e-mail. (from the article)

    http://forums.foxitsoftware.com/showthread.php?t=18044

    http://www.kb.cert.org/vuls/id/570177

    "This issue is addressed in Foxit Reader 3.2.1.0401. This update will cause
    Foxit Reader to prompt the user before using a Launch Action." (From US-Cert)

    It appears that the makers of Foxit Reader are much more concerned about the
    user's safety and security than the makers of Adobe Reader.
     
    Dan, Apr 6, 2010
    #12
  13. MEB Guest

    Again, though I applaud the efforts [call me overly cautious], I still
    wouldn't go so far as to say the issues have been absolutely fixed when
    one of the abilities/malicious activities is to "suppress" the pop-up
    box, hence the warning never appears or is not seen; we have also seen
    methods elsewhere for "auto" click/authorizations involved. So I'll
    continue to reserve "it's fixed" until real-world proven.

    As for Adobe, since that is basically its own "operating environment",
    these issues will apparently be more difficult to address as they are
    supposedly a "feature".

     
    MEB, Apr 6, 2010
    #13
  14. MEB Guest

    See other parts of this thread for information on FoxIt Reader updates.


    US-CERT Technical Cyber Security Alert TA10-103C -- Adobe Reader and
    Acrobat Vulnerabilities



    National Cyber Alert System

    Technical Cyber Security Alert TA10-103C


    Adobe Reader and Acrobat Vulnerabilities

    Original release date: April 13, 2010
    Last revised: --
    Source: US-CERT


    Systems Affected

    * Adobe Reader 9.3.1 and earlier 9.x versions
    * Adobe Reader 8.2.1 and earlier versions
    * Adobe Acrobat 9.3.1 and earlier 9.x versions
    * Adobe Acrobat 8.2.1 and earlier versions


    Overview

    Adobe has released Security Bulletin APSB10-09, which describes
    multiple vulnerabilities affecting Adobe Reader and Acrobat.


    I. Description

    Adobe Security Bulletin APSB10-09 describes a number of
    vulnerabilities affecting Adobe Reader and Acrobat. These
    vulnerabilities affect Reader and Acrobat 9.3.1 and earlier 9.x
    versions, and 8.2.1 and earlier versions.

    An attacker could exploit these vulnerabilities by convincing a
    user to open a specially crafted PDF file. The Adobe Reader browser
    plug-in is available for multiple web browsers and operating
    systems, which can automatically open PDF documents hosted on a
    website.


    II. Impact

    These vulnerabilities could allow a remote attacker to execute
    arbitrary code, write arbitrary files or folders to the file
    system, escalate local privileges, or cause a denial of service on
    an affected system as the result of a user opening a malicious PDF
    document.


    III. Solution

    Update

    Adobe has released updates to address this issue. Users are
    encouraged to read Adobe Security Bulletin APSB10-09 and update
    vulnerable versions of Adobe Reader and Acrobat.

    Adobe does not offer standalone installers of Reader or Acrobat
    versions 9.3.2 or 8.2.2. For a fresh installation, first install
    Adobe Reader 9.3.0 or 8.2.0 and then use the automatic update
    feature or install the appropriate update referenced in APSB10-09.

    Disable JavaScript in Adobe Reader and Acrobat

    Disabling JavaScript may prevent some exploits from resulting in
    code execution. Acrobat JavaScript can be disabled using the
    Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable
    Acrobat JavaScript).

    Adobe provides a framework to blacklist specific JavaScript APIs. If
    JavaScript must be enabled, this feature may be useful when
    specific APIs are known to be vulnerable or used in attacks.

    Prevent Internet Explorer from automatically opening PDF documents

    The installer for Adobe Reader and Acrobat configures Internet
    Explorer to automatically open PDF files without any user
    interaction. This behavior can be reverted to a safer option that
    prompts the user by importing the following as a .REG file:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\AcroExch.Document.7]
    "EditFlags"=hex:00,00,00,00

    Disable the display of PDF documents in the web browser

    Preventing PDF documents from opening inside a web browser will
    partially mitigate this vulnerability. If this workaround is
    applied, it may also mitigate future vulnerabilities.

    To prevent PDF documents from automatically being opened in a web
    browser, do the following:

    1. Open Adobe Acrobat Reader.
    2. Open the Edit menu.
    3. Choose the Preferences option.
    4. Choose the Internet section.
    5. Uncheck the "Display PDF in browser" checkbox.

    Do not access PDF documents from untrusted sources

    Do not open unfamiliar or unexpected PDF documents, particularly
    those hosted on websites or delivered as email attachments. Please
    see Cyber Security Tip ST04-010.


    IV. References

    * Security update available for Adobe Reader and Acrobat -
    <http://www.adobe.com/support/security/bulletins/apsb10-09.html>

    * Upcoming Adobe Reader and Acrobat 9.3.2 and 8.2.2 to be Delivered
    by New Updater -

    <http://blogs.adobe.com/adobereader/2010/04/upcoming_adobe_reader_and_acro.html>

    * Adobe Reader and Acrobat JavaScript Blacklist Framework -
    <http://kb2.adobe.com/cps/504/cpsid_50431.html>

    ____________________________________________________________________

    The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA10-103C.html>
    ____________________________________________________________________


    Produced 2010 by US-CERT, a government organization.


    Revision History

    April 13, 2010: Initial release




     
    MEB, Apr 14, 2010
    #14
  15. From: "MEB" <>


    | This particular style of exploit has been around for quite sometime in
    | various forms. I have previously to advise of this style of attack.
    | Yet another party has posted the methodology and provided example coding.
    | Specially and EASILY crafted PDFs can be created to include calls to
    | external applications which are not blocked by JAVA or other
    | restrictions, yet can be run, forcing other unwanted activities [such as
    | opening IE or running commands] or exploiting other vulnerabilities
    | within other applications. This type of exploit can be used in
    | conjunction with other exploits, compounding the potential malicious
    | usage. These exploits can be modified to work within any OS, though
    | system restrictions and other security may mitigate some of the
    | potential exploits.

    | Adobe Reader and Foxit Reader are vulnerable to this style of exploit,
    | as may others. Foxit appears to be more exploitable than Adobe to this
    | particular issue.

    | Sumatra is apparently immune or doesn't support this type of exploit,
    | and others may be as well.

    | Metasploit and several other have provided other or additional styles
    | of this type of exploit.

    | REFERENCES/EXAMPLES:

    | http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
    | take particular note of the comment section for indications of how easy
    | the coding and modifications are.

    | http://www.metasploit.com/

    Adobe Acrobat and Reader updates to bring the software to v9.3.2 have been released.

    ftp://ftp.adobe.com/pub
     
    David H. Lipman, Apr 14, 2010
    #15
