Friday, 9 April 2010

Unpatchable PDF hack

A Belgian researcher, Didier Stevens, has published an "unpatchable" PDF hack.
On most security-related websites this hack has been reported as an unpatchable PDF vulnerability, as if the PDF format contained a hole that cannot be fixed. Claiming that an unpatchable vulnerability is possible in any file format is of course a myth: delete the software and the vulnerability is fixed...
Anyway, the hack is interesting in itself because Foxit Reader launches the application without any warning, whereas Adobe's own reader pops up a warning.
And since most PDF users belong to the "OK"-click generation, this provides great opportunities for ill-willed people.
Didier himself did not publish a proof of concept that combines the launch action with an embedded executable; instead he only showed a proof of concept of the launch action. Taking a closer look at this proof of concept and Didier's explanation, it will not be that hard to make use of this hack. Below is an image of the proof-of-concept PDF file with the launch action and the cmd.exe executable highlighted. Basically you only have to find out how to embed an executable in a PDF file and then launch it. Of course, hex-editing the cmd.exe string in the PoC file makes it possible to launch any application you want.
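From the defender's side, the thing to look for in incoming PDFs is exactly the pair described above: a /Launch action and /EmbeddedFile objects. The triage script below is an added example, not Didier Stevens' code or his PoC; the embedded PDF fragment is constructed for the test and only mimics the /Launch-to-cmd.exe shape the post describes. It resolves the #xx hex escapes that the PDF name syntax allows, so a naive search for the literal "/Launch" is not fooled by an escaped spelling.

```python
import re

# Constructed sample (not the original PoC): a minimal PDF whose OpenAction
# is a /Launch action pointing at cmd.exe, as on the page.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (e.g. /La#75nch -> /Launch).
    Used only for matching; the original bytes are never rewritten."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def find_launch_actions(pdf: bytes) -> list[tuple[int, str]]:
    """Return (object number, launch target) for every /Launch action object."""
    hits = []
    for m in OBJ_RE.finditer(normalize_names(pdf)):
        body = m.group(3)
        if not LAUNCH_RE.search(body):
            continue
        f = FILE_RE.search(body)
        target = f.group(1).decode("latin-1") if f else "<unspecified>"
        hits.append((int(m.group(1)), target))
    return hits


def count_embedded_files(pdf: bytes) -> int:
    """Number of /EmbeddedFile objects (a candidate payload carrier)."""
    return len(EMBEDDED_RE.findall(normalize_names(pdf)))


def triage(pdf: bytes) -> dict:
    """Summarise the two indicators; a launch action alone already merits a block."""
    launches = find_launch_actions(pdf)
    return {"launch_actions": launches,
            "embedded_files": count_embedded_files(pdf),
            "suspicious": bool(launches)}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```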