Are PDF’s Worm-able?

HardOCP News

If the sheer amount of exploits in Adobe’s products over the last year hasn’t scared you off yet, then maybe a PDF attack (that doesn’t require an exploit or JavaScript to run) will. Here’s a proof of concept video for your viewing pleasure.
 
wow that's pretty awesome. maybe we should just ditch computers altogether. i don't think the abacus gets viruses.
 
Hmmm... so if I run a program on my computer, it can edit files on my computer... including inserting itself into other files.

At least I had to click OK on a big scary warning box.
 
Well, they should just have the thing it runs on the desktop.

sure pdf can have file attachments but all this is showing is that it asks to run a virus file.

running the virus on the desktop does the same thing
 
You don't need admin access to modify your own files. Without admin access it may not be able to infect the system, but it could still transmit the worm. :(

Not sure what the attack vector is but still a number of ways to mitigate the issue potentially, DEP, AV, etc. But sure a user could potentially screw up his own stuff with this kind of attack.
 
So was it Reader or the pdf that was modified? Would either of those actions trigger an AV program's heuristics?
 
Let me get this straight: For the attack to be successful, the user has to be an utter pillock, and hit the Launch/OK button when the dialog shows up?


I wonder if other PDF readers are affected, since the format is kind of standardized.
 
i open all questionable PDF's in a linux vm.. can't get any safer than that :)
 
Heck yes this is possible...
In your adobe acrobat reader:
Go to Edit - Preferences - JavaScript, and uncheck "Enable Acrobat Javascript"
 
Heck yes this is possible...
In your adobe acrobat reader:
Go to Edit - Preferences - JavaScript, and uncheck "Enable Acrobat Javascript"

Congratulations, you didn't actually watch the video. This exploit was done with JS off.
 
Meh. Most of Adobe's products ARE already infections as far as I'm concerned (photoshop excepted). :p
 
This is old news. The exploit is done by calling a "launch file" command that is mandatory under the pdf specifications. The dialog box that pops up can have its text changed to anything you want. The social engineering to get someone to click "yes" is child's play such as "Do you want to view this pdf?".
 
Let me get this straight: For the attack to be successful, the user has to be an utter pillock, and hit the Launch/OK button when the dialog shows up?

Have you taken note of all the "click ok" training that users have had over the last 15 years?
 
Definitely much worse sounding than I had initially thought.
From the followup that Vermillion linked:

I am an avid Linux user and tend to use “okular” for reading PDF files, which doesn’t support all the features many mainstream PDF rendering applications like Acrobat Reader and Foxit, so I am not too worried with regards to my own systems, but in an enterprise environment this style of attack could spell real disaster. What I would really like to see as a solution is a minimalistic version of the mainstream PDF rendering applications that do not support all these robust feature sets made available to the public. This would really help out those of us who tend to only use PDFs for reading documents and don’t require the ability to launch applications, play media files, dynamically fill-out forms, and/or utilize all the other robust features on a daily basis.

This is a very big problem and one of the novelties of PDF's - forms. Hell the government even uses PDF's for fillable forms (I've filled out W2 PDF's in the past). Since Adobe is pretty lackadaisical at bug fixes in their products (I still have issues with Acrobat 9 crashing anytime I try to open more than 1 file at a time), I would expect Foxit to be the company that goes after this exploit and tries to fix it before Adobe does.
 
Let me get this straight: For the attack to be successful, the user has to be an utter pillock, and hit the Launch/OK button when the dialog shows up?


I wonder if other PDF readers are affected, since the format is kind of standardized.

99.9 percent of computer users ARE utter pillocks though. Why do you think people fall for the fake antivirus programs and end up purchasing them? If it looks semi-legitimate, then your average computer user is going to assume it is legitimate.

Just like who reads the EULA for anything? You just click OK until the program is installed, same thing with this. People do not take the time to read anything or comprehend anything when it comes to dialog boxes on computers. :eek: :(

This is why malware is so prevalent.
 
This is old news. The exploit is done by calling a "launch file" command that is mandatory under the pdf specifications. The dialog box that pops up can have its text changed to anything you want. The social engineering to get someone to click "yes" is child's play such as "Do you want to view this pdf?".

Well, they should just have the thing it runs on the desktop.

sure pdf can have file attachments but all this is showing is that it asks to run a virus file.

running the virus on the desktop does the same thing

I think what's new is that the executed code is within the infecting pdf itself. It is not a separate file being launched. That makes this dangerous because all pdfs on your system could be subject to an incremental update to do the same... and who doesn't trust pdfs? (Well, all of us now :))

What I don't get is how this is anything like a worm. It requires a user to launch the file and click through a dialog before propagating. Sounds like an old school virus to me.

The /launch hack is just going to put pdfs into the same boat as all Office documents and macro functionality.
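
The two properties raised in the posts above, a launch action and an incremental update appended to an existing file, can both be checked before a PDF is opened. The following triage script is an added example, not code from the thread or from any PDF vendor; the sample byte strings are constructed, non-functional fragments, and the scan only sees uncompressed objects (names inside compressed object streams are not inspected).

```python
import re

# Name tokens worth flagging; /Launch is the action type discussed in the thread.
SUSPICIOUS = ("/Launch", "/OpenAction", "/AA", "/EmbeddedFile", "/JavaScript")

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so an obfuscated /L#61unch compares equal to /Launch."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count suspicious names and revisions in raw PDF bytes."""
    counts = {name: 0 for name in SUSPICIOUS}
    for m in _NAME.finditer(data):
        name = normalize_name(m.group(0))
        if name in counts:
            counts[name] += 1
    # Each saved revision ends with its own %%EOF marker.
    revisions = data.count(b"%%EOF")
    return {
        "names": counts,
        "revisions": revisions,
        "launch_action": counts["/Launch"] > 0,
        "incrementally_updated": revisions > 1,
    }

# Constructed sample: a minimal single-revision skeleton.
CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Constructed sample: the same file with a second revision appended that
# redefines the catalog and adds an action whose type name is hex-escaped.
# The action dictionary has no target, so it does nothing if opened.
UPDATED = CLEAN + (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\n"
                   b"endobj\n5 0 obj\n<< /Type /Action /S /L#61unch >>\nendobj\n"
                   b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("updated", UPDATED)):
        print(label, triage_pdf(blob))
```

A hit on `launch_action` is a reason to quarantine or open the file in a viewer with launch actions disabled; `incrementally_updated` alone is common in legitimately edited or signed PDFs and is only a signal when combined with the other flags.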
 
99.9 percent of computer users ARE utter pillocks though. Why do you think people fall for the fake antivirus programs and end up purchasing them? If it looks semi-legitimate, then your average computer user is going to assume it is legitimate.

The problem here is that I think the best way to make this better would be to DECREASE the amount of times that a user needs to grant privileges. If only serious and important things needed to be approved people would pay more attention. Downloading and approving Android apps or allowing execution in Vista/7 become routine too quickly and it would be hard to devote a ton of time and attention to each one. It certainly would help if agreements were standardized so that people know which option will do what without the chance of being tricked (Do you not want to not install this if so click Cancel) and EULA's were done away with or be forced to be written in clear and concise language.
 
Actually what's funny also is that in the wikipedia article they also confuse viruses with worms so whatever.
 
Just noticed a new Foxit version out.
http://filehippo.com/download_foxit/changelog/
# Bug Fixes:

- Fixed a security issue that Foxit Reader runs an executable embedded program inside a PDF automatically without asking for user’s permission.

I wonder if that (somewhat) fixes the exploit that was used with Reader in that video. (assuming someone would not knowingly click to allow the exe to run)
 
Just noticed a new Foxit version out.
http://filehippo.com/download_foxit/changelog/


I wonder if that (somewhat) fixes the exploit that was used with Reader in that video. (assuming someone would not knowingly click to allow the exe to run)

Nope, all it fixes was Foxit was running the exe without even displaying the pop-up shown in the video. Now it shows the same type of pop-up, but will still happily run the exe after the user inevitably clicks yes.
 