Re: [Full-disclosure] Backdooring PDF Files

2006-09-16 Thread Bipin Gautam
Looks to me like it's a flaw in the PLUG-IN, not the Acrobat Reader
itself. Here the plugin should be disabled for the "URI" action.

Go to your folder   ProgramFileDir\Adobe\Acrobat ver\Reader\plug_ins\
& only leave the PLUGINS that are ONLY FREQUENTLY USED BY U (or
request a program action within the program)

Which in my case, I only have the plugins,

EWH32.api
Search*.api

Rest of the plugins: move them to another folder (say:
ProgramFileDir\Adobe\Acrobat ver\plug_ins_disabled\ )

Acrobat has grown from just a reader into something BIG
with lots of attack vectors, and has been for ages now.

best security practices ?
-bipin

On 9/13/06, David Kierznowski <[EMAIL PROTECTED]> wrote:
> Recently, there has been a lot of hype involving backdooring various
> web technologies. pdp (architect) has done a lot of work centered around
> this area.
>
> I saw Jeremiah Grossman mention PDFs being "BAD", however, I was
> unable to easily locate any practical reasons as to why. I decided to
> investigate this a little further.
>
> This article discusses two possible backdoor techniques for Adobe
> Acrobat Reader and Professional. It includes proof of concept code and
> backdoored PDF documents.
>
> The article can be found here:
> http://michaeldaw.org/
>


-- 

Bipin Gautam
http://bipin.tk

Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is possibility of direct,
indirect or consequential communication between the two...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
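An added example, not a script from Bipin or from Adobe, that applies the allow-list approach above mechanically: every `.api` file in the Reader plug_ins folder that does not match a keep pattern is moved into a sibling plug_ins_disabled folder, with a dry run first so the operator sees what would change. The folder paths are passed in rather than guessed (the thread gives only a placeholder path); in the demo, the plug-in file names other than EWH32.api and Search*.api are assumed names used to exercise the logic, and the whole demo runs in a temporary directory, not against a real install.

```python
import fnmatch
import shutil
from pathlib import Path

# Allow-list from the post: keep EWH32.api and the Search*.api family enabled.
KEEP_PATTERNS = ("EWH32.api", "Search*.api")


def partition_plugins(plugin_dir: Path, keep_patterns=KEEP_PATTERNS):
    """Split the .api files in plugin_dir into (kept, to_disable), by glob match."""
    kept, to_disable = [], []
    for p in sorted(plugin_dir.glob("*.api")):
        # Windows file names are case-insensitive; compare lower-cased on every OS.
        if any(fnmatch.fnmatch(p.name.lower(), pat.lower()) for pat in keep_patterns):
            kept.append(p)
        else:
            to_disable.append(p)
    return kept, to_disable


def disable_plugins(plugin_dir: Path, disabled_dir: Path,
                    keep_patterns=KEEP_PATTERNS, dry_run=True):
    """Move non-allow-listed plug-ins into disabled_dir.

    Returns the file names moved (or, in dry_run mode, that would be moved).
    Refuses to overwrite a file already parked in disabled_dir, so a second run
    cannot silently clobber an earlier copy.
    """
    _, to_disable = partition_plugins(plugin_dir, keep_patterns)
    moved = []
    for p in to_disable:
        dest = disabled_dir / p.name
        if dest.exists():
            raise FileExistsError(f"refusing to overwrite {dest}")
        if not dry_run:
            disabled_dir.mkdir(parents=True, exist_ok=True)
            shutil.move(str(p), str(dest))
        moved.append(p.name)
    return moved


def demo() -> dict:
    """Exercise the allow-list against a constructed plug_ins folder in a temp dir."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plug_ins = root / "plug_ins"
        plug_ins.mkdir()
        # Constructed file set. Weblink.api, EScript.api and Annots.api are assumed
        # names standing in for the web-link, JavaScript and annotation plug-ins;
        # they are not values taken from the thread.
        for name in ("EWH32.api", "Search5.api", "Weblink.api", "EScript.api", "Annots.api"):
            (plug_ins / name).write_bytes(b"")
        disabled = root / "plug_ins_disabled"
        planned = disable_plugins(plug_ins, disabled, dry_run=True)
        after_dry_run = sorted(p.name for p in plug_ins.glob("*.api"))
        moved = disable_plugins(plug_ins, disabled, dry_run=False)
        return {
            "planned": planned,
            "moved": moved,
            "untouched_by_dry_run": after_dry_run,
            "remaining": sorted(p.name for p in plug_ins.glob("*.api")),
            "parked": sorted(p.name for p in disabled.glob("*.api")),
        }


if __name__ == "__main__":
    # Real use: disable_plugins(Path(r"<ProgramFileDir>\Adobe\Acrobat ver\Reader\plug_ins"),
    #                           Path(r"<ProgramFileDir>\Adobe\Acrobat ver\plug_ins_disabled"),
    #                           dry_run=False)
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Moving the files rather than deleting them keeps the change reversible, which matters because the allow-list is per user: a plug-in that is unused on one machine (forms, multimedia, web link handling) may be required on another, and the dry run shows which names would go before anything changes.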


Re: [Full-disclosure] Backdooring PDF Files

2006-09-15 Thread Greg Bur
On 9/14/06, fit happy <[EMAIL PROTECTED]> wrote:
> It really takes effect in my virtual machine:
> xp sp2+pdf reader version 7.0.1.2005030700

Using the evince reader on Linux, the link opens within evince itself rather than launching a new browser.


Re: [Full-disclosure] Backdooring PDF Files

2006-09-14 Thread Stan Bubrouski
On 9/14/06, Hugo Francisco González Robledo <[EMAIL PROTECTED]> wrote:
> I think it depends on the context.
>
> Example 1 (backdoored1.pdf) :
>
> On Ubuntu Linux with Adobe Reader 7.0.1 it opens the web page in
> mozilla-firefox without warning.
>

On FC5 with Acrobat Reader 7.0.8 it opens the page in firefox without
warning as well.

-sb



Re: [Full-disclosure] Backdooring PDF Files

2006-09-14 Thread Hugo Francisco González Robledo
I think it depends on the context.

Example 1 (backdoored1.pdf) :

On Ubuntu Linux with Adobe Reader 7.0.1 it opens the web page in
mozilla-firefox without warning.

On Windows XP sp2 with Adobe Reader 7.0.8 it shows a warning about opening the
URL.

Example 2 (backdoored2.pdf) :

On Ubuntu Linux and Windows XP sp2 it apparently does nothing.

So it could be possible to make multi-target attacks :)

But other viewers like evince or xpdf show no effect :(

Regards!

On Wed, Sep 13, 2006 at 11:06:55PM +0300, Juha-Matti Laurio wrote:
> Proof of Concept for example 1 (backdoored1.pdf) opened with Adobe Reader 
> 7.0.8
> (i.e. no browser plug-in used) issued a Security Warning dialog box:
> 
> "The document is trying to connect to the site:
> http://www.google.com/owned.html
> 
> If you trust the site click "Allow", otherwise click "Block"."
> 
> Option Remember my action is in use as well.
> 
> When clicking "Allow" this Google page was opened in MSIE (in fact FF is my 
> default browser, however).
> 
> Am I missing something related to differences between Reader plug-in and 
> Reader application?
> 
> - Juha-Matti
> 
> 
> David Kierznowski <[EMAIL PROTECTED]> wrote: 
> >
> >Recently, there has been a lot of hype involving backdooring various
> >web technologies. pdp (architect) has done a lot of work centered around
> >this area.
> >
> >I saw Jeremiah Grossman mention PDFs being "BAD", however, I was
> >unable to easily locate any practical reasons as to why. I decided to
> >investigate this a little further.
> >
> >This article discusses two possible backdoor techniques for Adobe
> >Acrobat Reader and Professional. It includes proof of concept code and
> >backdoored PDF documents.
> >
> >The article can be found here:
> >http://michaeldaw.org/
> >

-- 
Hugo Francisco González Robledo
Instituto Tecnológico de San Luis Potosí

Public key at http://www.honeynet.org.mx
Public key at http://ardilla.zapto.org

Ask Google Earth where I am:
http://ardilla.zapto.org/ubicaHugo.kml

---
Education is what remains after one has forgotten
what one learned in school.
Albert Einstein
---



Re: [Full-disclosure] Backdooring PDF Files

2006-09-14 Thread Dude VanWinkle
On 9/14/06, Geo. <[EMAIL PROTECTED]> wrote:
> > POC did nothing for my Foxit PDF reader. No www-page was opened and no
> > script was executed. Maybe you folks should just dump the clumsy and
> > insecure Acrobat Reader and move onto something better for reading .pdf
> > documents? ;)
>
> Good suggestion but foxit doesn't allow typing into pdf form fields.
>
> Geo. (I'd use it if it weren't for that shortcoming)


Have you tried GhostScript and GhostView?

http://www.cs.wisc.edu/~ghost/

-JP



Re: [Full-disclosure] Backdooring PDF Files

2006-09-14 Thread Geo.
> POC did nothing for my Foxit PDF reader. No www-page was opened and no 
> script was executed. Maybe you folks should just dump the clumsy and 
> insecure Acrobat Reader and move onto something better for reading .pdf 
> documents? ;)

Good suggestion but foxit doesn't allow typing into pdf form fields.

Geo. (I'd use it if it weren't for that shortcoming)



Re: [Full-disclosure] Backdooring PDF Files

2006-09-13 Thread pdp (architect)

I have tested both of the examples and no warning boxes are showing.
It seems that everybody is getting different results. Interesting!

On 9/13/06, Juha-Matti Laurio <[EMAIL PROTECTED]> wrote:

Proof of Concept for example 1 (backdoored1.pdf) opened with Adobe Reader 7.0.8
(i.e. no browser plug-in used) issued a Security Warning dialog box:

"The document is trying to connect to the site:
http://www.google.com/owned.html

If you trust the site click "Allow", otherwise click "Block"."

Option Remember my action is in use as well.

When clicking "Allow" this Google page was opened in MSIE (in fact FF is my 
default browser, however).

Am I missing something related to differences between Reader plug-in and Reader 
application?

- Juha-Matti


David Kierznowski <[EMAIL PROTECTED]> wrote:
>
> Recently, there has been a lot of hype involving backdooring various
> web technologies. pdp (architect) has done a lot of work centered around
> this area.
>
> I saw Jeremiah Grossman mention PDFs being "BAD", however, I was
> unable to easily locate any practical reasons as to why. I decided to
> investigate this a little further.
>
> This article discusses two possible backdoor techniques for Adobe
> Acrobat Reader and Professional. It includes proof of concept code and
> backdoored PDF documents.
>
> The article can be found here:
> http://michaeldaw.org/
>
--
pdp (architect)
http://www.gnucitizen.org



Re: [Full-disclosure] Backdooring PDF Files

2006-09-13 Thread David Kierznowski

I installed 7.0.8 (latest version) for testing.

If the document is loaded from the browser you receive no warning.
v7.0.8 seems to warn the user if the document is loaded from the
desktop.

I think this has to do with different Adobe contexts.

--
David Kierznowski

On 13/09/06, pdp (architect) <[EMAIL PROTECTED]> wrote:

I have tested both of the examples and no warning boxes are showing.
It seems that everybody is getting different results. Interesting!

On 9/13/06, Juha-Matti Laurio <[EMAIL PROTECTED]> wrote:
> Proof of Concept for example 1 (backdoored1.pdf) opened with Adobe Reader 7.0.8
> (i.e. no browser plug-in used) issued a Security Warning dialog box:
>
> "The document is trying to connect to the site:
> http://www.google.com/owned.html
>
> If you trust the site click "Allow", otherwise click "Block"."
>
> Option Remember my action is in use as well.
>
> When clicking "Allow" this Google page was opened in MSIE (in fact FF is my
> default browser, however).
>
> Am I missing something related to differences between Reader plug-in and
> Reader application?
>
> - Juha-Matti
>
>
> David Kierznowski <[EMAIL PROTECTED]> wrote:
> >
> > Recently, there has been a lot of hype involving backdooring various
> > web technologies. pdp (architect) has done a lot of work centered around
> > this area.
> >
> > I saw Jeremiah Grossman mention PDFs being "BAD", however, I was
> > unable to easily locate any practical reasons as to why. I decided to
> > investigate this a little further.
> >
> > This article discusses two possible backdoor techniques for Adobe
> > Acrobat Reader and Professional. It includes proof of concept code and
> > backdoored PDF documents.
> >
> > The article can be found here:
> > http://michaeldaw.org/
> >


--
pdp (architect)
http://www.gnucitizen.org





Re: [Full-disclosure] Backdooring PDF Files

2006-09-13 Thread Juha-Matti Laurio

It is always possible to check the installed Acrobat plug-in with the following 
test URL:

http://gemal.dk/browserspy/acrobat.html
(FF and MSIE)

The following command works only in Gecko-based browsers:

about:plugins


- Juha-Matti



Re: [Full-disclosure] Backdooring PDF Files

2006-09-13 Thread Juha-Matti Laurio

Yes, the first example opens MSIE without any user interaction when visiting 
your PoC link with Firefox 1.5.0.6.
This issue is more serious due to recent unpatched issues and public exploits 
in IE.

- Juha-Matti


David Kierznowski <[EMAIL PROTECTED]> wrote: 


I installed 7.0.8 (latest version) for testing.

If the document is loaded from the browser you receive no warning.
v7.0.8 seems to warn the user if the document is loaded from the
desktop.

I think this has to do with different Adobe contexts.

--
David Kierznowski

On 13/09/06, pdp (architect) <[EMAIL PROTECTED]> wrote:
> I have tested both of the examples and no warning boxes are showing.
> It seems that everybody is getting different results. Interesting!
>
> On 9/13/06, Juha-Matti Laurio <[EMAIL PROTECTED]> wrote:
> > Proof of Concept for example 1 (backdoored1.pdf) opened with Adobe Reader 7.0.8
> > (i.e. no browser plug-in used) issued a Security Warning dialog box:
> >
> > "The document is trying to connect to the site:
> > http://www.google.com/owned.html
> >
> > If you trust the site click "Allow", otherwise click "Block"."
> >
> > Option Remember my action is in use as well.
> >
> > When clicking "Allow" this Google page was opened in MSIE (in fact FF is my
> > default browser, however).
> >
> > Am I missing something related to differences between Reader plug-in and
> > Reader application?
> >
> > - Juha-Matti
> >
> >
> > David Kierznowski <[EMAIL PROTECTED]> wrote:
> > >
> > > Recently, there has been a lot of hype involving backdooring various
> > > web technologies. pdp (architect) has done a lot of work centered around
> > > this area.
> > >
> > > I saw Jeremiah Grossman mention PDFs being "BAD", however, I was
> > > unable to easily locate any practical reasons as to why. I decided to
> > > investigate this a little further.
> > >
> > > This article discusses two possible backdoor techniques for Adobe
> > > Acrobat Reader and Professional. It includes proof of concept code and
> > > backdoored PDF documents.
> > >
> > > The article can be found here:
> > > http://michaeldaw.org/
> > >
>
>
> --
> pdp (architect)
> http://www.gnucitizen.org




Re: [Full-disclosure] Backdooring PDF Files

2006-09-13 Thread Juha-Matti Laurio

Proof of Concept for example 1 (backdoored1.pdf) opened with Adobe Reader 7.0.8
(i.e. no browser plug-in used) issued a Security Warning dialog box:

"The document is trying to connect to the site:
http://www.google.com/owned.html

If you trust the site click "Allow", otherwise click "Block"."

Option Remember my action is in use as well.

When clicking "Allow" this Google page was opened in MSIE (in fact FF is my 
default browser, however).

Am I missing something related to differences between Reader plug-in and Reader 
application?

- Juha-Matti


David Kierznowski <[EMAIL PROTECTED]> wrote: 


Recently, there has been a lot of hype involving backdooring various
web technologies. pdp (architect) has done a lot of work centered around
this area.

I saw Jeremiah Grossman mention PDFs being "BAD", however, I was
unable to easily locate any practical reasons as to why. I decided to
investigate this a little further.

This article discusses two possible backdoor techniques for Adobe
Acrobat Reader and Professional. It includes proof of concept code and
backdoored PDF documents.

The article can be found here:
http://michaeldaw.org/



[Full-disclosure] Backdooring PDF Files

2006-09-13 Thread David Kierznowski

Recently, there has been a lot of hype involving backdooring various
web technologies. pdp (architect) has done a lot of work centered around
this area.

I saw Jeremiah Grossman mention PDFs being "BAD", however, I was
unable to easily locate any practical reasons as to why. I decided to
investigate this a little further.

This article discusses two possible backdoor techniques for Adobe
Acrobat Reader and Professional. It includes proof of concept code and
backdoored PDF documents.

The article can be found here:
http://michaeldaw.org/

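The behaviour reported throughout the thread (a document that, on open, makes the reader connect to a site, with or without the Security Warning dialog depending on reader version and whether it was loaded in the browser) comes from PDF action dictionaries, so the first thing a defender wants is a way to see them before a reader runs them. The following Python scanner is an added example, not code from the thread or from the michaeldaw.org article: it walks the uncompressed object syntax of a PDF, records which action-related keys appear in which object, and pulls out literal `/URI` targets, reporting whether an action fires automatically (`/OpenAction` or `/AA`) or only on a click. The two PDFs embedded below are constructed for the demo, and the target host is a reserved example name; the scanner does not inflate compressed object streams, so a clean result means only that nothing is visible in plain text.

```python
import re

# Name keys that let a document act on its own (OpenAction, AA) or send the
# reader elsewhere / run code (URI, Launch, JavaScript, JS, SubmitForm, GoToR,
# ImportData). The negative lookahead stops "/AA" matching a longer name.
ACTION_KEY_RE = re.compile(
    rb"/(OpenAction|AA|URI|Launch|JavaScript|JS|SubmitForm|GoToR|ImportData)(?![A-Za-z])"
)
# One indirect object: "N G obj ... endobj" (non-greedy so objects do not merge).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Literal-string form of a URI action target: /URI (http://...)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def scan_pdf(data: bytes) -> dict:
    """Summarise action dictionaries visible in a raw PDF byte string.

    Returns {"auto": bool, "keys": [...], "uris": [...], "objects": {num: [keys]}}.
    Plain-text scan only: /ObjStm object streams and filtered content are not
    decoded, so absence of findings is not proof of absence.
    """
    objects = {}
    uris = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        keys = sorted({k.decode() for k in ACTION_KEY_RE.findall(body)})
        if keys:
            objects[num] = keys
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(body))
    all_keys = sorted({k for ks in objects.values() for k in ks})
    # /OpenAction runs when the file is opened; /AA (additional actions) runs on
    # page open/close or form events. Either means no click is needed.
    auto = any(k in all_keys for k in ("OpenAction", "AA"))
    return {"auto": auto, "keys": all_keys, "uris": uris, "objects": objects}


def verdict(data: bytes) -> str:
    """One-line triage string for a scanned document."""
    r = scan_pdf(data)
    if r["auto"] and r["uris"]:
        return "auto-open URI: " + ", ".join(r["uris"])
    if r["auto"]:
        return "automatic action present"
    if r["keys"]:
        return "actions present (user-triggered)"
    return "no actions found"


# Constructed sample: a one-page PDF whose catalog carries an /OpenAction that
# points at a URI action. The host is a reserved example name, not a real site.
BACKDOORED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /URI /URI (http://example.invalid/owned.html) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document with no action dictionary at all.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, blob in (("backdoored", BACKDOORED_PDF), ("plain", PLAIN_PDF)):
        print(f"{name}: {verdict(blob)}")
```

Run against a real file with `verdict(open(path, "rb").read())`. The useful output is not the bare presence of `/URI` (ordinary hyperlinks use it too) but the pairing of an automatic trigger with a remote target, which is exactly the combination the posters above saw open a browser with no click; anything that triggers on open deserves a look regardless of what the reader's dialog does in a given context.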