Booby-trapping a PDF File
EDITED TO ADD (5/13): More info.
EDITED TO ADD (5/13): More info.
Shane • April 22, 2010 2:01 PM
@Dan
From the article (dated March 31st 2010): “Upon hearing of a possible security concern, [FoxIT] development team went to work and a resolution was determined in less than 24 hours and an updated version of the Foxit Reader will be made public in the next 72 hours.”
Looks like they were true to their word.
Shane • April 22, 2010 2:10 PM
Although I think we’d all agree that prompting the user isn’t the most ingenious resolution for this exploit.
This, and nearly all other vulnerabilities in PDF, are really just an obvious side-effect of function creep.
PDF – Portable Document Format, used to maintain typesetting / print layouts across multiple platforms independent of installed fonts / formatting chars / printers / etc.
Why on earth you can embed full on mp3s, movies, etc inside of them and run executable code is completely beyond me, and IMHO, absolutely unnecessary and detrimental.
Ron Helwig • April 22, 2010 2:28 PM
PDFs (Proprietary Document Format) are a huge FU to the readers, and I wish people would stop using them. They are designed for a print-based world that is no longer useful.
Its like making e-readers that flip pages, as if people read “pages” instead of paragraphs. Pages are an artifact of the physical reality of the book form, and are totally inappropriate for e-readers.
AlanS • April 22, 2010 2:58 PM
@Ron Helwig
PDF actually stands for Perilously Dangerous Format.
@Bruce
Isn’t this stuff really old news?
FYI: Alternative readers that don’t support a lot of the dangerous features allowed for by the PDF specs are listed here: http://pdfreaders.org/
Chris S • April 22, 2010 3:03 PM
PDF has its drawbacks – some of which could be resolved by requiring PDF/A – PDF for archiving.
http://en.wikipedia.org/wiki/PDF/A
As a long term archiving format, it does not allow audio, video, javascript or executables.
If our readers had an option “warn of functionality greater than PDF/A”, it would be a handy shortcut to enforce the safer version.
uk visa • April 22, 2010 3:06 PM
I think Shane makes a completely valid point re. the embedding of unnecessary formats in pdfs.
Playing music or movies from within pdfs is simply not required.
Tim • April 22, 2010 3:13 PM
Haha, he’s keeping the technique ‘secret’. The PDF that starts cmd.exe has this object in it:
8 0 obj
<<
/Type /Action
/S /Launch
/Win
<<
/F (cmd.exe)
>
>
endobj
Clearly his modification of the dialog text is just adding newlines in the command so that the actual ‘cmd.exe’ is pushed up out of view.
The rest of the technique probably involves prepending a small exe to the front of the PDF (PDFs are read from the end). This exe can then find and execute the main one which is embedded as a comment in the PDF.
Tim • April 22, 2010 3:15 PM
Ok, that didn’t work. Object should have been:
8 0 obj
[[
/Type /Action
/S /Launch
/Win
[[
/F (cmd.exe)
]]
]]
endobj
But with angle brackets instead of square ones.
Disco Tech • April 22, 2010 3:18 PM
They need to add fog and strobe lights to secure those pdfs!
AlanS • April 22, 2010 3:55 PM
Here’s a blog post that discusses malicious PDFs using this ‘feature’:
http://www.sophos.com/blogs/sophoslabs/?p=9413
Nick P • April 22, 2010 4:00 PM
@ Chris
I was also looking into PDF/A for a safer alternative. Although, I think it’s more restrictive than necessary for non-archival applications. We could allow hyperlinks, maybe a very restricted form of scripting [non-hyperlink] elements within the document, and allow non-embedded fonts. If we can’t replace PDF, then such a restricted subset would be a nice compromise. We could also build tools that strip regular PDF’s of dangerous functionality in a robust way.
I settled on subsetting due to my experience earlier today. I was googling for alternatives to PDF that weren’t so permissive in nature and maybe easy to parse. I was specifically looking for sites talking about replacing PDF for security purposes. In five or ten minutes of searching, I found nothing. That’s not a good sign. The only thing people were talking about were formats like PDF/A or alternative readers of regular, insecure PDF specification. Imho, standardization on PDF is just another loss for IT security…
Btw, people looking into alternative readers or learning about PDF to build a secure reader might want to check out SumatraPDF. It’s a very lightweight, minimalist, standalone PDF reader. This thing loads and moves FAST!
A lot of the “feature creep” in PDF is necessary for particular use cases. Audio and video embedding, for instance, are essential if you want to use PDF for presentation slides that include demos (and let me tell you, that has saved my ass more than once). Javascript goes nicely with the form-filling mechanism — if the (US) IRS were less interested in funnelling money to third-party vendors, they could produce smart tax forms that do everything TurboTax (e.g.) does.
Where PDF goes wrong (imo) is in not having recognized that they needed to adopt the entire web security model. HTML still has even more scriptability than PDF, and yet your web browser manages not to be the cesspit of security holes that Acrobat does … because web browser authors knew to pay attention to this stuff from eight o’clock, day one.
BF Skinner • April 22, 2010 6:15 PM
Well sure pr0n. Doesn’t matter what format you put it in…you’ll get a social disease.
Henning Makholm • April 22, 2010 6:55 PM
Hey, I’ve got a social disease!
Jay • April 22, 2010 7:35 PM
Zack, why would you want to use .PDF to do presentation slides?
Half the problem here is that PDF started out as a ‘safe’ document format – safer than .DOC, with its myriad macros, anyway. That Adobe added scripting, audio, video, and embedded executables violates the ‘principle of least surprise’…
If you asked a stereotypical office user how to embed video into a .PDF, they would most likely say “But why would you want to? That’s what Powerpoint is for!”… and – given we have to design our security models on them – they would be right!
Thomas • April 22, 2010 7:36 PM
@ Zack
“””because web browser authors knew to pay attention to this stuff from eight o’clock, day one.”””
I assume you mean 8 pm?
Web browsers were a “cesspit of security holes”, just as (some/most/many) PDF readers are now, and for precisely the same reason: ‘usability’ trumps ‘security’.
The desire to compete with PowerPoint and Word, which requires adding all sorts of features, has turned PDF from “a really good way to store documents because it’s safe and WYSISWG” to “just another disaster waiting to happen. again.”
I guess it’s back to plain ASCII…
no.windows • April 22, 2010 10:53 PM
@Jay
Although we’re in the minority, there are some of us who do not use powerpoint (or its clones) and don’t want to. PDF is a good option for slides in that situation.
FrancesC • April 23, 2010 12:11 AM
I was infected with one of the blackmailing “security” programs from a pdf file that automatically opened in Foxit Reader. My husband managed to cripple it and then we found an article from Microsoft that gave us the info on how to get rid of it.
Winter • April 23, 2010 1:29 AM
@Jay
“Zack, why would you want to use .PDF to do presentation slides?”
Never used LaTeX Beamer to create a presentation? I can churn out a perfect slide a minute on Beamer if I know what I want to say (more if I had time to think about it). And all slides look terrific with real LaTeX polish.
PDF presentations work on any platform without dropping all the special fonts. You know, all airplanes and devil heads where your text or formula was.
Powerpoint is not available on Linux. OO.o often not available on “presenting” computers. And powerpoint will mess up the layout of your slides on EVERY computer you did not test it on.
Winter
Nick P • April 23, 2010 2:07 AM
@ Winter and Zack
So, we have people that like to use PDF’s way out of their original scope and we have reasons not to use PowerPoint. I’m still not seeing a reason to put all this risky functionality in what’s been advertised as a good document format to replace “proprietary” or “risky” formats as PDF proponents have said in the past. I don’t see why we can’t support two formats: one a little stronger than PDF/A and one more like modern PDF. That way we could use the simpler one when trust was an issue & interoperability was still essential.
@ Thomas
Good point on the browser. When I read that part of Zack’s post, I was thinking: “what the hell is he talking about? haven’t browsers been the greatest source of compromises over the past few years?” Last thing we need is another browser. (read: modern PDF’s)
Plain ASCII, RTF, or a watered-down version of HTML are actually what I use for long-term, security-oriented document storage. I don’t remember the last time I though: “Oh man, this document is an RTF file. Should I open it!?” Most recent memory went more like this: “The RTF version is only 8KB!? The Word document was originally 150K!” And that was before compression. I still love many “obsolete” standards. I remember when I used RTF exclusively to send drafts to my team in college. They looked at the size of the first one and told me they wouldn’t even bother reading such an empty document. It took some convincing that Word was just “that bloated” before they opened it. Still get a laugh out of that. 🙂
vwm • April 23, 2010 3:47 AM
Guys, if you do not want your PDF to start Attachments, turn it off.
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals
Name: bAllowOpenFile
Type: REG_DWORD
Data: 0
BF Skinner • April 23, 2010 6:43 AM
At the Storm Center Johannes published a diary entry ( http://isc.sans.org/diary.html?storyid=8545 ) about PDFs arbitrary code execution and then said that Didier Stevens was THE brain on the subject.
joe • April 23, 2010 6:49 AM
The problem is that too many people want to use a particular format for everything. PDF gets popular as a secure document format, and as it gets more popular it attracts more users who are not as interested in security. These uses (customers) push the supplier to add feature creep.
I just wish Adobe made it simple to turn off all the advanced functions. I seem to be able to disable Javascript and attachments that run external files. Maybe that will be enough.
Oh, just realized I’m using Acrobat not Acrobat Reader, so maybe Reader doesn’t allow you to disable functions.
Peter Venkman • April 23, 2010 6:59 AM
@Ron Helwing ” designed for a print-based world that is no longer useful.”
Okay Igon. Been hearing that since Guttenberg invented the thing.
This isn’t even mostly true. Although there is more and more information being committed to electronic forms the advantage to not losing access to your words just because your battery dies and you’re over nine feet away from a power socket is not neglible.
Too Have you ever spent an hour reading hard copy and an hour reading off your monitor? Which left you more tired. Likely the monitor. The active screen is more taxing to our eyes than a book which passively reflects ambiant light.
Finally and, to my mind, most important. Centuries of practice have helped define the art of making things readable and legible. And it’s translatable to electronic forms. Why do fonts have little serif widgets on the top and bottom of each letter? It makes it readable. Why don’t we see that in good websites (because sans serifs are easier to read there). How many times have you seen a website with yellow lettering against a light blue background? Yuck. I’m all for experimentation but the unuseful print world realized long ago that that combination should be used rarely, very rarely.
Ali • April 23, 2010 9:33 AM
Zawinski’s Law:
“Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.”
Shane • April 23, 2010 11:42 AM
@Zack
“A lot of the “feature creep” in PDF is necessary for particular use cases.”
Simply because people wish to use things in ways other than they were intended does not make the integration of those misuses as features ‘necessary’.
Just because Johnny Numbnuts and his buddies want to plow their driveways with their Prius’, doesn’t mean that every Prius should come standard with a front-mounted shovel and tire chains that cannot be removed by the consumer.
“Where PDF goes wrong (imo) is in not having recognized that they needed to adopt the entire web security model.”
No, where PDF went wrong was in its attempt to be an encapsulated, proprietary alternative to HTML, instead of sticking to what it was relatively good at, which was being a portable document format.
When you start having to rethink the entire codebase to fit in a set of features that never really needed to be there in the first place, it’s time to write a new application with the intended scope in mind from the start.
John Campbell • April 23, 2010 2:17 PM
@Peter Venkman
“Okay Igon. Been hearing that since Guttenberg invented the thing.”
Gutenberg. Guttenberg is a not particularly talented actor.
“Perhaps we should publish this in PDF…”
“Why?”
“We can do more damage that way.”
Roger • April 24, 2010 1:00 AM
I think Acrobat became slow and buggy enough for me to start hating PDF somewhere around 2002. Anyway, that was about when I uninstalled it. Nowadays when I google for something and find a PDF, I either check Google’s de-PDFed version, or skip it altogether.
Quite simply, no-one has time to keep loading and unloading PDF files when skimming the web for information. If you used robots.txt to stop Google from doing a cached, non-PDF version, then it’s “Goodbye, I’ll try your competitors instead.”
Now, if Google’s cached version shows me that it really is something I am looking for and need to keep, then I will download it — but I open it in GSView, which is really a Postscript reader. I have GSView so I can read academic papers in Postscript format, but it also opens PDF — much faster than any Adobe product, and without all the bells, whistles and crap.
But I have a much greater hatred of PDF than simply that it is an inappropriate web publishing format. What I REALLY hate is that very often it reflects a corporate obsession of form over substance, even to the point of massive waste. It represents the mindset that really does believe that it is important for your document to look exactly the same, every time it is printed.
This is actually true, for some things. Legal contracts, perhaps. Bar coded tickets, probably. Maybe great works of art.
It is NOT true for inter-office memos, leave applications, project proposals, technical reports, or even — dare I say it?!? — presentations.
Need to submit a form? Well it doesn’t matter if all the fields are copy-and-pasted from some other doc and some don’t even make sense, you used the correct form, so you’re golden. Writing a new business case? Sure, just spend 2 days making sure the formatting is just like the one in the examples (PDFed, of course, so this time you can’t easily just use it as a template), and 30 minutes thinking about whether or not this proposal actually makes business sense. Or you could spend the 2 days actually thinking about the project and send it in as plain text email, but then some jerk will reply “Wall of text!! TLDR !!*”
greg • April 25, 2010 4:09 AM
The bulk of my work is on PDF. The papers i download. Even when i submit papers for review. Its either ascii or pdf. A fringe outside is ps.
PDF is not quite the security problem everyone makes out if you use 3rd party readers etc, since they generally don’t support any of these fancy features. And you can still make nice presentations without these features. I use it for all my lectures and talks.
But as for slow? Compared to word or OO? I don’t think so.
Clive Robinson • April 25, 2010 8:09 AM
@ greg,
“But as for slow? Compared to word or OO? I don’t think so.”
Depends, use the fancy PDF features and you can get a one legged dog…
Likewise with MS Word and OOo.
Me I stick with MS Office 97 and RTF when I need anything other than ASCII text files I need to send to someone.
Even though MS keep changing RTF it is still one of the few things they kind of got right with file formats (ie you can get in there with a text editor and MK1 eyeball if you have problems)
Odalchini • April 25, 2010 8:55 AM
@Peter Venkman
“Why do fonts have little serif widgets on the top and bottom of each letter? It makes it readable.”
People with visual impairments – for whom I provide large-print versions of our publications – say that for them, a sans-serif typeface is more readable than a serif one.
Nick P • April 25, 2010 12:47 PM
@ Clive
MY GOD, MAN! Office 97!? Have you any ideas how many latent defects that thing might have? I’d be surprised if they are still supporting it. Upgrade to at least 2003: it’s cheap, maybe still supported, and Word loads in like 1-2 seconds on a core duo machine (you know, the ones that were $800 2 years ago). I’m with you on the RTF, though. If it’s just a simple message, some notes, etc. with formatting I use RTF because Wordpad is quite efficient, the format safe and file sizes ultra small. I use PNG for images due to small size, but their implementations keep having problems. Keep wondering if I should switch to BMP for secure viewers… lulz
Jameson • November 25, 2010 8:46 AM
Try Infix, that will be easier. http://www.iceni.com/
Subscribe to comments on this entry
All comments are now being held for moderation. For details, see this blog post.
Sidebar photo of Bruce Schneier by Joe MacInnis.
dan • April 22, 2010 1:54 PM
The article mentions Foxit Reader will run an executable without displaying a message, but the current version asks for permission – http://www.foxitsoftware.com/pdf/reader/security.htm#0401