Comments | athelind: Public Service Announcment: PDF Vulnerability

athelind

Public Service Announcment: PDF Vulnerability

Apr 06, 2010 09:15

Vulnerability found that allows PDF documents to run arbitrary code.

There's no hacking, cracking, or exploits here: this is just using features built into the format.

I just opened the test file using Adobe Reader under Ubuntu 9.04, and nothing popped up. This seems to be another Windows-Exclusive feature, brought to you by the fine folks in ( Read more... )

warning, computer, fnord, the revolution will be digitized

Comments 7

aeto April 6 2010, 16:46:20 UTC

The test file will only work on Windows, as it tries to start cmd.exe, which is a windows-only thing.

No clue if it would work on other systems, using different commands, and you can't tell from the sample file.

athelind April 6 2010, 17:35:13 UTC

I suspected that was part of it, but I don't grok enough 'Nix Shell to figure out what the appropriate commands would be, myself.

araquan April 6 2010, 19:28:41 UTC

There are tags for executing things on Mac and Unix (they are, surprisingly enough, called /Mac and /Unix, as opposed to /Win) but as of the 2006 PDF spec (v1.7, 31MB PDF- see page 659) their behavior is not defined as they are for Windows. In what little tinkering I've had time to do (which I will admit has been very little, and probably won't be much more before the evening) I've yet to induce a test PDF to do anything untoward on a Mac, but I haven't fed them into a genuine Adobe reader (I don't use those regularly). No attempt yet made on Linux.

theweaselking April 6 2010, 19:54:27 UTC

Uh, the "test file" runs "/launch 'c:\Windows\cmd.exe'"

NO KIDDING IT DOESN'T WORK UNDER LINUX.

If it had run "/launch '/usr/bin/rm -rf /*'" you'd be able to say it was "a Linux/Mac only problem" with about as much accuracy.

The hole presumably exists in the Linux version of the program, since it's the same program with the same spec. You simply lack a test for it.

athelind April 6 2010, 20:07:58 UTC

Urf. Mea culpa.

Like I said to Aeto, that had occurred to me. Gettin' snarky about Windows was, in this case, not only premature, but skirting the edges of dishonesty. I've updated my original post accordingly, and I'm going to make the observation in the comments in the OP.

I lack the Fu to make a test case for Linux, alas. If we DID substitute the commands, it still might not work in Linux -- not necessarily for any superior security protocols, but because 'Nixware is notorious for being cranky about calling up other 'Nixware and implementing more arcane features.

theweaselking April 6 2010, 20:16:56 UTC

Anyway. Assuming Linux doesn't behave *worse* than Windows, Adobe Reader will pop up a warning box, and the latest Foxit will as well.

athelind April 6 2010, 20:34:47 UTC

I tested it with a file that has commands for Windows, Mac and Linux; I got a warning box in Adobe Reader, but it didn't open the external app even when I confirmed it.

Evince, like the proverbial goggles, did nothing.

Security feature, or compatibility issue? With Linux, it's hard to tell.