Didier Stevens

Monday 29 March 2010

Escape From PDF

Filed under: Hacking,PDF — Didier Stevens @ 19:46

This is a special PDF hack: I managed to make a PoC PDF to execute an embedded executable without exploiting any vulnerability!

I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all; the action gets executed without user interaction.

PDF viewers like Adobe Reader and Foxit Reader don’t allow embedded executables (like binaries and scripts) to be extracted and executed:

But I found another way to launch a command (/Launch /Action), and ultimately run an executable I embedded using a special technique. With Adobe Reader, a launch action needs to be approved by the user:

But I can partially control the message displayed by this dialog box:

I can use this to social-engineer users to “Open” the file:

Do you believe this could mislead some of your users? Or maybe you can come up with a better message to fool your users.

With Foxit Reader, no warning is displayed:

I’m not publishing my PoC PDF yet, but you can download a PDF that will just launch cmd.exe here. Use it to test your PDF reader.

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

I shared my PoC with Adobe’s PSIRT. Maybe they will come up with a solution to prevent this, should they consider that the protection offered by the warning dialog is not sufficient. BTW, preventing Adobe Reader from creating new processes blocks this trick.

In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn’t run. But that’s probably due to some variation in the PDF language supported by Foxit Reader.

Tested with Adobe Reader 9.3.1 on Windows XP SP3 and Windows 7.
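For triaging incoming PDFs for the behaviour described in this post, here is an added example (not from the original post and not one of the author's tools): a small Python scanner that reports which objects carry a launch action, whether anything fires automatically on open, and whether the strings attached to the launch action contain line breaks of the kind comments 44 and 45 below describe for padding the approval dialog. The sample bytes are a constructed fragment assembled from snippets quoted in the comments, not a complete PDF, and all function names are illustrative.

```python
import re

# Keys that make an action fire without the user asking for it.
TRIGGERS = {"/OpenAction", "/AA"}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]*")
# Backslash escapes inside PDF literal strings; backslash + end-of-line is a
# line continuation and contributes nothing. Octal \ddd escapes are not
# decoded (the digits are kept as text).
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"\n": b"", b"\r": b""}

# Constructed sample: a catalog with an open action pointing at a launch action.
SAMPLE = rb"""%PDF-1.1
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 8 0 R >>
endobj
8 0 obj
<< /Type /Action /S /Launch /F (cmd.exe) /P (\nline1\nline2\nline3) >>
endobj
"""


def decode_name(raw: bytes) -> str:
    """PDF names may carry #xx hex escapes; normalise them before matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def split_strings(body: bytes):
    """Return (decoded literal strings, body with those strings blanked out)."""
    strings, rest, i, n = [], bytearray(), 0, len(body)
    while i < n:
        if body[i:i + 1] != b"(":
            rest.append(body[i])
            i += 1
            continue
        depth, i, buf = 1, i + 1, bytearray()
        while i < n and depth:
            c = body[i:i + 1]
            if c == b"\\" and i + 1 < n:
                nxt = body[i + 1:i + 2]
                buf += ESCAPES.get(nxt, nxt)   # unknown escape: keep the char
                i += 2
                if nxt == b"\r" and body[i:i + 1] == b"\n":
                    i += 1                     # CRLF continuation
                continue
            if c == b"(":
                depth += 1                     # balanced parentheses nest
            elif c == b")":
                depth -= 1
                if depth == 0:
                    i += 1
                    break
            buf += c
            i += 1
        strings.append(bytes(buf))
        rest += b" "                           # keep tokens on both sides apart
    return strings, bytes(rest)


def scan_pdf(data: bytes) -> dict:
    """Report auto-trigger keys and launch actions in uncompressed objects.

    Objects stored inside compressed object streams and hex strings (<...>)
    are not decoded, so a clean report is not proof of a clean file.
    """
    report = {"auto_trigger": [], "launch": []}
    for m in OBJ_RE.finditer(data):
        obj_id = int(m.group(1))
        strings, rest = split_strings(m.group(3))
        # Names are collected only outside literal strings, so a path such as
        # (/usr/bin/xcalc) is not mistaken for a set of dictionary keys.
        names = {decode_name(tok) for tok in NAME_RE.findall(rest)}
        if names & TRIGGERS:
            report["auto_trigger"].append(obj_id)
        if "/Launch" in names:
            report["launch"].append({
                "object": obj_id,
                "strings": [s.decode("latin-1") for s in strings],
                # Line breaks in a launch action's strings are what lets extra
                # text appear in the approval dialog.
                "multiline_text": any(b"\n" in s or b"\r" in s for s in strings),
            })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(scan_pdf(SAMPLE), indent=2))
```
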

316 Comments »

  1. PDF-XChange Viewer (2.0 Build 44) seems to be safe. It displays a clear (not faked) warning. And when I confirm with “yes” I get an error. Nothing else happens.

    Comment by Christoph Schmees — Monday 29 March 2010 @ 19:59

  2. @Christoph Thanks for testing. FYI: I don’t manipulate the warning dialog in the PDF I offer for download.

    Comment by Didier Stevens — Monday 29 March 2010 @ 20:04

  3. Nice work on the messing with the warning box. The workaround to block acrobat blocking process was interesting too – it seems crazy that “enhanced security” mode in acrobat doesn’t disable the /launch action.

    FYI a cross reader/os version (albeit without message box bit) has been published a while ago from Fred Raynal:

    /OpenAction <<
    /F <>
    /S /Launch
    >>

    Also available here: http://seclabs.org/fred/docs/sstic09/samples/actions/launch/calc.pdf

    Comment by Paul Theriault — Monday 29 March 2010 @ 22:54

  4. Ok so can’t post < in the comments 🙂

    This is the interesting bit anyways:
    /F
    /DOS (C:\\\\WINDOWS\\\\system32\\\\calc.exe)
    /Unix (/usr/bin/xcalc)
    /Mac (/Applications/Calculator.app)
    Or just look at the link if this doesn’t work 😉

    Comment by Paul Theriault — Monday 29 March 2010 @ 22:56

  5. Nice!
    The lack of user confirmation in Foxit makes me remember a somewhat similar vulnerability I’ve reported a year ago in Foxit Reader: it didn’t require user confirmation before launching an executable via the “Open/Execute a file” action. (Just local executables, no arbitrary embedded exes at that time).

    http://www.coresecurity.com/content/foxit-reader-vulnerabilities
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0836

    Seems like the flaw remained alive somewhere!

    Comment by Francisco — Monday 29 March 2010 @ 23:17

  6. In the case of foxit, I also did notice it executes without warning, however it doesn’t seem possible to pass parameters to whatever command you launch. If that is the case it sort of renders the vulnerability useless, what do you think?

    Comment by Mat — Monday 29 March 2010 @ 23:48

  7. Hi,

    This has been available in metasploit for months now:

    http://blog.attackresearch.com/publications/metaphish/
    http://www.metasploit.com/redmine/projects/framework/repository/revisions/8379/changes/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb

    You can also name the exe acroread.exe to make it less suspicious

    Comment by racinedestyle — Tuesday 30 March 2010 @ 7:01

  8. @Mat I think there is a way…

    Comment by Didier Stevens — Tuesday 30 March 2010 @ 7:03

  9. @racinedestyle No, I had a look at the Ruby code, my PoC is different. Although we both use a launch action for cmd.exe, I don’t use JavaScript, embedding and extracting is totally different, and I control the content of the dialog box.

    But I’ve contacted Colin with details of my PoC.

    Comment by Didier Stevens — Tuesday 30 March 2010 @ 7:05

  10. Nice post and PoC, congrats Didier!

    From my tests with “launch_action_cmd.pdf”, PDF-XChange Viewer under Windows7 shows a legit warning message:

    “The application “%1″ is set to be launched by this PDF file.
    The file may contain program, macros or viruses that may potentially harm your computer.
    Only open if you are sure it is safe.”

    Also once accepted the message, tries to open the wrong path for cmd.exe and fails. The PATH used I suppose is the current PATH of the PDF file.

    Comment by poc — Tuesday 30 March 2010 @ 7:37

  11. I just checked with Sumatra PDF Reader (using the Portable version from portableapps.com), and it simply ignores the command to open the cmd.exe. I get the page, but no window. 🙂

    Comment by Roach — Tuesday 30 March 2010 @ 8:00

  12. Hi,

    you’ve already tested on iphone’s safari ?

    Comment by white_sheep — Tuesday 30 March 2010 @ 9:02

  13. Sumatra PDF (v 1.0.1) does not show any warnings / dialog boxes and does not launch cmd either.

    Comment by Peter — Tuesday 30 March 2010 @ 9:35

  14. @poc Thanks for the info. FYI: the PDF you can download from the blogpost and used for your test doesn’t include the code that controls the warning message.

    Comment by Didier Stevens — Tuesday 30 March 2010 @ 9:37

  15. […] found that cannot be patched, but does let attackers take over vulnerable systems. The proof-of-concept exploit opens an embedded executable file. In the case of Adobe Reader, however, there first appears a […]

    Pingback by Onderzoeker ontdekt onpatchbaar PDF “lek” | Lost in the Noise — Tuesday 30 March 2010 @ 10:19

  16. Nice! great job! Windows Vista works too!

    Comment by bujinkanjp — Tuesday 30 March 2010 @ 10:59

  17. Wepawet chokes and gives up. “There were some errors. Please try again or let us know of this problem.”

    Nuance PDF Reader puts up a messagebox: “cannot open file ‘cmd.exe'”
    and shows HELLO WORLD under it.

    Comment by larry seltzer — Tuesday 30 March 2010 @ 11:44

  18. Hi,

    a kind of this foxit exploit is already within metasploit (I guess the one Francisco mentioned). I used this in a PoC to “rcp” a reverse_shell.exe into the users startup folder. Worked like a charm.

    The last time I used it was in late December 09. I’ve no idea if it is fixed already.

    wlet

    Comment by wlet — Tuesday 30 March 2010 @ 11:48

  19. Nuance reader gives an error message “Cannot open file cmd.exe”

    Comment by mvario — Tuesday 30 March 2010 @ 12:43

  20. Doesn’t work on Linux 😦

    Comment by asd — Tuesday 30 March 2010 @ 13:13

  21. I wonder if this works at Linux machines.

    Comment by Joshua — Tuesday 30 March 2010 @ 13:23

  22. another reason to switch to Linux! My Ubuntu 9.10 64 bit only shows Hello World!!

    Comment by pahendriks — Tuesday 30 March 2010 @ 13:26

  23. Does not work by default on Ubuntu 9.10. The Document reader does nothing else than read the .pdf. It doesn’t execute anything, by my knowledge.
    Nice hack though 😀

    Comment by Jarige — Tuesday 30 March 2010 @ 13:34

  24. Try this reader it blocks this leakage and does not execute the code.

    http://www.nuance.com/imaging/products/pdf-reader.asp

    Comment by Cyber — Tuesday 30 March 2010 @ 14:05

  25. Doesn’t work on my machine, Macbook OSX 10.6, with the standard preview program. No calculator opens. Thank you for proving again that my system is quite secure like it is.

    Comment by Roger — Tuesday 30 March 2010 @ 14:07

  26. @Roger Are you joking? Did you really expect cmd.exe to start on your Macbook?

    Comment by Didier Stevens — Tuesday 30 March 2010 @ 14:11

  27. @pahendriks Are you joking? Did you really expect cmd.exe to start on Ubuntu?

    Comment by Didier Stevens — Tuesday 30 March 2010 @ 14:12

  28. […] on ways to execute arbitrary code out of PDF files and has come up with a new and surprising one: He can run an executable embedded inside a PDF without exploiting a vulnerability. Stevens isn’t revealing the details of the technique […]

    Pingback by The Hackers Edge » Blog Archive » Malicious PDFs Execute Code Without a Vulnerability — Tuesday 30 March 2010 @ 14:14

  29. Fairly easy to adapt that piece of PDF to fool acroread:

    8 0 obj
    <>
    endobj

    Okular does not fall for it though… 🙂

    Comment by ruurd — Tuesday 30 March 2010 @ 14:24

  30. 8 0 obj
    <<
    /Type /Action
    /S /Launch
    /F (/usr/bin/gimp)
    >>
    endobj

    Comment by ruurd — Tuesday 30 March 2010 @ 14:25

  31. […] on ways to execute arbitrary code out of PDF files and has come up with a new and surprising one: He can run an executable embedded inside a PDF without exploiting a vulnerability. Stevens isn’t revealing the details of the technique […]

    Pingback by Malicious PDFs Execute Code Without a Vulnerability- The Hackers Edge — Tuesday 30 March 2010 @ 14:34

  32. […] dialog. It just automatically executes the embedded EXE. A commenter to Stevens’s post gives a story of a related vulnerability, and Stevens says it’s not uncommon for Foxit to blindly execute dangerous activities in […]

    Pingback by Malicious PDFs Execute Code Without a Vulnerability- The Hackers Edge — Tuesday 30 March 2010 @ 15:01

  33. Win XP sp3 (both Dutch & English) plus full version of Acrobat 9:
    ie 8, opens calc.exe;
    firefox 3.52 requests open or download both open calc.exe,
    Chrome 4.1.429 nothing happens ;-).

    Comment by George Kerstholt — Tuesday 30 March 2010 @ 15:25

  34. PDF-XChange Viewer did ask me the question as in comment #10, but only once, when trying to reproduce it did not ask again, but I am sure I did not touch the “do not ask again checkbox”.

    Comment by leuk_he — Tuesday 30 March 2010 @ 15:50

  35. Okular, the pdf-reader for KDE 4 under Kubuntu linux 9.10 opens the document as usual. No dialog, just “Hello world” as text in the pdf is shown.

    Comment by Jovern — Tuesday 30 March 2010 @ 17:50

  36. On Sorax it doesn’t work.

    Comment by Hans — Tuesday 30 March 2010 @ 18:18

  37. @Hans. No dialog box at all when you open it with Sorax? Then it probably doesn’t support /Launch actions.

    Comment by Didier Stevens — Tuesday 30 March 2010 @ 18:21

  38. […] on ways to execute arbitrary code out of PDF files and has come up with a new and surprising one: He can run an executable embedded inside a PDF without exploiting a vulnerability. Stevens isn’t revealing the details of the technique yet.Different PDF readers react […]

    Pingback by PDF Files Don’t Need Exploits To Be A Problem | Revelations From An Unwashed Brain — Tuesday 30 March 2010 @ 18:42

  39. Using Adobe 9.3.0 on a fully patched Win XP SP3, I had the popup to allow or not Adobe Reader to open explicit C:\WINDOWS\system32\cmd.exe, same behavior on M$IE 8.0.6001.18702.
    On Ubuntu 10.04, using Evince Viewer 2.29.92, no reaction (I think this is normal 😉

    I’m not considering this as a “vulnerability”, except for software that doesn’t show dialog box before execution !!! Is there a list of potential vulnerable software ? It can be interesting for MetaSploit PoC 😉
    Thx for the PoC on Win

    Comment by Beufa — Tuesday 30 March 2010 @ 19:45

  40. As a test on Ubuntu 9.10 using evince 2.28.1, I set the path to include the local directory and created a script named calc.exe. I then gave it execute rights. When typing the command evince launch-action-cmd.pdf it did not execute calc.exe. It did give me the following error and showed me the Hello World PDF:
    Error: PDF file is damaged – attempting to reconstruct xref table…

    Comment by Steve — Tuesday 30 March 2010 @ 19:57

  41. SumatraPDF is safe…

    Comment by Thomas — Tuesday 30 March 2010 @ 20:21

  42. Foxit eader was fooled as well.
    Is it a windows only problem?

    Comment by fox ed — Tuesday 30 March 2010 @ 22:25

  43. i mean foxit Reader

    Comment by fox ed — Tuesday 30 March 2010 @ 22:26

  44. /F (cmd.exe\nline1\nline2\nline3)

    This is the thing behind the “control the box”. The problem is to get the \nline1\nline2\nline3 part away before the execution because the exec fails with the \nline1\nline2\nline3 trail garbage.

    Comment by Marco — Tuesday 30 March 2010 @ 23:31

  45. Just for the lulz:
    /F (cmd.exe)
    /P (\nTo continue viewing the encrypted content\nplease click the “Don’t show this message again” box\nand press OK!)

    and you’re done. On a *nix system you could now use grep and other (ba)sh features to launch a script of your 0wn choice.

    Comment by Marco — Tuesday 30 March 2010 @ 23:43

  46. […] Reader and was tested on the latest version of Adobe Reader 9.3.1. More details Source: uinC: News of computer […]

    Pingback by Обнаружен способ автозапуска произвольных программ через PDF-файл | Сумы.biz — Tuesday 30 March 2010 @ 23:57

  47. […] Filed under: Hacking, PDF — Didier Stevens @ 0:00 Thanks to a tip from @riotz, I got my PoC PDF working on Foxit Reader. Remember, Foxit Reader issues no warning when launching a command! So I […]

    Pingback by “Escape From Foxit Reader” « Didier Stevens — Wednesday 31 March 2010 @ 0:01

  48. Evince 2.30 (the Windows version) doesn’t show warnings nor it does launch cmd.exe.

    Tested on a win xp sp 3, can anyone confirm that?

    Comment by netalien — Wednesday 31 March 2010 @ 1:23

  49. Nice find again Didier! I just read the announcement on ZDnet – http://blogs.zdnet.com/security/?p=5929
    Greetings from oz!

    Comment by Wouter — Wednesday 31 March 2010 @ 2:49

  50. […] the information provided by researcher Didier Stevens. I use a launch action triggered by the opening of my PoC PDF. With […]

    Pingback by Arquivo PDF pode executar código arbitrário, mesmo sem vulnerabilidade « SECNOW – Web Security Analysis and Threads — Wednesday 31 March 2010 @ 3:10

  51. […] Escape From PDF | Didier Stevens […]

    Pingback by Security Briefing: March 30th : Liquidmatrix Security Digest — Wednesday 31 March 2010 @ 3:13

  52. If you uncheck allow opening of non-pdf file attachments under the Adobe Reader trust manager settings, then you just get a prompt saying the action is not currently allowed. Of course this is not a default setting…

    Comment by Matt — Wednesday 31 March 2010 @ 5:08

  53. @fox ed: No, I’ll soon be testing this on Linux and expect to be able to do the same.

    Comment by Didier Stevens — Wednesday 31 March 2010 @ 6:43

  54. @Wouter Hey Wouter! Thanks for the ping!

    Comment by Didier Stevens — Wednesday 31 March 2010 @ 6:44

  55. @Matt Thanks for the info. Someone reported this to me, but he couldn’t tell me the exact setting of the Trust Manager.

    Comment by Didier Stevens — Wednesday 31 March 2010 @ 6:45

  56. […] @DidierStevens has released a way to partially “control” the message showed by Adobe Reader when it launches an application from inside a pdf file with the PDFAction “/Launch”. Check it out here […]

    Pingback by Launch PDF Action Mega Abuse. « Feliam's Blog — Wednesday 31 March 2010 @ 7:11

  57. Regarding Linux and Macs: I’m sure nobody expected those OS to open cmd.exe, but if it is possible to execute programs then both OS should have displayed an error message, for example “cmd.exe not found” or something. I know that failure to display such a message doesn’t mean that those OS are safe, but I think it’s a first indicator.

    Would it be possible for you to create a PDF that tries to open /Applications/Calculator.app on a Mac?

    Comment by Udo Thiel — Wednesday 31 March 2010 @ 10:39

  58. @Udo Thiel Yes, would you agree to test such a Mac PDF?

    Comment by Didier Stevens — Wednesday 31 March 2010 @ 11:02

  59. @Didier Stevens: sure, just send it to my e-mail address.

    Comment by Udo Thiel — Wednesday 31 March 2010 @ 11:07

  60. I copied xcalc to cmd.exe and tried to open the pdf with adobe reader, but he just rebuilds the pdf. Strace doesn’t give any indication of something being executed. Is linux secure?

    Comment by nobody — Wednesday 31 March 2010 @ 11:43

  61. Regarding Linux: I tested on Ubuntu with Raynal’s calc.pdf (Paul Theriault posted the link above), it tries to run xcalc.
    * does not work with evince (2.24.1), Ubuntu’s standard pdf reader
    * does not work with Xpdf (3.02)
    * DOES work with acroread (9.3.1), with warning

    Comment by Nils Toedtmann — Wednesday 31 March 2010 @ 11:50

  62. on ubuntu 10.4, acrobat 9.3.1, after ok’ing dialog:
    “Error showing url: No application is registered as handling this file”

    Comment by nobody — Wednesday 31 March 2010 @ 12:07

  63. […] a security researcher from Belgium, explained the exploit without publishing how to do it on his blog Monday. The trick doesn’t rely on Javascript, which has been the culprit in many of the […]

    Pingback by Exploit PDF Files, Without Vulnerability - 404 Tech Support — Wednesday 31 March 2010 @ 12:27

  64. @nobody testing on ubuntu 10.04 (beta1?): Maybe it doesn’t work on upcoming ubuntu 10.04, i tested on 8.10 (intrepid). Did you check that /usr/bin/xcalc is actually installed (package “x11-apps”)?

    Comment by Nils Toedtmann — Wednesday 31 March 2010 @ 12:44

  65. […] Stevens has published the latest hack for PDF reading programs (in modern German, “Reader”). In this case a hack in the true sense, that is, the […]

    Pingback by PDFs doch abschaffen? | TC Blog — Wednesday 31 March 2010 @ 13:57

  66. What versions of Foxit are vulnerable?

    Comment by Sigtrap — Wednesday 31 March 2010 @ 14:17

  67. @Sigtrap Tested with latest version 3.2.0.0303. Assume older versions exhibit same behavior.

    Comment by Didier Stevens — Wednesday 31 March 2010 @ 14:21

  68. […] Didier Stevens found the vulnerability/ design flaw. Essentially it allows you to include executable files within a .pdf file, and auto-execute them as soon as the PDF is viewed! What’s more is that it doesn’t require javascript to be enabled. The PDF format does not allow you to embed binaries, but there is a ‘Launch Action’ which can launch a command, Didier has manipulated this to execute embedded data and he has even managed to manipulate the user warning shown below to display a custom message. […]

    Pingback by New PDF Vulnerability/Design Flaw « JCSecurity — Wednesday 31 March 2010 @ 14:41

  69. @Sigtrap and Didier Stevens
    I have now tried the cmd.exe-PDF with Foxit version 1.3. This is the version I use at home. No known(?) vulnerabilities in that old version.
    Foxit 1.3 doesn’t launch anything when launch-action-cmd.pdf is opened.

    Comment by Sigtrap — Wednesday 31 March 2010 @ 16:01

  70. […] Whenever we run a post about yet another security hole in Adobe Reader, commenters chime in with their support for Foxit’s free alternative. If you’ve been singing its praises for security reasons, think again says security pro Didier Stevens. […]

    Pingback by Using FoxIt because you think it’s safer than Adobe Reader? Think again. « MobileTrends.info — Wednesday 31 March 2010 @ 16:08

  71. […] their support for Foxit's free alternative. If you've been singing its praises for security reasons, think again says security pro Didier Stevens. Foxit, it turns out, has a rather major flaw right now. An attacker can piggyback and launch an […]

    Pingback by Using FoxIt because you think it’s safer than Adobe Reader? Think again. « Gus — Wednesday 31 March 2010 @ 16:08

  72. […] Whenever we run a post about yet another security hole in Adobe Reader, commenters chime in with their support for Foxit’s free alternative. If you’ve been singing its praises for security reasons, think again says security pro Didier Stevens. […]

    Pingback by Using FoxIt because you think it’s safer than Adobe Reader? Think again. | Tech Industry News — Wednesday 31 March 2010 @ 16:17

  73. […] The Belgian security expert Didier Stevens has discovered flaws in the PDF specifications that can allow program code to be executed on the local system via a suitably crafted PDF file, without exploiting any security vulnerabilities. Both Adobe Reader and Foxit Reader are affected. As a possible workaround, one can either deactivate the option “Non-PDF file attachments may be opened in external applications” under Preferences > Trust Manager in Adobe Reader, or (on Windows) use the free (free as in free beer) Nuance PDF Reader, which refused outright to execute the scripts provided by Stevens. […]

    Pingback by Security Alerts – Der Schockwellenreiter — Wednesday 31 March 2010 @ 16:27

  74. @Pingback
    What vulnerabilities are there in Foxit 1.3? Newer versions have lots more features, and more vulnerabilities. I don’t need the features so I stay with version 1.3. And version 1.3 is only one 2.6MB static binary.

    Comment by Sigtrap — Wednesday 31 March 2010 @ 16:27

  75. […] from a malicious *.pdf file, any executable, silently, via Foxit Reader. He created a proof of concept, and it proved more effective in Foxit than in Adobe’s own […]

    Pingback by Foxit Reader: mais inseguro que o Adobe Reader? — Wednesday 31 March 2010 @ 16:58

  76. […] their support for Foxit's free alternative. If you've been singing its praises for security reasons, think again says security pro Didier Stevens." Using FoxIt because you think it's safer than Adobe Reader? Think again. […]

    Pingback by Using FoxIt because you think it's safer than Adobe Reader? Think again. - Computer Security — Wednesday 31 March 2010 @ 17:13

  77. […] a security researcher who has just uncovered a major flaw in the PDF format. His technique thus makes it possible to call, from a PDF, an executable that will be launched […]

    Pingback by Une faille fatale dans le format PDF — Wednesday 31 March 2010 @ 17:32

  78. So, based off the file put up… I was able to create my own… the “hack” is simple really and, in my case, all I had to do was open the file in notepad, add the commands and save. And now I have a pdf that will launch internet explorer…

    Comment by joel — Wednesday 31 March 2010 @ 17:46

  79. […] […]

    Pingback by Foxit More Secure Than Adobe Reader? Think Again! — Wednesday 31 March 2010 @ 17:56

  80. @Didier
    btw Foxitreader

    Opening your launch-action-cmd.pdf via Commandline with parameter -n like :

    “C:\Programme\Foxit Software\Foxit Reader\foxit reader.exe” “C:\Dokumente und Einstellungen\Surf\Desktop\launch-action-cmd\launch-action-cmd.pdf” -n 1

    will prevent the launch of the embedded executable.

    WinXP SP3 , Foxit Reader 3.2.0.0303
    Greetingz

    Comment by fuzzylo — Wednesday 31 March 2010 @ 18:34

  81. […] PDF bug kills Foxit Reader. Perhaps it’s time to use Sumatra? Read More. Posted on 03/31/10 Tagged […]

    Pingback by Another PDF Security Hole, for Foxit this Time - How-To Geek News — Wednesday 31 March 2010 @ 18:58

  82. Your PoC PDF also works with Acrobat 9 Prof (Version 9.1.2) on Vista.

    Comment by pipitas — Wednesday 31 March 2010 @ 19:10

  83. @fuzzylo Thanks for the info!

    Comment by Didier Stevens — Wednesday 31 March 2010 @ 19:13

  84. […] a security researcher who has just uncovered a major flaw in the PDF format. His technique thus makes it possible to call, from a PDF, an executable that will be launched automatically by the […]

    Pingback by Sécurité informatique | Une faille fatale dans le format PDF | Le blog le7.net — Wednesday 31 March 2010 @ 19:25

  85. […] M. Stevens discusses in his blog post, opening the file with Adobe Reader results in the display of a warning message; since the document […]

    Pingback by Booby-Trapped PDFs « Rich's Random Walks — Wednesday 31 March 2010 @ 20:02

  86. @joel The “hack” is not that simple. I need 5 different stages to execute an embedded binary on Adobe, and 4 stages on Foxit.

    Comment by Didier Stevens — Wednesday 31 March 2010 @ 20:55

  87. […] Escape From PDF […]

    Pingback by Un fisier PDF poate executa cod malitios — Wednesday 31 March 2010 @ 21:16

  88. Wed 3/31/2010 5:29 pm. Your launch-action-cmd.pdf launched cmd.exe with adobe version 7, xp.

    So how do you get adobe to not launch any processes? That’d be fine with me; but I don’t want to stop everyone else from launching processes…

    ======================================
    j.g. owen * email: owen_bda4@yahoo.com
    web: http://owenlabs.org
    ======================================

    Comment by j.g. owen — Wednesday 31 March 2010 @ 21:32

  89. @j.g. owen One way I achieve this is with my LoadDLLViaAppInit tool: https://blog.didierstevens.com/2009/12/23/loaddllviaappinit/

    Comment by Didier Stevens — Wednesday 31 March 2010 @ 21:39

  90. Regarding linux: Most pdf viewers are based on the xpdf / poppler code, that don’t seem to implement /OpenAction.
    For the pdf published here, both xpdf 3.0.2 and evince 2.28.2 just warn about the damaged xref table and display the page (and yes, I’ve replaced “cmd.exe” with “firefox”).

    Comment by Michel Messerschmidt — Wednesday 31 March 2010 @ 22:30

  91. […] I refer you to Didier Stevens’s site and to the ThreatPost blog, which in turn reported the news. 31st March, 2010 | Tags: adobe, […]

    Pingback by PDF Come bypassare la sicurezza ed eseguire codice senza usare vulnerabilità | www.e-toolbox.it — Wednesday 31 March 2010 @ 23:12

  92. But even though you control some lines of the text box it still shows the filename being launched? Because I noticed you don’t scroll all the way up in the screenshots you posted.

    Comment by Peter — Thursday 1 April 2010 @ 0:27

  93. Okay, I just read the comment from Marco and understood how you did it. Funny thing, in Vista it doesn’t even show me the scroll bar, it just shows the bottom-most text. I can scroll of course with the arrows but there is no bar.

    Comment by Peter — Thursday 1 April 2010 @ 0:32

  94. […] the example of a PDF running an external program from Stevens’s article Escape from PDF. Users can download this PDF to try it out with FoxIt Reader […]

    Pingback by F-Secure:PDF为何漏洞百出 « 每日IT新闻,最新IT资讯,聚合多站点消息,保证你与世界同步 — Thursday 1 April 2010 @ 2:29

  95. […] you haven’t heard yet Didier Steven’s has made public a feature he discovered within the standard PDF document language that allows a […]

    Pingback by sudosecure.net » Blog Archive » Expanding Upon Didier Steven’s PDF Feature Find — Thursday 1 April 2010 @ 4:02

  96. I use ubuntu and my Document Viewer didn’t open any application!

    Comment by Anonymous — Thursday 1 April 2010 @ 6:14

  97. […] the example of a PDF running an external program from Stevens’s article Escape from PDF. Users can download this PDF to try it out with FoxIt Reader […]

    Pingback by See's Message » F-Secure:PDF为何漏洞百出 — Thursday 1 April 2010 @ 6:14

  98. […] here we go again. On Didier Stevens’s blog, a fine example of a PDF attack that launches an executable program (here, a window in line […]

    Pingback by Bruno Kerouanton » Failles PDF… — Thursday 1 April 2010 @ 6:19

  99. Win XP sp3:
    Adobe Reader v5.1 can’t open the pdf.
    Acrobat 7 displays the pdf and shows the warning dialog.
    Foxit Reader 2.0 displays the pdf and pops the cmd window open without warning.
    Foxit Reader 1.3 displays the pdf and appears to be immune to the technique.
    Adobe Reader LE 2.5 can’t open the pdf (WinMo6.5)

    Comment by lurk — Thursday 1 April 2010 @ 7:50

  100. […] Escape From PDF « Didier Stevens (tags: pdf security) […]

    Pingback by links for 2010-04-01 — Thursday 1 April 2010 @ 8:05

  101. @Peter Of course, but most users don’t scroll. And I didn’t scroll in the video & screenshots, otherwise I would disclose the details.

    Comment by Didier Stevens — Thursday 1 April 2010 @ 8:20

  102. […] in fact I tried it under XP and it gets blocked; try it yourselves too, watch out for that window Escape From PDF Didier Stevens I can use this to social-engineer users to “Open” the file: Attached images […]

    Pingback by Anonymous — Thursday 1 April 2010 @ 8:33

  103. @lurk I believe Foxit Reader 1.3 has no support for Launch Actions. So it just ignores it; That’s what all PDF readers do (AFAIK): if they encounter an unknown keyword during the parsing process, they just ignore it. This way, they can still render documents with a higher PDF language version number than the one the reader is supporting.

    Comment by Didier Stevens — Thursday 1 April 2010 @ 8:35

  104. […] And a fundamental flaw in the Portable Document Format, […]

    Pingback by Careful out there « Idrach: Thoughts and Musings — Thursday 1 April 2010 @ 8:48

  105. If this pdf file, with cmd included is opened on a limited computer, will it open?

    Comment by Klaas — Thursday 1 April 2010 @ 9:12

  106. @Klaas Don’t know, depends on what you mean with limited computer. If you mean a LUA user, then yes, it will work. Care to provide more details on the limitation?

    Comment by Didier Stevens — Thursday 1 April 2010 @ 9:14

  107. @didier, I have at work, a network of 25 windows xp pc, the normal route for opening is blocked, also 10 other ways to open cmd.
    By this computer you need to login with username and password. The server of this accounts is 2 miles of my work.

    Comment by Klaas — Thursday 1 April 2010 @ 9:56

  108. @Klaas OK, I see. No, if you use something like Software Restriction Policies to block the execution of cmd.exe, my pdf won’t work.

    Comment by Didier Stevens — Thursday 1 April 2010 @ 10:17

  109. Does it actually launch a file embedded in the PDF, or just exe’s on the client computer? The sample PDF just launches cmd.exe on the target machine. Nothing embedded.

    Comment by Adger — Thursday 1 April 2010 @ 10:22

  110. This is amazing trick 🙂 In reply to comment 52:
    I have this settings disabled since I installed Adobe Acrobat. People just don’t go through advanced settings. I’m sure that trick will work for 99% of PC users.

    “The social part of our industry, we are never going to patch” – Mike Murray – 2010-03-04
    And if knowledge is infinite, then stupidity must be infinite too 🙂

    Comment by junk — Thursday 1 April 2010 @ 10:24

  111. @Adger Yes, like you can see in the video, it actually launches a file embedded in the PDF. But it’s not embedded according to the PDF standards, I use another technique.
    The sample PDF just launches cmd.exe. I’ve not disclosed my PoC. As a first step, the PoC also launches cmd.exe. But then it takes 4 extra steps, that ultimately launch an embedded, arbitrary executable.

    Comment by Didier Stevens — Thursday 1 April 2010 @ 10:27

  112. […] guys over on EthicalHacker.net, I’ve decided to briefly write about the latest discovery from Didier Stevens. In this post, I will be looking at the PDF exe launch feature discovered by Didier. Ironically, I […]

    Pingback by PDF Launch Command without javascript - isolated-threat — Thursday 1 April 2010 @ 10:50

  113. Hey, the vulnerability works for URLs too! Just replace cmd.exe with a URL of your choice and watch the fun! Suddenly there are so many attack vectors possible! Come on now Adobe.. you still think this is a feature!?! :/ ..

    Here it is in action .. http://hypersecurity.blogspot.com/2010/04/pdf-command-execution-vulnerability.html

    Comment by Dah4ckeR — Thursday 1 April 2010 @ 11:21

  114. reply to 52 & 110: I have that box unchecked too and this is the result (also checked with the calc.pdf, same popup): http://i44.tinypic.com/1zobupt.jpg

    Comment by bob — Thursday 1 April 2010 @ 12:25

  115. STDUViewer 1.5.402.0 Will not open the terminal.

    Comment by Another Reader — Thursday 1 April 2010 @ 13:14

  116. […] Getting malware on these machines would be pretty easy now, and depending on the data collected for the CNP transaction the results could be pretty significant.  Especially considering this post demonstrating ways to run executables from PDFs. […]

    Pingback by Branden R. Williams, Business Security Specialist » Key Logger Attacks on the Rise (this is no joke!) — Thursday 1 April 2010 @ 13:43

  117. PoC in PDF Reader…

    Somehow it surprises me that they have only now come up with this… OK, the PoC is a special one, but since PDF is so widespread, I thought something like this already existed. This is a special PDF hack: I managed to make a PoC PDF to execut…

    Trackback by Bananas Development Blog — Thursday 1 April 2010 @ 14:09

  118. Bluebeam PDF Revu launches the PDF file, but no CMD line is shown

    Comment by brian — Thursday 1 April 2010 @ 16:02

  119. […] Didier Stevens published a weakness in the PDF specification on his blog on 29 March 2010. All current versions of Adobe Reader and Acrobat up to and including 9.3 are affected, as are other alternative PDF viewers such as Foxit Reader. Didier Stevens reported the weakness to the Adobe Product Security Incident Response Team (PSIRT). However, a simple patch will not do here, since this concerns a PDF specification and not a security hole in the respective PDF viewers. […]

    Pingback by Slimers Blog » Schwachstelle in der PDF-Spezifikation — Thursday 1 April 2010 @ 18:27

  120. All I want is a PDF reader that reads all PDF files, prints some out, and DOES NOT have Javascript or launching executable code or any of that OBVIOUS exploitable stuff. Is it just Sumatra that is out there? And that doesn’t even display many PDF files?

    This is why PDF as a format needs to be abandoned.

    Comment by Frustrated — Thursday 1 April 2010 @ 18:52

  121. W7 + SumatraPDF 1.0 (running either as normal user or as admin): cmd.exe does not get started.

    Comment by Roebie — Thursday 1 April 2010 @ 20:29

  122. Ouch, that’s going to cause a bit of a wave. I tried my hands on a PoC too, and it works on Vista+Reader9, dropping only the final executable and one helper file – and it’s scary how easy it was.

    Comment by BitPoet — Thursday 1 April 2010 @ 20:50

  123. […] I posted about a thought I had that expanded upon Didier Steven’s Escape From PDF built in feature discovery where he executed a embedded executable binary using some crafty […]

    Pingback by sudosecure.net » Blog Archive » Are PDF’s Worm-able? — Thursday 1 April 2010 @ 22:02

  124. Like Bluebeam Infix seems to ignore the launch actions as well. Nitro PDF gives out a warning: “There was error opening the file. The file cannot be opened.”
    After clicking OK you see the pdf with an information tab issueing that the file was corrupted and has been repaired.

    Comment by well — Thursday 1 April 2010 @ 22:02

  125. @BitPoet Thanks a lot for sharing your PoC with me! Excellent work, well done!

    Comment by Didier Stevens — Thursday 1 April 2010 @ 22:31

  126. […] Escape From PDF « Didier Stevens PDFs are getting more evil by the day! […]

    Pingback by Branden R. Williams, Business Security Specialist » Security & Compliance Links April 1, 2010 — Thursday 1 April 2010 @ 22:32

  127. I use Sumatra PDF. The pdf you kindly provided did not launch anything.

    Comment by Ba7eth — Friday 2 April 2010 @ 1:46

  128. nm my previous post.

    Comment by Ba7eth — Friday 2 April 2010 @ 2:42

  129. […] provided a sample file at his site for you to test your reader of […]

    Pingback by PDF readers exploit alert | RoxBlogs — Friday 2 April 2010 @ 2:45

  130. Acrobat Professional 7 gives a clear warning:
    Launch: C:\Windows\System32\cmd.exe
    The application “C:\Windows\System32\cmd.exe” is set to be launched by this pdf file. The file may contain programs, macros, or viruses that could potentially harm your computer.. and so on.

    Comment by Stephan — Friday 2 April 2010 @ 5:55

  131. Ouch:(.That sounds bad:(…Thank you for sharing this with the rest of the world. Hope that Adobe bring about a work around quickly.

    Comment by Common Sense — Friday 2 April 2010 @ 6:21

  132. […] only interprets the format’s specifications. The PDF file that runs harmless (demo) code can be downloaded from the blog of […]

    Pingback by Fişierele PDF sunt periculoase şi fără vulnerabilităţi | Softwarenet InfoSite — Friday 2 April 2010 @ 6:44

  133. […] to exploit, warns Didier Stevens, security expert at Contraste Europe. Stevens published on his blog the description of the method with the help of which Adobe Reader and the […]

    Pingback by Nem biztonságos a pdf, vírushordozó lehet « Hajdúmagazin — Friday 2 April 2010 @ 8:09

  134. FoxIT has released an update, that will now give you a warning before running the application from inside of a PDF!
    You sure woke people up it seems!

    Comment by Erik — Friday 2 April 2010 @ 9:27

  135. […] a security researcher has come up with a simple way in which a hacker can use Adobe Reader or Foxit to run […]

    Pingback by Farligt säkerhetsproblem med Adobe och Foxit pdf-reader « DataProvider Sweden Blogg — Friday 2 April 2010 @ 11:18

  136. […] I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction. – Didier Stevens […]

    Pingback by Escape From PDF « Descent Into Darkness — Friday 2 April 2010 @ 12:48

  137. […] Reader does not give any prompt. <*Reference https://blog.didierstevens.com/2010/03/29/escape-from-pdf/ *> […]

    Pingback by Foxit Reader 3.2 执行内嵌可执行程序漏洞 — Friday 2 April 2010 @ 12:59

  138. hi,

    nice work !

    i’d like to give an argument to the .exe called in my powerpoint but it doesn’t seem to be accepted (ex: cmd /k dir)

    anyone for a clue ?

    Comment by akway — Friday 2 April 2010 @ 14:45

  139. Just tried with an old Sumatra 0.9.4 and no cmd apparition…

    Comment by Pascal — Friday 2 April 2010 @ 17:28

  140. As someone said above Foxit has come out with an update that fixes this. I’m glad they addressed this so quickly. Thank you for finding this and making it public!

    Comment by Martin — Friday 2 April 2010 @ 22:03

  141. Hello,

    thanks for the info which resulted into update of Foxit to implement warning dialog about launched executable …

    Comment by Dwarden — Saturday 3 April 2010 @ 9:10

  142. far as i know, that executes in temp inter files, which has been treated as the internet zone size 2005 good luck accessing anything from there

    Comment by Michael Evanchik — Saturday 3 April 2010 @ 15:00

  143. @Michael Evanchik Try it out with my test file …

    Comment by Didier Stevens — Saturday 3 April 2010 @ 15:15

  144. […] Foxit don’t allow embedded executables to run directly, wrote Didier Stevens on his security blog. But Stevens found a way to get an embedded executable to run via a different launch […]

    Pingback by Malicious PDF file doesn’t need a software vulnerability — Saturday 3 April 2010 @ 15:19

  145. […] in the way the reader communicates with the user who is using the malicious file. In his analysis Stevens explains that he discovered a way to host an embedded .exe file inside a […]

    Pingback by Antonino Minuto 2.0 » Archive » PDF, scoperto l’exploit perfetto? — Saturday 3 April 2010 @ 17:45

  146. […] 29 March the article titled “Escape from PDF” appeared on Stevens’ blog, in which the researcher demonstrates with a PoC how to exploit this vulnerability. […]

    Pingback by PDF Vulnerabile “By Design” | PillolHacking.Net — Sunday 4 April 2010 @ 3:46

  147. […] is the shocking information published by security researcher Didier Stevens. Arbitrary code will execute when a PDF file is opened with the 2 viewer programs […]

    Pingback by Bảo mật Chủ Nhật, 04/04/2010, 23:30 Nhúng mã độc vào file PDF không cần qua lỗi bảo mật « Net24h.info — Sunday 4 April 2010 @ 17:44

  148. PDF-XChange has decided to change the feature that allows users to stop being warned about launching executables. See this thread: http://www.docu-track.com/forum3/viewtopic.php?f=35&t=8067&p=37131#p37131

    regards

    Comment by Paul O'Rorke — Sunday 4 April 2010 @ 20:13

  149. […] https://blog.didierstevens.com/2010/03/29/escape-from-pdf/ Category: Security News Tags: Acrobat, Acrobat Reader, PDF, hacker, hacking, vulnerability Comments (0) Trackbacks (0) Leave a comment Trackback URL […]

    Pingback by アバスト ブログ! :: 株式会社ソフトメール (avast! Korea) » PDF自体の脆弱性がなくてもハッキングが可能 (動画で試演) — Monday 5 April 2010 @ 0:46

  150. […] days the work Didier Stevens has done to manage to execute binaries from a PDF document has been going around the world. The technique, if Adobe Acrobat Reader is being used, shows a message that can be, as […]

    Pingback by El peligroso mundo del PDF | Shadow Security — Monday 5 April 2010 @ 10:03

  151. My POC demo :

    Comment by yunsoul — Monday 5 April 2010 @ 10:22

  152. 05-04-2010 15:30 – Foxit Reader is now updated !!!

    Comment by Jan — Monday 5 April 2010 @ 13:30

  153. […] a security researcher to run executable files embedded in pdf files, […]

    Pingback by مشاكل ملفات pdf التي لا تنتهي | Security 4 Arabs - مجتمع الحماية العربي — Monday 5 April 2010 @ 15:03

  154. […] consider that the protection offered by the warning dialog is not sufficient,” Mr. Stevens explains on his […]

    Pingback by Newmail Articles » New PDF-Based Arbitrary Code Execution Technique Revealed — Monday 5 April 2010 @ 15:59

  155. So, has anyone tried this on a Mac using Preview? Does the execution happen? Is there any warning?
    Thanks
    Al

    Comment by al — Monday 5 April 2010 @ 16:41

  156. […] Escape From PDF – didierstevens.com I managed to make a PoC PDF to execute an embedded executable without exploiting any vulnerability! […]

    Pingback by Week 13 in Review – 2010 | Infosec Events — Monday 5 April 2010 @ 18:36

  157. […] under: Hacking, PDF, Update — Didier Stevens @ 0:01 Some new info after last week’s Adobe and Foxit […]

    Pingback by Update: Escape From PDF « Didier Stevens — Tuesday 6 April 2010 @ 0:03

  158. […] Escape From PDF (Didier […]

    Pingback by PDFs pueden ser peligro público | TengoTecno.com — Tuesday 6 April 2010 @ 0:42

  159. @Al Nope it doesn’t work in Preview. Acrobat Reader on the Mac will launch Firefox but it first opens up Terminal and then opens Firefox, just tested it about 5 mins ago. Also the Acrobat Reader version on Mac doesn’t allow you to pass arguments/parameters to it, so its functionality is limited.

    Comment by Jeremy — Tuesday 6 April 2010 @ 3:03

  160. […] Conway’s proof of concept attack–detailed here with more information here–takes advantage of the same weakness in PDF readers that security researcher Didier Stevens of Belgium discovered a week ago and explained on his blog. […]

    Pingback by The Cheap Computer Geek » Blog Archive » Exploits not needed to attack via PDF files — Tuesday 6 April 2010 @ 3:22

  161. How is that different from Windows7 executing a binary you downloaded from the web, after clicking “Ok” when the UAC pops up. Or do you plan your next “news” to be “Windows7 security vulnerability discovered – users can actually execute binaries on Windows”?

    Comment by virgil — Tuesday 6 April 2010 @ 6:34

  162. Security alert for Pdf files…

    Adobe and FoxIt are investigating a new danger tied to Pdf files, which could allow the execution of embedded executables, but without exploiting vulnerabilities. The hacking technique, in fact, would not go through the discovery of flaws. A …

    Trackback by 100spiare — Tuesday 6 April 2010 @ 8:45

  163. @virgil Maybe you don’t understand this, but a PDF is not an executable. And the PDF standard goes a long way to prevent you from executing embedded executables.

    Comment by Didier Stevens — Tuesday 6 April 2010 @ 9:02

  164. […] Stevens published a proof-of-concept program this week, showing how, through Adobe […]

    Pingback by BLOG888 » Blog Archive » 研究人員:不需漏洞也可利用PDF執行惡意程式 — Tuesday 6 April 2010 @ 10:15

  165. […] two dozen security problems in those programs.Last month, researcher Didier Stevens said he’d discovered that he could embed an executable file — such as a malicious program — inside of a PDF […]

    Pingback by Security Updates for Foxit, QuickTime/iTunes — Krebs on Security — Tuesday 6 April 2010 @ 14:33

  166. […] last week a security hole had been discovered in various PDF viewers, which allows attackers arbitrary code on the affected PC […]

    Pingback by Foxit wieder sicher – Adobe Reader nicht | Software Blog — Tuesday 6 April 2010 @ 15:44

  167. Tested using Adobe Reader on Ubuntu 9.04 (yes, Canonical has Adobe for Ubuntu now).

    Nothing popped up.

    Comment by Your Obedient Serpent — Tuesday 6 April 2010 @ 16:19

  168. […] things when you open them?  Why, there’s a simple pop-up question.  And not only that, but the pop-up question’s text itself can be manipulated, as shown by Didier Stevens.  This form of attack is no accident.  It’s not a bug.  […]

    Pingback by InsanIT.net » Blog Archive » How Do You Deal With Security When Insecurity Is A Feature? The Adobe PDF Dilema — Tuesday 6 April 2010 @ 16:52

  169. […] catching up on my reading when I came back, I ran across this post about launching executable files from pdf files with little to no interaction or notable […]

    Pingback by Leave all your baggage behind | Port 22 Tech — Tuesday 6 April 2010 @ 18:48

  170. Folks in my LJ have pointed out that, of course, the embedded command in the text file is, specifically, a Windows command. Of course it’s not going to work in Mac or Linux.

    The question is, if the function call is replaced by the appropriate ‘Nix command, will it work? And if it doesn’t work, is that due to “superior OS security”, or just the erratic feature support that us Linux users all bitch about when it interferes with things we want to do, and gloat about when it interferes with potential hazards?

    I lack the ‘Fu to make the appropriate test files myself; I’m going to try the version linked in the comments above.

    Comment by Your Obedient Serpent — Tuesday 6 April 2010 @ 20:18

  171. Okay, calc.pdf, under Ubuntu 9.04:

    In Evince: nothing.

    In Acrobat Reader 9.3.1: warning pop-up, but nothing opens when I click the button to allow it to open.

    I’ve confirmed that xcalc is, indeed, in usr/bin/.

    Comment by Your Obedient Serpent — Tuesday 6 April 2010 @ 20:27

  172. And how can you pass parameters to cmd.exe
    tried /F (cmd.exe /params)
    /F (cmd.exe)(/params)
    /F (cmd.exe) /params
    didn’t work.

    And this does not open aterm or gimp or anything on linux. Adobe throws the file exec warning what I OK down then nothing happens (Adobe reader 9.1.2).

    Comment by boxer — Wednesday 7 April 2010 @ 1:40

  173. The test file that is supposed to run cmd.exe does not function correctly when it is opened with Acrobat reader 6.02 running on windows 98. I get this error: There was an error opening this document. The file is damaged and could not be repaired.

    Win-98 does not have cmd.exe. I copied calc.exe to cmd.exe but still got the same error. Conclusion: Windows 98 continues to be largely invulnerable to most malware, viruses, trojans, etc.

    Comment by Sum Guy — Wednesday 7 April 2010 @ 2:41

  174. […] Didier Stevens proved this concept. Read more on his blog: […]

    Pingback by Malicious PDF document on the rise | Windows, security, etc. — Wednesday 7 April 2010 @ 7:41

  175. […] Never open attachments from unsafe sources (but maybe you knew that already?) and rather press “Do not open” instead of “Open” if a message box pops up in your PDF reader. Source: https://blog.didierstevens.com/2010/03/29/escape-from-pdf/ […]

    Pingback by Hack utnytter funksjon i pdf-dokument  @  Sikkerhetsmodus — Wednesday 7 April 2010 @ 8:06

  176. What if I disable the opening of PDF File Attachments in Preference->Trust Manager?
    I suspect it will not work.

    Comment by gambit — Wednesday 7 April 2010 @ 9:10

  177. @gambit Yes, it will: https://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/

    Comment by Didier Stevens — Wednesday 7 April 2010 @ 9:18

  178. You mean it will still launch cmd.exe even though I have disabled the opening of PDF File Attachments?

    Comment by gambit — Wednesday 7 April 2010 @ 11:29

  179. @gambit. No, it will not launch. You wrote “I suspect it will not work.”, I understood you meant that the setting would not work.

    Comment by Didier Stevens — Wednesday 7 April 2010 @ 13:19

  180. […] danger, however, became clear to me today through two interesting video finds: Didier Stevens showed a few days ago, for example, how by means of a hack an executable file inside […]

    Pingback by » Warum PDFs als E-Mail-Anhang eher vermieden werden sollten | optivo E-Mail-Marketing-Blog — Wednesday 7 April 2010 @ 17:21

  181. I’ve tried posting this several times since 3/30, but it hasn’t gone through. Going to try it again, this time by obfuscating the URLs:

    Actions (including Launch) have been in the PDF spec since 1.1 (1996).

    There are many similar examples of this, including:

    – readme of vpe from 2000: www[dot]cam[dot]ctan[dot]org/tex-archive/macros/latex/contrib/vpe/vpe.txt
    – Portable Document Format (PDF) Security Analysis and Malware Threats paper www[dot]blackhat[dot]com/presentations/bh-europe-08/Filiol/Presentation/bh-eu-08-filiol.pdf#page=12
    – samples (including the one Paul mentions above) code[dot]google[dot]com/p/origami-pdf/source/browse/#hg/samples/launch

    See also:

    – esec[dot]fr[dot]sogeti[dot]com/blog/index.php?2009/06/26/68-at-least-4-ways-to-die-opening-a-pdf
    – esec[dot]fr[dot]sogeti[dot]com/blog/index.php?2009/07/06/70-is-this-pdf-malicious

    You can make other PDF viewers (such as Nuance and PDF-XChange Viewer) “vulnerable” to this by including the full path (as the spec describes) in a manner that Paul mentions in his 2nd post. I.e., include 4 backslashes for every backslash in the path.

    @Mat: you can provide the /P (insert parameters here) action to pass parameters to the file you specify in /F (path\filename)

    Comment by earthsound — Wednesday 7 April 2010 @ 18:43
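
    A defender-side check for the /Launch actions with /F and /P discussed in the comments above, as an added example that is not part of the original thread or any commenter's code. It scans uncompressed PDF objects only; the function names and the sample fragment are constructed for illustration, and names are normalized because PDF name syntax permits #xx escapes.

```python
import re

# Constructed sample: a fragment of PDF objects, not a complete PDF file.
SAMPLE = rb"""
1 0 obj
<< /Type /Catalog /OpenAction 5 0 R >>
endobj
5 0 obj
<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/k dir) >> >>
endobj
6 0 obj
<< /Type /Action /S /#4Caunch /Win << /F (C:\\Windows\\System32\\cmd.exe) >> >>
endobj
7 0 obj
<< /Type /Action /S /URI /URI (http://example.invalid/) >>
endobj
"""

NAME_RE = re.compile(rb"/[^\x00\t\n\f\r /<>\[\](){}%]+")
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}


def normalize_names(data):
    """Decode #xx escapes inside PDF names so /#4Caunch compares as /Launch."""
    def fix(m):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME_RE.sub(fix, data)


def read_literal(data, pos):
    """Decode the PDF literal string that starts at data[pos] == b'('."""
    out, depth, i = bytearray(), 0, pos
    while i < len(data):
        c = data[i]
        if c == 0x5C and i + 1 < len(data):          # backslash escape
            octal = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if octal:
                out.append(int(octal.group(0), 8) & 0xFF)
                i += 1 + len(octal.group(0))
                continue
            nxt = data[i + 1]
            if nxt not in b"\r\n":                   # backslash-newline is a continuation
                out.append(ESCAPES.get(nxt, nxt))    # \\ \( \) map to themselves
            i += 2
            continue
        if c == 0x28:                                # '(' opens or nests
            depth += 1
            if depth > 1:
                out.append(c)
        elif c == 0x29:                              # ')' closes
            depth -= 1
            if depth == 0:
                return out.decode("latin-1")
            out.append(c)
        else:
            out.append(c)
        i += 1
    return out.decode("latin-1")                     # unterminated: return what was read


def _string_after(key, body):
    """Return the literal string value that follows /key in this object, if any."""
    m = re.search(rb"/" + key + rb"\s*\(", body)
    return read_literal(body, m.end() - 1) if m else None


def find_launch_actions(pdf_bytes):
    """List every object holding a /Launch action, with its /F and /P strings."""
    data = normalize_names(pdf_bytes)
    # Objects referenced by /OpenAction run when the document is opened.
    auto = {int(n) for n in re.findall(rb"/OpenAction\s+(\d+)\s+\d+\s+R", data)}
    hits = []
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        if not re.search(rb"/S\s*/Launch(?![A-Za-z0-9])", body):
            continue
        hits.append({
            "obj": num,
            "file": _string_after(rb"F", body),      # program or document to launch
            "params": _string_after(rb"P", body),    # parameters, None when absent
            "auto": num in auto or b"/OpenAction" in body,
        })
    return hits


if __name__ == "__main__":
    for hit in find_launch_actions(SAMPLE):
        print(hit)
```

    Launch actions stored inside compressed object streams are not seen by this scan, so a clean result on such a file is not conclusive.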

  182. “I managed to make a PoC PDF to execute an embedded executable without exploiting any vulnerability!”
    Technically, no. You did have to exploit two vulnerabilities:

    1. The fact that the wording of a security alert can be altered to hide what’s actually being opened by the PDF IS a vulnerability (of the application I believe, unless the PDF spec REQUIRES you to put that text before/instead of the actual URI in any warning message, in which case it’s a vulnerability baked into the specification.)

    2. While not a vulnerability in the application or the spec, there is still the ultimate vulnerability behind the keyboard/mouse that decides to open the file. 😛

    Eliminate the first vulnerability, and the risk posed by the second vulnerability decreases (but probably not enough… 😉

    Comment by Steve K — Wednesday 7 April 2010 @ 19:00

  183. […] on the system to be hit. The discovery was made by researcher Didier Stevens, who published the news on his own blog, accompanying it with photos and video (viewable at the bottom of this article). Stevens, who has not […]

    Pingback by Nuovo allarme sicurezza per i file PDF « PC SICURO — Thursday 8 April 2010 @ 8:04

  184. […] Didier Stevens demonstrated a technique to execute an executable file embedded in a PDF without exploiting any vulnerability, […]

    Pingback by More on PDF Dangers- The Hackers Edge — Thursday 8 April 2010 @ 17:14

  185. […] “by default” (or design) flaw of the PDF format brought to light by Didier Stevens last week continues to cause much ink to flow. […]

    Pingback by Exploit PDF : Quand les Features tournent au Bug - CNIS mag — Thursday 8 April 2010 @ 19:21

  186. @earthsound: to complement your list, one of the first articles about PDF security issues related to launch actions dates back to 2000, and it was published by Adobe:

    Click to access OpenFilenAttach.pdf

    Comment by decalage — Thursday 8 April 2010 @ 20:55

  187. […] discovered this exploit; to demonstrate the truth of his discovery he published on his blog some photos and also a video in which one can observe a possible attack that could be […]

    Pingback by valkiro — Friday 9 April 2010 @ 7:42

  188. […] The Register reports that Didier Stevens, a security researcher, has demonstrated that it is possible to nest hostile executable code, a virus in short, inside a PDF document. When such a document is opened with Adobe Reader, a dialog box normally appears asking the user whether to proceed, but Stevens managed to manipulate its text so that it deceives a good part of users. Disabling Javascript is useless and it is not possible to remedy this by updating Reader, because according to Stevens this is not a vulnerability, but only a “creative use of the PDF language specifications”. A video and a demonstration PDF are available. […]

    Pingback by Occhio alla trappola: un PDF può diventare un worm « Paoblog — Friday 9 April 2010 @ 8:12

  189. […] Didier Stevens showed that it is possible to embed malicious code within .pdf files without relying on javascript. […]

    Pingback by Tech 989 Radio Spot » Blog Archive » Beware the PDF — Friday 9 April 2010 @ 10:01

  190. […] feature existed and for which Adobe Corporation is responsible, is Didier Stevens in his post, we can see how it is possible to execute code on Windows, next I am going to show you how […]

    Pingback by Puedo ejecutar lo que quiera dentro de un PDF y no es un exploit! | Realidad IT — Friday 9 April 2010 @ 19:51

  191. […] Stevens, another security expert, also ran the test using a virus from the 1980s and managed to link it with a file […]

    Pingback by Los archivos PDF pueden ser usados como virus | TengoTecno.com — Friday 9 April 2010 @ 20:11

  192. […] Stevens, another security expert, also ran the test using a virus from the 1980s and managed to link it with a file […]

    Pingback by Los archivos PDF pueden ser usados como virus | El Tecnologo X — Friday 9 April 2010 @ 20:28

  193. To Catch a PDF Hacker, You Have To Think Like One…

    Despite the improvements Adobe has developed for Acrobat and Reader, it’s still tough to stay on top of creative hackers who love to use the PDF.   To that end, security researchers like Didier Stevens finds ways to hack into an application in ord…

    Trackback by Blog — Friday 9 April 2010 @ 23:35

  194. […] Adobe has put in place a temporary solution for the problem we covered here, which allows the attacker to run a program through a pdf file, and which was revealed by the researcher Didier Stevens. […]

    Pingback by ادوبي تضع حلّ مؤقت لمشكلة التشغيل في pdf | Security 4 Arabs - مجتمع الحماية العربي — Saturday 10 April 2010 @ 1:10

  195. […] that tricks into running malicious code. Security researcher Didier Stevens has recently demonstrated how it is possible to run arbitrary files in pdf documents even though the latest […]

    Pingback by Adobe jobbar för bättre pdf-säkerhet « Prylbögens Blogg — Sunday 11 April 2010 @ 20:08

  196. […] Didier Stevens’ entire PoC exercise on his blog at https://blog.didierstevens.com/2010/03/29/escape-from-pdf/ Related Posts:Watch out for the wriggling PDF […]

    Pingback by Security expert finds a way to exploit PDF without a vulnerability | 4x PDF Blog & PDF News — Monday 12 April 2010 @ 0:59

  197. I cannot even download Didier’s PDF file for testing because my virus control software (McAfee) blocks it (containing trojan Exploit-PDF.cd). Suppose me and my organization is safe 🙂

    Comment by Ctigger — Monday 12 April 2010 @ 13:32

  198. I was unable to get this to work. I am really interested in this type of vulnerability – I helped prepare some Adobe research for the OWASP conference in Florida, and was asked to present the material to a client. Which version of Adobe were you using for this to work?

    Comment by Aaron — Monday 12 April 2010 @ 21:43

  199. […] The problem lies deep inside the PDF file format, as originally published by in this blog post. Websense Messaging and Websense Web Security customers are protected against this attack. To view […]

    Pingback by Zbot (also known as Zeus) trojan campaign spreading via email — Thursday 15 April 2010 @ 11:40

  200. […] Didier Stevens, a security professional and blogger, found a feature in the PDF file format that makes it possible to include an EXE file in a PDF and run it through well-known PDF reader programs such as Foxit Reader or Adobe Reader. This also includes running other files when opening a pdf file. For more, you can read his article “Escape from PDF” […]

    Pingback by Hati-hati dari ancaman virus (celah keamanan) file PDF | ebsoft.web.id — Thursday 15 April 2010 @ 16:52

  201. […] Another researcher, Didier Stevens, has determined how to launch from a PDF, and demonstrated it with videos of the process, found here. […]

    Pingback by Adobe Reader at the Forefront of Malware Delivery - Sister CISA CISSP — Thursday 15 April 2010 @ 18:49

  202. just to confirm above comments, the ability to embed an executable inside of a pdf has been available in metasploit for months. credit to colin ames, val smith, and dave kerb (Attack Research)

    module: http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe

    paper / presentation: http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html

    Comment by jcran — Thursday 15 April 2010 @ 19:04

  203. […] The problem lies within the PDF file format, as originally published in the post on this blog. […]

    Pingback by Alerta de Seguridad: Nueva campaña de ZBot viene en PDF « Estamos en Línea — Thursday 15 April 2010 @ 20:45

  204. […] The problem lies within the PDF file format, as originally published in the post on this blog. […]

    Pingback by Alerta de Seguridad: Nueva campaña de ZBot viene en PDF | Blinky-IT — Thursday 15 April 2010 @ 22:07

  205. […] Didier Stevens, a security professional and blogger, found a feature in the PDF file format that makes it possible to include an EXE file in a PDF and run it through well-known PDF reader programs such as Foxit Reader or Adobe Reader. This also includes running other files when opening a pdf file. For more, you can read his article “Escape from PDF” […]

    Pingback by Virus dari file berformat pdf | Duniaku — Friday 16 April 2010 @ 7:03

  206. […] the file:   The problem lies deep inside the PDF file format, as originally published by in this blog post.   Websense Messaging and Websense Web Security customers are protected against this attack. […]

    Pingback by Malicious Web Site / Malicious Code: New Zbot campaign comes in a PDF : CU*Secure — Friday 16 April 2010 @ 10:00

  207. […] does not want to believe me should simply follow this link in XP – CMD.exe is opened on its own without asking. Topics: […]

    Pingback by Datenschutz Datensicherheit IT-Grundschutz : pdf – Problematisches Dokumenten Format? — Friday 16 April 2010 @ 14:00

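  208. [Security] Thoughts on the PDF specification’s “Launch action”…

    The technique for abusing the PDF specification’s “Launch action” that Didier Stevens published on 29 March 2010 (the original article is here) has become a hot topic. When I open Didier Stevens’s PoC (zip) with Adobe Reader 9.3.1, a warning dialog is displayed, and when I click [OK], cmd.exe is execut…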

    Trackback by 思い立ったら書く日記 — Friday 16 April 2010 @ 15:30

  209. […] “alternative” PDF reader Fox-It is not necessarily any more secure than Adobe Reader. Here’s at least one person who agrees with […]

    Pingback by Friday’s Roundup « jimcofer.com — Friday 16 April 2010 @ 16:53

  210. […] intended to be used to run an application or opening or printing a document. Recently it has been discovered by a security researcher that this feature can be used to run an executable embedded within the PDF […]

    Pingback by Embedded PDF executable hack goes live in Zeus malware attacks | Zero Day | ZDNet.com — Friday 16 April 2010 @ 18:33

  211. […] The problem lies deep inside the PDF file format, as originally published by in this blog post: https://blog.didierstevens.com/2010/03/29/escape-from-pdf. […]

    Pingback by Sicherheitshinweis von Websense: Trojaner-Angriff getarnt als PDF - pressemeldungen.at — Sunday 18 April 2010 @ 19:52

  212. […] function in the PDF specification, as security researcher Dieder Stevens demonstrated in his blog. This function allows a portable document author to attach an executable file and, via social […]

    Pingback by PDF Launch Feature Abused to Carry ZeuS/ZBOT | Malware Blog | Trend Micro — Tuesday 20 April 2010 @ 9:19

  213. Didier-

    Thank you for this entry.

    On downloading PDFs from unknown sources, it got me to wondering, aside from scanning the documents, what other easy precautions non-technical users can take.

    1. First, what is PoC? A search at acronymfinder.com returned nothing relevant.

    2. If I understand you correctly, as a safety precaution, you recommend UNCHECKING “Enable Acrobat JavaScript” in Adobe Acrobat under Preferences –> JavaScript, and UNCHECKING “Allow documents to open other files and launch other applications” under Preferences –> Trust Manager, as default settings, correct?

    3. Are there other Preference settings you recommend in Acrobat to further increase security against malware? Or any other precautions with respect to PDFs?

    4. Also, with JavaScript disabled, is there an obvious notification in Acrobat if it should be required, in much the same fashion as Firefox’s NoScript extension (which I use).

    Sorry for the basic questions. Thank you, MK Ross

    Comment by MKRoss — Tuesday 20 April 2010 @ 15:35

  214. I have literally been waiting for people to wake up and speak out about this adobe hack, in fact there are some that run without you doing anything other than going to a site. It hooks right into your AcroRd32.exe and give out some nice malware. That whole windows security spoof where it would replace your security center with a fake one where all the links would send you to some website. Anyways I hope they get a handle on it.

    Comment by Christopher L BrentChase — Tuesday 20 April 2010 @ 17:41

  215. […] to demonstration by security researcher, Didier Stevens on how to exploit PDF’s launch action feature to execute any program. This was followed by […]

    Pingback by Security Blog by Nagareshwar » Blog Archive » Hackers Exploit Launch Feature of PDF to Spread the Bonets — Tuesday 20 April 2010 @ 19:25

  216. […] function in the PDF specification, as security researcher Didier Stevens demonstrated in his blog. This function allows a portable document author to attach an executable file and, via social […]

    Pingback by PDF Launch Feature Abused to Carry ZeuS/ZBOT — Wednesday 21 April 2010 @ 16:00

  217. […] the past few years I’ve done some not-so-gentle research into Adobe’s Corporate Authenticity. I share frustrations with the researcher and with Gregg Keizer’s interview regarding the ability Adobe has in answering about specifics. I […]

    Pingback by Triflex Enterprise | PDFs Exploitable?!? I’m shocked… — Thursday 22 April 2010 @ 5:20

  218. Can this be made to work on OS X Preview.app?

    Comment by kL — Thursday 22 April 2010 @ 20:01

  219. With Linux Mint 8 (Helena) with standard viewer evince nothing pops up, just the “Hell world” is shown. The same when opening with gimp 2.6.

    Comment by Investorix — Thursday 22 April 2010 @ 20:46

  220. nothing happens in okular, it just shows pdf document.
    yay linux! 😀

    Comment by w23 — Friday 23 April 2010 @ 4:56

  221. You can hex-edit the .pdf file and substitute the (cmd.exe) with another 3-letter .EXE (as long as the file is in the system path). Hex-editing might allow this exploit to launch a file under Linux or a Mac OS. I use Foxit Reader v3.1.4.1125 – the exploit worked without warning me.

    If you use a process blocker program (I use ProcessGuard v3.500), it will stop the execution of the external program.

    Comment by bumblefoot2004 — Friday 23 April 2010 @ 16:59

  222. […] Didier Stevens, a security professional and bloggers to find the features in PDF file format which allows to include files in PDF and EXE to run it through the famous PDF reader program such as Adobe Reader or Foxit Reader. Included also run other files when opening the PDF file. Learn to read his writing “Escape from PDF”. […]

    Pingback by Be careful of the virus threat (vulnerability) PDF file | eTechLife — Sunday 25 April 2010 @ 6:04

  223. Dear Steven, would you please tell me how to control the message displayed by this dialog box? It is great to social-engineer, I am eager to know it, thanks much much

    Comment by seanliu — Monday 26 April 2010 @ 5:23

  224. @MKRoss

    1) Proof of Concept
    2) Yes
    3) Yes, don’t run as local admin. Sandbox the reader.
    4) Yes

    Comment by Didier Stevens — Monday 26 April 2010 @ 9:18

  225. @jcran Egypt informed me about this just after I posted this. I’ve been in touch with Colin, he has my PoC.

    Comment by Didier Stevens — Monday 26 April 2010 @ 10:14

  226. @seanliu I will disclose my PoC in due time.

    Comment by Didier Stevens — Monday 26 April 2010 @ 10:18

  227. Dear Stevens, I am waiting every day on your blog, hope soon

    Comment by seanliu — Tuesday 27 April 2010 @ 13:42

  228. Stevens – I managed to replicate your PoC and demoed it to a client. We were shocked at how often that type of attack worked with the test group we dealt with.

    Comment by Pendraggon — Tuesday 27 April 2010 @ 15:08

  229. @Pendraggon Yes, it is scary.

    Comment by Didier Stevens — Tuesday 27 April 2010 @ 15:27

  230. […] this time, however, is that the attack uses a technique recently published by a researcher that takes advantage of the /launch command in Adobe software. Shorten URL: http://threatpost.com/en_us/O9Y. Click to copy to clipboard or post […]

    Pingback by PDF Malware Using New Attack Technique | Enhanced Computer Network Defence — Wednesday 28 April 2010 @ 21:01

  231. Does anyone know if a signature or regex could be created that looks for the /OpenAction within a PDF file? Is there really any reason that a valid PDF file should be using the /OpenAction switch? I would like to implement an IDS block for this type of signature if it won’t cause any problems with valid PDFs.

    Comment by Jay — Friday 30 April 2010 @ 18:51

  232. @Jay My PDFiD tool detects /OpenAction.

    Comment by Didier Stevens — Friday 30 April 2010 @ 21:46

  233. Hey Didier, great work finding this! I wish Adobe would get their act together and fix this glaring security hole. Alan

    Comment by Alan Pugh — Sunday 2 May 2010 @ 22:45

  234. Thanks Didier, PDFiD is a nice tool. However that still leaves the question if an IPS signature that blocks any packets that match the signature/regex “/OpenAction”, would it block a lot of perfectly valid PDFs? My plan is to implement this block on an enterprise webproxy, and email gateways. After reading your post on Disarming a PDF file it seems like adding /AA, /JS and /JavaScript to the list may also be a good idea.

    Comment by Jay — Monday 3 May 2010 @ 4:16

  235. […] makes it possible to launch an executable without making use of any vulnerability. On Didier Stevens's blog (https://blog.didierstevens.com/2010/03/29/escape-from-pdf/) you can see the details of this “feature” and even a video with the […]

    Pingback by PDF- “Visual” Malo. | PandaLabs Blog — Monday 3 May 2010 @ 9:04

  236. @Jay I’ve no statistics on this, but I’ve seen some legit PDFs with an /OpenAction, for example to move you to a particular page.

    Comment by Didier Stevens — Monday 3 May 2010 @ 15:48
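
The keyword check discussed in comments 231 to 236, as an added example that is not part of the original thread and is not PDFiD's code. It counts PDF names after undoing `#xx` hex escapes and blocks only when an automatic trigger (/OpenAction, /AA) coexists with /Launch or JavaScript, because /OpenAction alone also appears in legitimate files; the verdict policy, function names and sample bytes are assumptions constructed for illustration.

```python
import re

# Names raised in the thread (/OpenAction, /AA, /JS, /JavaScript) plus /Launch
# from the post itself.
TRIGGERS = ("/OpenAction", "/AA")
ACTIVE = ("/Launch", "/JS", "/JavaScript")

# PDF names may encode any character as #xx, so /L#61unch means /Launch.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name is "/" followed by regular characters (no whitespace, no delimiters).
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r /\[\]()<>{}%]+")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so obfuscated names compare equal to the plain form."""
    plain = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def count_names(pdf: bytes) -> dict:
    """Count exact occurrences of the watched names in the raw file bytes.

    Limitation: names inside compressed streams are not visible to a raw scan,
    and text inside string literals can produce false hits.
    """
    counts = {name: 0 for name in TRIGGERS + ACTIVE}
    for match in _NAME.finditer(pdf):
        name = decode_name(match.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(pdf: bytes) -> str:
    """Assumed gateway policy: block, review or allow."""
    counts = count_names(pdf)
    triggered = any(counts[n] for n in TRIGGERS)
    active = any(counts[n] for n in ACTIVE)
    if triggered and active:
        return "block"    # runs something automatically on open or on an event
    if active:
        return "review"   # active content with no automatic trigger seen
    return "allow"        # includes /OpenAction that only navigates to a page


# Constructed samples (not taken from any real file).
BENIGN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >>\nendobj\n"
LAUNCH = (b"1 0 obj\n<< /Type /Catalog /OpenAction "
          b"<< /Type /Action /S /L#61unch /F (cmd.exe) >> >>\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("launch", LAUNCH)):
        print(label, verdict(sample), count_names(sample))
```

A plain substring or regex match on `/Launch` misses the second sample, which is why the names are decoded before comparison.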

  237. […] is not a new idea to run an executable from within a PDF, the researcher Didier Stevens present a trick technique to make it more practical, “in the real […]

    Pingback by 0day or not today: exploit in the wild | Fortinet FortiGuard Blog — Tuesday 4 May 2010 @ 21:50

  238. […] a security researcher who has just uncovered a major flaw in the PDF format. His technique thus makes it possible to call, from a PDF, an executable that will be launched automatically by the […]

    Pingback by Une faille fatale dans le format PDF - Faiçal Le Presque Direct — Tuesday 4 May 2010 @ 22:24

  239. […] The problem lies deep inside the PDF file format. This technique is similar, but not the same, as explained in this blog post. […]

    Pingback by New Zbot campaign comes in a PDF : CU*Secure — Thursday 6 May 2010 @ 10:00

  240. […] Free ware, Security, windows | Posted on 08-05-2010 Last Month researcher Didier Stevens showed a proof, that hackers can Exploit PDF Files Without any Vulnerabilities, just by using a […]

    Pingback by Foxit PDF Reader gets Safe Mode — Saturday 8 May 2010 @ 15:05

  241. […] week, Didier Stevens (an independent security researcher) wrote a blog about a security hole in PDFs. In it he described […]

    Pingback by Launching malicious content from PDFs | Data Protection and Recovery Center — Tuesday 11 May 2010 @ 18:12

  242. […] within a PDF file without using any JavaScript and without having to exploit any vulnerabilities. Didier Steven’s Escape From PDF hack  and Jeremy Conway's POC show a way to control the message presented to the end […]

    Pingback by This Month in the Threat Webscape : CU*Secure — Friday 14 May 2010 @ 10:00

  243. I don’t know how do u make it
    but i must admit that u are a genius

    Comment by harry — Sunday 16 May 2010 @ 1:55

  244. […] Escape from PDF […]

    Pingback by chackraview.net » Blog Archive » Beware of Embedded PDF Malwares — Monday 17 May 2010 @ 1:43

  245. […] attachments. Earlier this year, security researcher Didier Stevens uncovered a PDF behavior that could be used to launch commands outside of Reader. To avoid this problem, open Edit > […]

    Pingback by Security Musings » Blog Archive » Hardening Adobe Reader — Tuesday 18 May 2010 @ 20:16

  246. I am not sure if this was posted earlier or not in any of the replies, but Adobe did suggest a solution for this
    http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html

    Comment by xaero — Thursday 20 May 2010 @ 17:48

  247. […] PDF has slipped down several rungs of the security ladder.  Security researcher Didier Stevens has published information on how PDF files can be crafted to successfully execute programs on a user’s PC […]

    Pingback by Are PDFs secure? « SecureThinking — Monday 24 May 2010 @ 17:46

  248. […] the past few years I’ve done some not-so-gentle research into Adobe’s Corporate Authenticity. I share frustrations with the researcher and with Gregg Keizer’s interview regarding the ability Adobe has in answering about specifics. I […]

    Pingback by PDFs Exploitable?!? I’m shocked… | ESET ThreatBlog — Tuesday 25 May 2010 @ 19:13

  249. […] said that Adobe’s PDF Reader will block the file from automatically opening but he warned that an […]

    Pingback by Exploiting PDF files, without a vulnerability « The FORWARD project blog — Wednesday 26 May 2010 @ 18:28

  250. […] inside the PDF file format. This technique is similar, but not the same, as explained in this blog post.   Update: In addition to the Royal Mail emails we have also seen emails that look like they […]

    Pingback by Anti-Virus & Anti-Malware website. » Malicious Web Site / Malicious Code: New Zbot campaign comes in a PDF — Tuesday 1 June 2010 @ 2:39

  251. […] A security researcher Didier Stevens says “Escape from PDF“. […]

    Pingback by A security enthusiast's Blog — Tuesday 1 June 2010 @ 8:12

  252. […] exploit being circulated in high volume through an ongoing spam campaign. The vulnerability, first blogged about by Mr. Didier Stevens on March 29, 2010, is CVE-2010-1240 and the malicious documents now exploiting this are detected by […]

    Pingback by May 2010 Threatscape: Katusha, MultiLoader botnets emerge alongside malicious PDFs | Fortinet Security Blog — Tuesday 1 June 2010 @ 19:37

  253. Seems like for now, the best idea would be to NOT USE ANY pdf readers other than online ones, like Google-reader ..

    Comment by Constantine — Friday 4 June 2010 @ 6:32

  254. […] Adobe Acrobat and Reader /Launch vulnerability, its time to consider taking mitigating steps. The proof of concept presented by Didier Stevens uses the /launch functionality that is part of the specification for PDF in order to execute […]

    Pingback by PDF Launch Vulnerability « Roger's Information Security Blog — Sunday 6 June 2010 @ 0:05

  255. […] beginning of the year several people found a “vulnerability” in the PDF format that allows arbitrary code to be run […]

    Pingback by Exe2Pdf | Misc — Monday 7 June 2010 @ 13:23

  256. Got a live malware as resume.pdf via email with the subject “New resume”. Uses “/c …” to give cmd.exe the bootstrap code. Creates and runs vbs1.vbs, vbs2.vbs, and finally a 200K exe.exe binary. I have no idea what exe.exe does – I’m sure it isn’t good.

    Comment by Stuart Gathman — Wednesday 9 June 2010 @ 5:06

  257. […] 2010 Kaimi Leave a comment Go to comments Earlier this year several people have found a “vulnerability” in PDF format, which allows arbitrary code execution on file open. Two types of the […]

    Pingback by Exe2Pdf « KD Development — Sunday 27 June 2010 @ 13:09

  258. […] Quickpost: No Escape From PDF Filed under: PDF,Quickpost,Vulnerabilities — Didier Stevens @ 18:41 Adobe has released a new Adobe Reader version with a fix for my /Launch action PoC PDF. […]

    Pingback by Quickpost: No Escape From PDF « Didier Stevens — Tuesday 29 June 2010 @ 18:41

  259. […] the PDF vulnerability was made public in late March by security researcher Didier Stevens, who fashioned a proof-of-concept attack that relied on the […]

    Pingback by The Cheap Computer Geek » Blog Archive » Adobe Reader, Acrobat updates fix 17 critical holes — Tuesday 29 June 2010 @ 21:00

  260. […] the PDF vulnerability was made public in late March by security researcher Didier Stevens, who fashioned a proof-of-concept attack that relied on the […]

    Pingback by Thai Brothers’ Sharing Blog » Blog Archive » Adobe Reader, Acrobat updates fix 17 critical holes — Wednesday 30 June 2010 @ 2:51

  261. Adobe releases emergency patch for Reader and Acrobat…

    Adobe has released an emergency update that patches at least 17 holes in its Reader and Acrobat applications. Adobe was to release patches on July 13, but since the critical vulnerabilities were actively being exploited, the company released the fixes …

    Trackback by Quick Heal Weblog — Wednesday 30 June 2010 @ 4:40

  262. […] the PDF vulnerability was made public in late March by security researcher Didier Stevens, who fashioned a proof-of-concept attack that relied on the […]

    Pingback by Adobe Reader, Acrobat updates fix 17 critical holes | Mohinder's Blog — Wednesday 30 June 2010 @ 21:39

  263. […] time, the noticeable one is /Launch vulnerability (CVE-2010-1240), which is said to be found by Didier Stevens. However, the patch is not working […]

    Pingback by Adobe fix still allows “Escape from PDF” | MEDOIX — Thursday 1 July 2010 @ 6:01

  264. […] the PDF vulnerability was made public in late March by security researcher Didier Stevens, who fashioned a proof-of-concept attack that relied on the […]

    Pingback by Adobe Reader, Acrobat updates fix 17 critical holes « The BAT Channel — Thursday 1 July 2010 @ 17:36

  265. […] the PDF vulnerability was made public in late March by security researcher Didier Stevens, who fashioned a proof-of-concept attack that relied on the […]

    Pingback by Adobe Reader, Acrobat updates fix 17 critical holes « AccessTech News — Thursday 1 July 2010 @ 17:37

  266. […] […]

    Pingback by Adobe, make my day. Disable JavaScript by default — Friday 2 July 2010 @ 12:50

  267. […] PDF /Launch vulnerability that was discovered by the researcher Didier Stevens earlier this… was a discussed in a special Norman security article in […]

    Pingback by The PDF /Launch vulnerability still lives | Data Protection and Recovery Center — Tuesday 6 July 2010 @ 10:04

  268. […] blog post titled PDF /Launch Social Engineering Attack, I mentioned that Didier Stevens had demonstrated a social engineering attack, which relied on the “/launch” functionality as described in the PDF specification (ISO […]

    Pingback by Adobe Reader and Acrobat 9.3.3 and 8.2.3 « Adobe Reader Blog — Wednesday 7 July 2010 @ 17:53

  269. […] Didier Stevens, a well-known security researcher, demonstrated a social engineering attack, which relies on the “/launch” functionality as described in the PDF specification (ISO […]

    Pingback by PDF “/Launch” Social Engineering Attack « Adobe Reader Blog — Monday 12 July 2010 @ 17:32

  270. thanx 😉

    Comment by cihip — Sunday 18 July 2010 @ 5:34

  271. @Cyber: Nuance reader still takes up 50MB, and supports things like embedded Flash video, Javascript, and who knows what else. It may be immune to this particular attack but I’ll bet there’s a list of other holes as long as your arm in there.

    Comment by Dave — Tuesday 3 August 2010 @ 14:26

  272. […] at the Black Hat security conference in Las Vegas last month. The release notes also reference a flaw detailed by researcher Didier Stevens back in March. Adobe said it is not aware of any active […]

    Pingback by Adobe Issues Acrobat, Reader Security Patches — Krebs on Security — Thursday 19 August 2010 @ 19:58

  273. Adobe Releases Emergency Update Patch…

    Admittedly, it hasn’t been great for Adobe and its flagship PDF software for the past two weeks. Adobe  Reader and Acrobat flaws have made it next to impossible to trust any incoming or web published PDFs. In response, Adobe has been rushing to pu…

    Trackback by Blog — Thursday 19 August 2010 @ 20:35

  274. Ran it on a VM via sandbox and thankfully, Foxit Reader is blocking the “cmd.exe” from opening because it's in safe reading mode.

    Comment by Dave — Thursday 19 August 2010 @ 23:51

  275. I’m not familiar with the PDF file format, could anybody else tell me how to control the message displayed in the dialog box and furthermore execute cmd.exe?

    I try to do like this:

    /F (cmd.exe \n”Message to confuse the user”)

    but it failed because Reader tries to execute an application like: cmd.exe \n”Message to confuse the user”, not only cmd.exe

    Comment by ReverseMan — Sunday 10 October 2010 @ 6:18

  276. […] second interesting fix, from the malware protection perspective, addresses the issue discovered by Didier Stevens. The issue, which I deliberately won't call a vulnerability, is due to the specifics of the PDF […]

    Pingback by Adobe, make my day. Disable JavaScript by default | Naked Security — Sunday 17 October 2010 @ 18:06

  277. […] week, Didier Stevens (an independent security researcher) wrote a blog about a security hole in PDFs. In it he described […]

    Pingback by Launching malicious content from PDFs | Naked Security — Sunday 17 October 2010 @ 18:20

  278. […] following up on an article by Didier Stevens that I read, which highlighted the ability of a PDF file […]

    Pingback by PDFId : quand le python met à nu du pdf… - K-Tux — Monday 18 October 2010 @ 11:25

  279. Hi,

    I’m on Windows Vista. I downloaded the make-pdf-embedded.py in “https://blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/” and started trying to use it.

    I put the py files and calc.exe in the same folder. I used it in this way:
    make-pdf-embedded.py -a calc.exe test.pdf

    The PDF is created but when I run it, it only says “This files embeds calc.exe” and nothing happens. No warning message even if I use the -b and -m options.

    But when I download your example file “http://didierstevens.com/files/data/launch-action-cmd.zip”, it works pretty well, I get the warning and the cmd window opens.

    Could you explain to me what I’m doing wrong please?

    Congrats for your articles and thank you for your answer.

    Comment by Charles12 — Thursday 21 October 2010 @ 20:08

  280. @Charles12 Adobe Reader doesn’t allow you to extract executable, embedded files.

    Comment by Didier Stevens — Friday 22 October 2010 @ 15:03

  281. […] any actions (Seclabs Actions 2.0 in PDF) embedded in a PDF like for instance executing commands (2010: Didier Stevens Escape From PDF). What I'm saying is that it's not only "obvious" malware that may be a […]

    Pingback by extension — Wednesday 29 December 2010 @ 16:46

  282. […] discovered a way to modify the text that appears when a file embedded in a PDF is executed. Since this discovery, a number of pieces of malware using this technique have been […]

    Pingback by Secur-IT — Thursday 6 January 2011 @ 13:25

  283. […] article summarizes the news on the “Escape from PDF” vulnerability [1], published in July 2010 by Mr. Didier Stevens, concerning PDF files […]

    Pingback by escape from PDF | Linux-backtrack.com — Saturday 19 February 2011 @ 21:19

  284. […] Escape From PDF […]

    Pingback by All PDFs are not created Equal « The Journeyler — Tuesday 15 March 2011 @ 21:32

  285. […] days the work that Didier Stevens has done to get binaries executed from a PDF document has been going around the world. The technique, if Adobe Acrobat Reader is being used, shows a message that can be, like […]

    Pingback by El peligroso mundo de los PDF | LIBROS GRATIS PDF — Sunday 27 March 2011 @ 11:38

  286. I modified Didier’s sample pdf like so:
    67 /Type /Action
    68 /S /Launch
    69 /Mac
    70
    73 >>
    74 endobj

    Tried above on Mac OS X 10.6.7 and Adobe Reader 10.0.3 and Preview 5.0.3 and it didn’t work. In Adobe Reader it threw up a window that said it couldn’t open a file. In Preview it didn’t do anything.

    Comment by Jim Kelly — Sunday 22 May 2011 @ 22:07

  287. sorry your web page snipped out most of my code 😉

    Comment by Jim Kelly — Sunday 22 May 2011 @ 22:07

  288. I first visited this blog, as a whole after I read some articles in the fit is quite interesting to read & add value

    Comment by arsavin666 — Monday 20 June 2011 @ 9:17

  289. hi bro in windows seven cant get the cmd.exe cuz im not an administrator of this pc

    Comment by micro — Thursday 15 September 2011 @ 12:53

  290. In the case of Foxit, I also did notice it executes without warning, however it doesn’t seem possible to pass parameters to whatever command you launch. If that is the case it sort of renders the vulnerability useless, what do you think?

    Comment by Übersetzung — Tuesday 27 September 2011 @ 9:14

  291. @Übersetzung No, you should have read this too: https://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/

    Comment by Didier Stevens — Tuesday 27 September 2011 @ 18:03

  292. […] associated danger, however, became clear to me today through two interesting video finds: a few days ago, for example, Didier Stevens showed how, by means of a hack, an executable file inside a […]

    Pingback by » Warum PDFs als E-Mail-Anhang eher vermieden werden sollten Campfire — Thursday 10 November 2011 @ 14:47

  293. When I try, it says this action isn't allowed by system administrator… how do I stop that?

    Comment by Anonymous — Saturday 21 January 2012 @ 22:37

  294. @Anonymous You can’t, because you are using a version where Adobe disabled this feature after I’ve reported it to them. You need to use a version released before I blogged this.

    Comment by Didier Stevens — Saturday 21 January 2012 @ 22:40

  295. This may seem like an idiotic question but how can I download a version of Adobe Reader that this will work with? :/

    Comment by Anonymous — Thursday 26 January 2012 @ 1:39

  296. I downloaded Adobe Reader 8 to try to get this to work and now it's telling me that the file is damaged and could not be opened

    Comment by Anonymous — Thursday 26 January 2012 @ 1:50

  297. Adobe has an FTP server with older versions.

    Comment by Didier Stevens — Thursday 26 January 2012 @ 7:56

  298. So if I use Adobe Reader 9.3.1 and Windows 7 this will still work?

    Comment by Anon — Friday 27 January 2012 @ 0:44

  299. I have got Adobe Reader 9.3.1 but it won't install, it throws up an error message, so does that mean this exploit is now technically impossible because it seems Adobe or Windows won't allow Adobe 9.3.1 to be installed anywhere

    Comment by Anon — Friday 27 January 2012 @ 0:48

  300. No, it does not. Windows does not prevent you from installing vulnerable apps.

    Comment by Didier Stevens — Sunday 29 January 2012 @ 7:30

  301. Calc.pdf is missing a xref entry for the font object, yet it is referenced elsewhere within the document. It never ceases to amaze me how lenient some readers are, and how that leniency sometimes affects the viability of malware.

    Sorry for the late response, I just recently started using your pdf-parser.py tool and reading your posts regarding the PDF format.

    Comment by Scott — Saturday 11 February 2012 @ 15:26

  302. Oops, edit to my last.

    It wasn’t your calc.pdf, it was the launch-action-cmd.pdf offered by a commenter.

    Comment by Scott — Saturday 11 February 2012 @ 16:16

  303. Can you make the CMD launch commands when it's run too, or does this exploit just run the cmd?

    Comment by Anonymous — Wednesday 11 April 2012 @ 13:35

  304. @Anonymous Watch the complete video, you’ll see.

    Comment by Didier Stevens — Wednesday 11 April 2012 @ 16:32

  305. […] PDF has slipped down several rungs of the security ladder.  Security researcher Didier Stevens has published information on how PDF files can be crafted to successfully execute programs on a user’s PC […]

    Pingback by Are PDFs secure? - Let's Talk security — Wednesday 29 August 2012 @ 12:06

  306. […] is already known that the recent vulnerability (Ref. Lexsi 13190) in Adobe Acrobat/Reader when handling /Launch /Action is being exploited in the wild. Since yesterday, a new spam run exploiting this vulnerability has […]

    Pingback by /Launch malware | Weblog LexsiWeblog Lexsi — Wednesday 26 September 2012 @ 13:18

  307. […] technique is the one Didier Stevens (@DidierStevens) discovered back in 2010 when he found that, if […]

    Pingback by Análisis de PDF sospechosos | Security Art Work — Monday 31 March 2014 @ 14:09

  308. […] Up to version 9.3.4 of Adobe PDF, it was also possible to run any application from a PDF, subject to a small confirmation pop-up in which one could display whatever text one wanted. (https://blog.didierstevens.com/2010/03/29/escape-from-pdf/) […]

    Pingback by Utiliser un PDF pour pirater votre boss comme un nul(l) | Pirater comme un nul(l) — Sunday 2 November 2014 @ 16:07

  309. […] days the work that Didier Stevens has done to get binaries executed from a PDF document has been going around the world. The technique, if Adobe Acrobat Reader is being used, shows a message that can be, like […]

    Pingback by El peligroso mundo del PDF — Tuesday 3 March 2015 @ 15:37

  310. […] described in the PDF format specification. The corresponding information was published on 29 March, and within a few days users began receiving messages with a […]

    Pingback by Desarrollo de las amenazas informáticas en el segundo trimestre de 2010 - Securelist — Thursday 27 August 2015 @ 8:42

  311. […] technique is the one Didier Stevens (@DidierStevens) discovered back in 2010 when he found that, if […]

    Pingback by Analicis de un Archivo PDF malicioso | Blog Informatica — Monday 2 November 2015 @ 2:52

  312. […] Didier Stevens. (2010). Escape From PDF. Retrieved from https://blog.didierstevens.com/2010/03/29/escape-from-pdf/ […]

    Pingback by Analyse d’une attaque par courriel de type reverse shell – Projets en cours — Wednesday 21 June 2017 @ 4:32

