Are PDF’s Worm-able?
Posted by jeremy on April 1st, 2010
Yesterday I posted about a thought I had that expanded upon Didier Stevens' Escape From PDF built-in feature discovery, where he executed an embedded executable binary using some crafty hacking. My thought was that it may very well be possible to launch an attack internally from one PDF onto another already existing PDF. I emailed Didier with my idea and some of the specifics, and he said it was definitely possible. So I decided to try my luck at creating a proof of concept and created this video to demonstrate it:
Before you ask: no, I will not be disclosing the internal code that makes this possible, nor will I be sharing the PDFs from the proof of concept with the general public. Didier has already informed all of the relevant vendors about this issue, and my proof of concept is just an expansion of his work, so there is no need for me to beat the vendors up with the same issue. If the vendors figure out a method to prevent Didier's example, that same fix will stop this proof of concept as well. With all that being said, I look forward to receiving your comments and feedback, and I hope you enjoyed the video. Oh, and no, this is not an APRIL FOOLS' JOKE…
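The post deliberately withholds its PoC, so what follows is an added example from the editor, not Jeremy's code and not a reconstruction of it. It shows the defensive side of the same PDF feature: a scanner that flags PDFs whose document catalog carries an /OpenAction wired to a /Launch (or other externally acting) action, undoes the #xx name-escaping trick that hides such keys from naive grep, and counts incremental updates (each appended update adds another %%EOF and a /Prev entry), which is how a "benign" PDF modified after the fact would typically look. The two sample PDFs, the placeholder target "app.exe", and the function names are all constructed for this illustration; the samples omit xref tables for brevity, so they are scanner fodder rather than files a viewer would render.

```python
"""Added example: scan PDFs for auto-run Launch/URI actions and incremental updates.

Editor-added illustration, not the original post's undisclosed PoC. The two
sample PDFs below are constructed inline (xref tables omitted for brevity).
"""
import os
import re
import sys

# Constructed sample standing in for the benign "empty.pdf": one blank page, no actions.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample of the same file after an incremental update: a replacement
# catalog object is appended with an /OpenAction pointing at a /Launch action.
# "app.exe" is a placeholder target, not anything taken from the original post.
MODIFIED_PDF = BENIGN_PDF + b"""1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /F (app.exe) >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Action subtypes that reach outside the document when triggered.
ACTION_RE = re.compile(rb"/S\s*/(Launch|URI|JavaScript|GoToR|SubmitForm)\b")
OPENACTION_RE = re.compile(rb"/OpenAction\b")
EOF_RE = re.compile(rb"%%EOF")
PREV_RE = re.compile(rb"/Prev\s+\d+")
NAME_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names so that /#4Caunch is seen as /Launch."""
    return NAME_HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return indicators of auto-run actions and of after-the-fact modification."""
    data = normalize_names(data)
    actions = sorted({m.group(1).decode() for m in ACTION_RE.finditer(data)})
    return {
        "actions": actions,
        "has_open_action": OPENACTION_RE.search(data) is not None,
        # Every appended update adds another %%EOF; a pristine file has exactly one.
        "incremental_updates": max(len(EOF_RE.findall(data)) - 1, 0),
        "has_prev_xref": PREV_RE.search(data) is not None,
    }


def risk_level(report: dict) -> str:
    """Launch wired to OpenAction is the worm case; other actions or updates merit a look."""
    if "Launch" in report["actions"] and report["has_open_action"]:
        return "high"
    if report["actions"] or report["incremental_updates"]:
        return "medium"
    return "low"


def scan_directory(root: str) -> list:
    """Walk a tree and report on every .pdf found (the same listing a worm would need)."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".pdf"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    report = scan_pdf(fh.read())
                results.append((path, risk_level(report), report))
    return results


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("modified", MODIFIED_PDF)):
        print(label, risk_level(scan_pdf(blob)), scan_pdf(blob))
    for path, level, report in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(level, path, report["actions"])
```

Two caveats a practitioner should keep in mind. A flat byte scan misses objects stored inside compressed object streams (/ObjStm, PDF 1.5 and later) and anything in an encrypted file, so a serious scanner inflates FlateDecode streams first, as Didier Stevens' pdfid/pdf-parser tools do. And the incremental-update count is only a heuristic: legitimate editors append updates too, so treat it as a reason to diff against a known-good copy rather than as a verdict on its own.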
April 2nd, 2010 at 4:42 am
Nice work, Jeremy. That's the next logical step in building upon PDF's weakness, and I do hope that Adobe & Co. think hard about their measures to prevent it from becoming a widespread backdoor. IMHO, opening external apps and docs via the shell should be disabled by default in all viewers, and permissions should be explicitly granted on a per-directory (or URI) basis, similar to IE's trusted sites concept.
April 3rd, 2010 at 11:01 am
[...] This post was mentioned on Twitter by Sandro Süffert. Sandro Süffert said: Are PDF’s Worm-able? | http://www.sudosecure.net/archives/636 (with Video Demo) <= Scary and very likely.. [...]
April 4th, 2010 at 11:44 am
[...] devised a new "twist" on the way hackers can attack. See more information and the video clip at [...]
April 4th, 2010 at 7:07 pm
[...] Are PDF’s Worm-able? [...]
April 5th, 2010 at 9:59 am
[...] of his work, so there is no need for me to beat the vendors up with the same issue,” said [...]
April 5th, 2010 at 5:58 pm
Cool.
Do you need to know the target PDF file names in order to pull this off? Or, could one simply modify *.pdf on a system?
April 5th, 2010 at 6:08 pm
No you don’t need to know the PDF file name to pull this off, but in my simple PoC I did hardcode the name. To really make this expandable logic for doing a directory listing just needs to be added, which is actually fairly trivial to pull off.
April 5th, 2010 at 6:42 pm
[...] on the above, the people at Sudosecure managed to make one PDF infect another, as shown in this [...]
April 5th, 2010 at 9:22 pm
[...] (Credit: Jeremy Conway/NitroSecurity) [...]
April 5th, 2010 at 10:56 pm
Not difficult in the slightest if someone knows a bit about programming and reads the pdf specification. There has been a metasploit module out for quite a while that uses portions of this technique. I was more impressed with the exploit on foxit.
April 6th, 2010 at 1:14 pm
[...] another researcher has posted a video showing that it’s possible to launch an attack internally from one PDF onto another already [...]
April 6th, 2010 at 1:30 pm
[...] unconfirmed research by Jeremy Conway displays the potential for a PDF worm making the vector rapidly scalable across anyone’s network. Jeremy sums up the [...]
April 6th, 2010 at 3:12 pm
Hello, good job. I created something similar a few months ago … are you using some default Windows "features" for this exploit?
April 6th, 2010 at 3:37 pm
@Ivan It's not an exploit, just a creative use of the PDF specification. No Windows features either.
April 6th, 2010 at 7:49 pm
I made similar POC. => http://www.youtube.com/watch?v=Cn0j1eJ0FxY
April 6th, 2010 at 8:02 pm
@yunsoul Very nice… Everyone that has emailed me for specifics I have directed them to the PDF specifications guide, as that is all that is really needed to get started. Add that with some creative scripting and we have one nasty mess on our hands. Again great POC and I really like how you infected two PDF files.
April 6th, 2010 at 10:23 pm
Does this mean that Foxit is also vulnerable? Or is it just Adobe?
Thnx
Philip
April 6th, 2010 at 11:00 pm
[...] into the wild: Acrobat PDF files can be used as viruses: Jeremy of sudosecure.net has demonstrated a proof of concept of a PDF virus: a malicious PDF containing an embedded executable which modifies other PDFs to include [...]
April 7th, 2010 at 6:40 am
@philip It works with Foxit as well. Didier Stevens has some good info here with regards to Foxit’s update and how it changed his POC: Didier Stevens Blog
April 7th, 2010 at 7:08 am
[...] Conway, product manager at Nitro Security, has put a new proof of concept of a dangerous PDF exploit online. In it he builds on the findings of [...]
April 7th, 2010 at 11:21 am
[...] Jeremy of SudoSecure.net built, on the basis of this hack, a worm that propagates from PDF to PDF: [...]
April 8th, 2010 at 3:31 am
[...] The vulnerability can also, in principle, be exploited to spread PDF worms, as demonstrated in a video from blogger Jeremy Conway. The vendor is advising users to deactivate the "Allow opening of [...]
April 8th, 2010 at 4:57 am
[...] security expert Didier Stevens has been adapted by fellow researcher Jeremy Conway to give PDF files an infection function. No JavaScript is needed for that; the PDF format suffices. Conway gives no details or code [...]
April 8th, 2010 at 9:10 am
[...] I decided to make my own proof of concept which can be seen in a video on my personal blog here: Are PDFs Worm-Able. In this proof of concept I have one benign PDF document titled “empty.pdf” and another evil [...]
April 8th, 2010 at 11:01 am
[...] a technique by which code executed in one PDF can modify another “safe” PDF. His demonstration changes the other PDF so it launches a Web page at the sudosecure.net security blog. Conway [...]
April 9th, 2010 at 2:12 am
[...] to the user: a PDF document becomes, in short, a worm. The full explanation and the video are here on Sudosecure.net (a very apt name, given that this flaw will surely make many people sweat [...]
April 9th, 2010 at 2:06 pm
[...] Conway, security specialist and writer at sudosecure.net, has demonstrated and proven that executable viruses can be embedded inside Adobe Reader files, or as most of us know them, [...]
April 20th, 2010 at 1:26 pm
[...] on how to exploit PDF’s launch action feature to execute any program. This was followed by Proof-of-concept by Jeremy Conway, product manager at NitroSecurity showing how to perform such an attack in action. [...]
April 25th, 2010 at 2:53 am
[...] Yesterday I posted about a thought I had that expanded upon Didier Stevens' Escape From PDF built-in feature discovery, where he executed an embedded executable binary using some crafty hacking. My thought was that it may very well be possible to launch an attack internally from one PDF onto another already existing PDF. I [. . . ] Original article URL http://www.sudosecure.net/archives/636 [...]
May 3rd, 2010 at 9:52 am
[...] View full post on sudosecure.net [...]
May 14th, 2010 at 4:00 am
[...] having to exploit any vulnerabilities. Didier Stevens' Escape From PDF hack and Jeremy Conway's POC show a way to control the message presented to the end user. When combined with clever social [...]
May 26th, 2010 at 12:28 pm
[...] few days later another researcher Jeremy Conway posted an attack showing that PDFs are “wormable”. It’s possible to launch an attack [...]