sudosecure.net

              is anything truly secure…

Another Proof of Concept

Posted by jeremy on April 6th, 2010

Just a few minutes ago I learned via a comment submitted on my “Are PDFs Worm-Able?” posting that another proof of concept was created performing the same style of attack.  Have a look for yourself:

As you can see, YunSoul demonstrates this attack can be conducted on multiple PDF files, just as I claimed.  I provided no help and/or guidance to YunSoul and this was the first interaction I had with him, so it clearly demonstrates how easy this attack is to pull off and how likely it is that we will soon see malicious code writers taking advantage of this creative use of the PDF specification.  YunSoul also has a blog posting regarding his proof of concept here: PDF.  I couldn’t get Google Translate to translate the blog posting, so I don’t know what the specifics are.  If I have time I will try to read it later with another translator service.

Another point I would like to make is that these hacks do not require the Launch action to work, as any application or program that has write access permissions could be utilized to perform the misuse of the incremental update feature in a PDF.  The reason I chose to use the Launch action is I figured it was a nice complement to Didier’s original proof of concept.  I wrote a little more about another use case that could utilize the incremental update feature in a malicious way here: Clarifying and Dealing with the Recent PDF Hackery.
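A defender-side check for the point above, as an added example (not code from this post or from either proof of concept): it splits a PDF into its incremental-update revisions at each `%%EOF` marker and reports any revision after the first that introduces a `/Launch` action. The sample bytes are constructed and the function names are hypothetical; a raw-byte scan like this does not see names inside compressed object streams.

```python
import re

# Each revision of a PDF (the original body and every incremental update) ends
# with its own %%EOF marker. Heuristic only: signing and form saving also
# append updates, and the marker can occur inside stream data.
EOF_MARK = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n)?")
LAUNCH = re.compile(rb"/S\s*/Launch\b")

def split_revisions(data):
    """Return (revisions, trailing); revision 0 is the file as first written."""
    revisions, start = [], 0
    for m in EOF_MARK.finditer(data):
        revisions.append(data[start:m.end()])
        start = m.end()
    return revisions, data[start:]  # trailing = bytes after the final %%EOF

def audit_pdf(data):
    """Summarise revisions and where a /Launch action first shows up."""
    revisions, trailing = split_revisions(data)
    report = {
        "revisions": len(revisions),
        "update_sizes": [len(r) for r in revisions[1:]],
        "trailing_bytes": len(trailing),
        "launch_in_original": False,
        "launch_in_update": [],  # indexes of appended revisions with /Launch
    }
    for idx, rev in enumerate(revisions):
        if LAUNCH.search(rev):
            if idx == 0:
                report["launch_in_original"] = True
            else:
                report["launch_in_update"].append(idx)
    return report

# Constructed sample data: a skeletal document and one appended update.
# Offsets are dummies and the /F value is an inert placeholder.
BASE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        b"xref\n0 3\ntrailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n")
UPDATE = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /Type /Action /S /Launch /F (PLACEHOLDER) >>\nendobj\n"
          b"xref\n0 4\ntrailer\n<< /Size 4 /Root 1 0 R /Prev 0 >>\n"
          b"startxref\n0\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("original", BASE), ("updated", BASE + UPDATE)):
        print(label, audit_pdf(blob))
```

A file whose only `/Launch` action sits in an appended revision was modified after it was first written, which is the pattern worth triaging; comparing revision counts against a known-good copy catches updates that carry no Launch action at all.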

8 Responses to “Another Proof of Concept”

  1. Plaats hier software gerelateerd nieuws! - Page 19 Says:

    [...] [...]

  2. Launching malicious content from PDFs - VirusDB.INFO Says:

    [...] on from Didier’s blog other researchers (Jeremy Conway and YunSoul [Note: Bablefish translation Korean to [...]

  3. Launching malicious content from PDFs | Random Chaos Says:

    [...] on from Didier’s blog other researchers (Jeremy Conway and YunSoul [Note: Bablefish translation Korean to English]) have shown how to use this [...]

  4. Jeremy Allen Says:

    We (Intrepidus Group) released a PoC for embedding an executable in PDFs today: http://intrepidusgroup.com/insight/2010/04/an-executable-wolf-in-a-pdf-sheeps-clothing/.

  5. Hack In The Box » Launching malicious content from PDFs Says:

    [...] on from Didier’s blog other researchers (Jeremy Conway and YunSoul [Note: Bablefish translation Korean to English]) have shown how to use this [...]

  6. Un'altra prova di concetto Says:

    [...] A few minutes ago I learned via a comment submitted on my "Are PDFs Worm-Able?" posting that another proof of concept was created performing the same style of attack. Have a look for yourself: As you can see, YunSoul demonstrates this attack can be conducted on multiple PDF files, just as I claimed. I provided [. . . ] Original article URL http://www.sudosecure.net/archives/653 [...]

  7. Another Proof of Concept | Computer Security Articles Says:

    [...] View full post on sudosecure.net [...]

  8. Launching malicious content from PDFs | Data Protection and Recovery Center Says:

    [...] on from Didier’s blog other researchers (Jeremy Conway and YunSoul [Note: Bablefish translation Korean to English]) have shown how to use this [...]
