Aditya k sood aka 0kn0ck sec niche security
This presentation is the property of its rightful owner.
Sponsored Links
1 / 61

Vulnerability Vectors in PDF Synthesizing PDF Attacks PowerPoint PPT Presentation


  • 60 Views
  • Uploaded on
  • Presentation posted in: General

Aditya K Sood aka 0kn0ck Sec Niche Security. Vulnerability Vectors in PDF Synthesizing PDF Attacks. PDF. EU-Sec-West London , UK [2008]. Vulnerable Vectors in PDF. EU-Sec-West 2008 , UK. [[email protected]]# whoami. Background = Independent Security Researcher.

Download Presentation

Vulnerability Vectors in PDF Synthesizing PDF Attacks

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Aditya k sood aka 0kn0ck sec niche security

Aditya K Sood aka 0kn0ck

Sec Niche Security

Vulnerability Vectors in PDFSynthesizing PDF Attacks

PDF

EU-Sec-West London , UK [2008]

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Root@0kn0ck whoami

[[email protected]]# whoami

Background = Independent Security Researcher.

Founder , Sec Niche Security. [http://www.secniche.org]

Front End = Works for KPMG Consulting

IS Author Hakin9 , USENIX ;login

Released Advisories : Yahoo , AOL , MSN , Google , Verisign , Microsoft etc.

Projects:

MLabs , CERA , TrioSec

Rest Google Me Out !

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Thanks to dl psirt

Thanks to DL - PSIRT

Adobe Product Security Incident Response Team

For Contacting and Sharing Thoughts Over Talk.

Coordinated for Responsible Disclosure and Product Security

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

The Application Bug Anatomy

Given Enough Eye Balls , All Bugs are Shallow .

[ Eric Raymond – The Cathedral and Bazaar ]

Many Eye Balls Misses the Point All Together .

Bug Matrix is Hard to Diminish .

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

The Realm of Application Security

The Paradigm : Squared Approach

Privacy

Security

Application Quality

Reliability

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application : Exploitation Shift

1. Understanding the Shift . Why it is Happening ? ?

2. Memory Corruptions are Hard to Exploit.

3. Diversified Infection Vectors in Application Realm.

4. Cross Referenced Matrix Technologies.

5. Development of Complex System Security Structures.

6. Applications Provide an Interface to System Insecurities.

7. System Vulnerabilities : Vendors Red Alert.

8. Application Exploitation == Feature Manipulation.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Traversing along Talk

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Dissecting PDF Internals

Breaking The Hidden.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

Understanding The Crux.

1. COS – Common Object Structure Model

The incore model of PDF documents.

2. The Component Design of Predefined Symbols.

Symbols define the component layout in the document.

3. Cross Reference Table and Object Abstraction.

The cross functional dependency and object layout.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

COS Object Model

1. Layered Based Structure with Hierarchical Layout.

2. Base Depends on Raw Data , Tree Model is Implemented.

3. Model(Tree) = Object(Child) + Object(Nodes)‏

Objects are Applied as Child and Nodes.

4. Modelling of Objects is Undertaken from Node to Child.

5. The Tree Head Object is Document Catalog.

The Tree starts from this Head Node.

6. Layers Govern the Functionality of Objects Designed.

7. Interfacial Layer Arrangement is there.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

COS Object Model : Object Types

Looking at Explicit Definition:

1. Direct Objects

The Reference Vector is NULL. No Reference.

2. Indirect Objects

References are Uphold in these Objects. Reference Oriented.

3. Container Objects

Hold References to Other Objects. Specification is Different.

4. Notable Exceptions are Implemented.

5. Base Module is Array. Objects are Structured Over it.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

COS Object Model : Representation

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

The Internal Layout : One Step Ahead

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

The Functional Layout

1. Object Functionality = Inheriting Properties from Root.

2. Properties are Globally Applicable.

3. Versatility in Object Designing. Backward Compatibility.

4. Properties(Object) == Arrays , Strings , Dictionary etc.

5. Process( Document Designing) == Document Drafting.

6. COS Object Tree Supports Custom Object Types.

Note :PDF Capabilities Can Be Altered By Anyone Following

Custom Object Model.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

The Object Symbols

1. Symbols Comprise of Internal Entity of Root Tree.

2. Dissects The Working Functionality Type.

3. Reversing(PDF Doc) == Symbols Required.

4. The Symbols

4.1 Document Catalog.

4.2 Annotation Objects.

4.3 Page Object.

4.4 Indirect Object Indication.

4.5 Pages Object.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Cross Reference Table and Object Abstraction

  • Objects placement in XREF Table

  • 1. The number of objects in the document.

  • 2. The offsets that are defined for it.

  • 3. The cross reference table is always placed at the end of file.

  • 4. The parameter of cross reference table is XREF.

  • 5. The table holds the object count on Zero Based Indexing ie

  • from 0 to [N]

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Classification of Objects in XREF Table

  • Offset objects are called by { n,f} parameter in the cross

  • reference table i.e. XREF of the objects.

  • In this XREF table the :

  • 1. [n] The parameter n is used to reference the used bytes for

  • object and specific offset related to it.

  • 2. [f] The parameter f is used to reference the unused bytes

  • related to the specific object.

  • 3.Offsets are always picked from the staring offset of the

  • document file for reducing complexity

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Classification of Objects in XREF Table

A Generic View of XREF Objects

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Classification of Objects in XREF Table

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Objects Design in PDF

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Objects Design in PDF

  • 1. The object starts with an object number. The 55,56 etc are

  • the object numbers which get cross linked for the available

  • byte space in the table and interferes into functioning.

  • 2. The third party linking is specified in this. The URI linking is

  • clear in its context.

  • 3. The other specification used like obj<<....<<subtype is for

  • COS Object Modelling.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Type of Objects Used

  • Integer - in the file as a number without a decimal point.

  • 1. Boolean – [True || False]

  • 2. Real Number -

  • 3. Name - in the file as '/text'

  • 4. String - in the file as either '(...characters...)' or

  • '<...hexadecimal character codes...>' .

  • 5. Dictionary - in the file as '<<...other objects...>>' .

  • Dictionary entries are always in pairs, a Name Object

  • followed by any other object type.

  • 6. Array - in the file as '[...other objects...]'.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Type of Objects Used

  • 7. Stream – Object

  • Object Type is complex.

  • Streams are Indirect Objects.

  • Stream Objects use Object References.

  • Fused with Dictionary Objects.

  • Dictionary Object Carry Information for Accessing Bytes.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Root Model Layout

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Structural Components of PDF

  • Breaking in Internals

  • Hit the PDF internals with PDF CAN Opener !

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks Anatomy

  • Why These Attacks Persist || Supporting Factors.

  • 1. User or Client Ignorance to technology.

  • 2. Version Compatibility Problems.

  • 3. No Upgrade in Software's used for Working.

  • 4. Use of OLD version of Software's.

  • 5. Feature Manipulation for Rogue Purposes.

  • 6. Interdependency in System and Software Functionality.

  • 7. Complexity in Architectures.

  • Even Adobe Acrobat Implements Security Mechanisms in all

  • Versions 6.0 / 7.0 / 8.0

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks Anatomy

  • Little JavaScript Info Sheet

  • 1. HTML JavaScript !== Acrobat JavaScript

  • 2. ACRO JS cannot Access HTML JS Objects and Vice Versa.

  • 3. Objects (ACRO JS) == app , doc , annotations etc.

  • 4. Objects (HTML JS) == window , document etc.

  • 5. Both do not have Inheritance Capabilities.

  • 6. Objects have individualistic properties. No Cross Access.

  • 7. ACRO JS is extracted from ECMA Script.

  • 8. APP object is the main Information Object of ACRO JS.

  • Critical !

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks Anatomy

  • A Thought.

  • Its not a 0 Day

  • PDF is all about EVERDAY.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • PDF Act as Launch Pad

  • Attacks Depend on Acrobat Versions

  • 1. Easy to Manipulate for Third Party Attacks.

  • 2. Heavily Use of JavaScript for Extensible Functionality.

  • 3. Attacks Modes are Easy to Trigger.

  • 4. Client Side Attacks are Quite Easy.

  • 5. Low Level Software Vulnerabilities.

  • 6. Affecting and Hitting Browsers at Core.

  • 7. Well Defined Support for Pluggable Protocol Handlers

  • 8. Applied in a Versatile Manner.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Synthesizing Application Level Attacks in PDF

  • FUSED DEMONSTRATIONS

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • CLIENT on the Verge

  • What is Going to Happen to ME ????

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Implemented Security Model in Acrobat PDF

  • JavaScript Driven

  • 1. Execution in Privileged Mode.

  • Methods : Console / Batch / Application etc.

  • 2. Execution in Unprivileged Mode.

  • Methods : Page Open / Mouse Events etc.

  • 3. Contexts Levels = Doc / Batch / Page / Folder / Field

  • Number of Attacks are Useless while Execution due to

  • Implemented Security.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • PDF Act as Launch Pad : Attack Vectors

  • 1. XSS Checks in PDF and Alerts. [Input Checks]

  • 2. JavaScript Infection Model. [Interim Attack Base ]

  • 3. Malicious SOAP Access.

  • 4. PDF Backdoor Anatomy.

  • 5. PHISHING.

  • 6. Attack comprising Pluggable Protocol Handlers.

  • 7. PDF Spamming

  • 8. Local Area Network Infections through PDF.

  • 9. Rogue PDF Designing through SDK

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Testing Application Strategy : PDF

  • 1. Direct JavaScript Insertion

  • JS Files are Globally executable at Folder Access

  • 2. Binding JavaScript to a Control in PDF. [ cExec = “” ]

  • Dynamically Execution through a Control in PDF

  • 3. Both Strategies are Equally Driven.

  • 4. Output Can be Seen When PDF is Opened at System Level.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • XSS Checks in PDF

  • 1. Prone to XSS Attacks.

  • 2. Interim use of ALERT Object through JavaScript.

  • 3. OPEN PDF Parameters.

  • 4. Universal XSS at Core. Globally Applicable in PDF.

  • 5. JavaScript (PDF) != JavaScript (HTML)

  • Different in Specifications and Usage

  • 6. Triggered through Input Parameters mainly.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • XSS / Alert Checks in PDF

  • function foo()// Normal Layout

  • {

  • alert(“Object”);

  • }

  • function foo() // Adobe JavaScript

  • {

  • app.alert(“ JavaScript Test Possible”);

  • }

  • PDF Document Opened in Browser and Adobe Reader have

  • Different Functionalities.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Open PDF Parameters

  • 1. Command Line Control to Users.

  • 2. Arguments are Passed through URL Directly.

  • Two Ways:

  • 1. Passing Parameters Directly.

  • 2. Passing Parameters through URL.

  • URL Delimiters:

  • 1. [ # ] http://www.target.org/doc.pdf #tag =1

  • 2. | & | http://www.target.org/doc.pdf #tag =1 & arg = 2

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Open PDF Parameters

  • FDF option is used often by attackers .

  • It specifies a FDF file to be used to populate form fields in the

  • PDF file being opened. It is used with same pattern

  • Example: # fdf =[Target URL]

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Open PDF Parameters

  • Referenced from Advisory Release on PDF

  • http://[Target]/[File].pdf#########

  • http://[Site Name]/[File].pdf#fdf=[Target]

  • http://[Site Name]/[File].pdf#fdf=[Target]

  • http://[SiteName]/[File].pdf#FDF=javascript:document.write()

  • 1. Acrobat 7.0 Issue.

  • 2. Attacks Feasible for running in Older Versions.

  • 3. Not work effectively on Latest Versions.

  • 4. Browser Dependency is there. Interpretation of URL

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Identity Checks in PDF – DEMONSTRATION

  • 1. Acrobat Version 6.0 == Undefined.

  • 2. Acrobat Version 7.0 == User Name

  • 3. Acrobat Version 8.0 == User Name

User that is

Logged in to the system

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • PDF Backdoor Designing

  • 1. PDF perform stringent functions when opened.

  • 2. Used Adobe Based Malicious JavaScript's.

  • 3. Designing PDF with Embedded Rogue Links.

  • 4. PDF SDK is used for Crafting a Malicious PDF File.

  • 5. Direct Interpreting in Text Editor.

  • 6. Manipulating Objects in PDF File Directly.

  • 7. Binding JavaScript’s to the Various Objects i.e. Buttons.

  • 8. Form Type Submissions / Content Downloading / Links.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • PDF Backdoor : DEMONSTRATION

Backdoor Requested

for Hacked.com

while PDF is opened

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Triggering Events through Pluggable Protocol Handlers.

  • 1. Affected Browsers at Core.

  • 2. Third Party Event Generation through PDF.

  • 3. Prime Source of Number of Attacks.

  • 4. Working Dependency between Two Software's.

  • 5. Base for PHISHING Attacks.

  • mailto: / file: / ftp: / telnet: / view-source: /chrome:

  • gopher: / http: / https: / JavaScript: / news: / res:

  • Security Restrictions are Applied ! Version Specific.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Working Approach of Pluggable Protocol Handlers.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Triggering Events through PPH : DEMONSTRATION

  • 1. PH1SHING Attacks.

  • 2. Reading Files Locally | Remotely

  • 3. Mailto: Support Check

Directed by PDF

to Read YServer.txt

File.

Well One can do it

Remotely too

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

Memory Exhaustion - PDF : NO DEMONSTRATION

1. PDF Can be used as Memory Exhaustion Base.

Attack Vector is Direct.

2. PDF can Direct Browser to exhaust Memory.

Attack Vector is Indirect

The Target Base is PDF

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

FORM Submissions - DEMONSTRATION

1. FORM can be Submitted Easily with POST Request.

2. Downloading Content Directly.

3. Making PDF a Garbage Files.

Security Warning in

issued in

Latest Versions

Still Works on Older

Versions

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

Local Denial of Service – PDF DEMONSTRATION

1. Very Easy to Trigger.

2. Specific Malicious JS file can do the Trick.

3. Affect Document Opening at Full.

4. Client Side Functionality is Lowered Down.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Executing System Files : DEMONSTRATION

  • System Files Can be Executed from Core.

Executable Request is

Generated by PDF through

IE Browser that Executes

The FILE

A Security Warning can

be generated , So a Less

Reliable from Attack

Point of View

Till a Proper Vulnerability

is Exploited

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • The Reality :-

  • 1. Number of Attacks Failed in Acrobat with diff Versions.

  • 2. Software Version Plays Critical Role.

  • 3. Security Restrictions Applied on Methods.

  • 4. Game of Privileged / Non Privileged Execution.

  • 5. Dependency on Ingrained Vulnerabilities.

  • 6. Acrobat 8.0 does not support Methods which Acrobat 7.0 does

  • The Attackers Night Mare | Security Driven

  • NotAllowedError: Security settings prevent access to this

  • property or method.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Restricted Functions in – Non Privileged Mode

  • 1. ADBC.newConnection.

  • 2. app.addMenuItem / app.addSubMenu

  • 3. app.getPath / app.newDoc / app.openDoc

  • 4. app.launchURL

  • There are lot more like that. Most of the attacks use these feature

  • to manipulate the normal functioning.

  • Security Restrictions applied Lay off the Attacks.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • How to make Attacks more Sustainable : Attackers View Point

  • 1. Finding Requisite Vulnerability : Hard Process.

  • 2. Exploiting the Trusted Behaviour

  • Designing Trusted Wrapper Functions with Restricted Codes.

  • 3. PDF SDK Plays a Generic Role.

  • 4. Dethroning the NOT ALLOWED ERROR in PDF.

  • 5. Restricted Methods can be Called Easily.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Exploiting TRUST through JavaScript Dynamically

  • Bypassing the Security Restrictions in PDF

  • 1. Crafting a Trusted Wrapper Function with app.Trusted()

  • 2. Inject app.beginPriv() and app.endPriv().

  • 3. Specify the Code between these privileged contexts.

  • trustedDoc = app.trustedFunction( function (width , height)

  • {

  • app.beginPriv();

  • var trustedDoc = app.newDoc(width,height);

  • app.endPriv();

  • return trustedDoc;

  • })

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • Exploiting TRUST Behaviour in PDF : DEMONSTRATION

  • Step 1 : Running a app.newDoc function directly [ 7.0 / 8.0 ]

  • Step 2 : Injected through Trusted Wrapper Function

ACR10.tmp file is created

without any Error

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • SPAMMED PDF : DEMONSTRATION

  • 1. Designed through PDF SDK for Rogue Purposes.

  • 2. Distributed Along Mail Applications.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Application Attacks in PDF

  • SOAP – ADBC / ODBC Checks:

  • 1. Querying the Local Database through System ODBC.

  • 2. Easy to Enumerate the Running Databases.

  • 3. Web Services Play a Crucial Part in Holding Information.

  • 4. Holding Data at Port 80 for incoming Connection.

  • 5. Connecting through Client to Port 80 to Access XML Data

  • through SOAP Access.

  • ADBC.newConnection / ADBC.getDataSourceList()

  • Follow the Trusted Wrapper Paradigm

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Software and Low Level Insecurities

  • 1. Software Inconsistencies due to Exceptions.

  • 2. Exceptional Behaviour in Handling Crafted JS Files.

  • 3. Designing Call Back functions to Bypass things.

  • 4. Memory Corruptions / Memory Exhaustions.

  • Finding an Internal Vulnerable function.

  • CVE 2008 – 2042 | Adobe Security Bulletins

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Digging inside PDF

  • Further Research:

  • 1. Storing Files inside PDF.

  • 2. Exploiting ADBC Functionality in a Stringent Manner.

  • 3. JavaScript for Analyzing in core PDF Software Responses.

  • 4. PDF affect on System Optimization and Behaviour.

  • 5. Finding Vulnerabilities and Software Issues.

  • 6. Attaining Robustness in PDF Applications.

  • 7. PDF Affect on Operating System Security.

  • 8. So on && on && on ….

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Resources at CORE

  • References:

  • 1. Adobe JavaScript:

  • http://www.adobe.com/devnet/acrobat/javascript.html

  • 2. Wind Jack Solution : Resources on PDF

  • http://www.windjack.com/

  • 3. Backdooring PDF Files

  • http://michaeldaw.org/md-hacks/backdooring-pdf-files/

  • 4. Security Bulletins of Adobe

  • http://www.adobe.com/support/security/

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

Questions / Queries

  • Sharing the Knowledge and Research.

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


Vulnerability vectors in pdf synthesizing pdf attacks

  • [[email protected]]# ./thanks

Vulnerable Vectors in PDF

EU-Sec-West 2008 , UK


  • Login