The dangerous world of PDF

In this excellent post that came out today on Follow-Info, one of the latest and most dangerous PDF vulnerabilities is reported, confirming what we raised in our post yesterday. I'll give away the moral of the story: better use the free DJVU format; it's more secure and creates smaller, better-quality files… it's just not backed by a "giant" like Adobe.



These days the work that Didier Stevens has done to get binaries executed from a PDF document is making its way around the world. When the document is opened in Adobe Acrobat Reader, the technique shows a warning message which, as he himself says, can be partially modified. In Foxit, on the contrary, no message is displayed and the command is executed without any alert.

This technique is simple and straightforward, and therefore very dangerous, even more so if we take into account that the PDF format was the exploiters' favorite last year, reaching very high levels of exploitation.
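A defender's-side way to triage documents for the kind of auto-launch action described above, as an added example (it is not Didier Stevens' code nor anything from the Follow-Info post): a small Python scanner that counts the PDF name tokens such documents rely on (/Launch, /JavaScript, /OpenAction and friends) after undoing the #xx hex escapes the PDF syntax allows inside names, which is how these keywords are commonly hidden from a naive grep. The keyword-counting idea follows Stevens' pdfid; the two sample documents are constructed for this example and the launched filename is a placeholder.

```python
import re

# Names that benign documents rarely need but that PDF-borne attacks lean on.
# /ObjStm is included because compressed object streams can hide the others.
RISKY_NAMES = (b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/EmbeddedFile", b"/RichMedia", b"/ObjStm")

# A PDF name token: a slash followed by regular characters (no whitespace or delimiters).
_NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r /\[\]<>(){}%]+")
# The #xx escape the PDF syntax allows inside a name (e.g. /Laun#63h == /Launch).
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated name compares equal to its plain form."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes and return a triage verdict.

    This is a raw-byte scan: names inside compressed streams are not seen,
    which is why /ObjStm alone already earns a 'review' verdict.
    """
    counts = {name.decode("latin-1"): 0 for name in RISKY_NAMES}
    obfuscated = 0
    for match in _NAME_RE.finditer(data):
        raw = match.group(0)
        name = normalize_name(raw)
        key = name.decode("latin-1")
        if key in counts:
            counts[key] += 1
            if raw != name:
                obfuscated += 1  # a risky name that someone bothered to hide

    # The header must appear within the first 1024 bytes for readers to accept the file.
    is_pdf = b"%PDF" in data[:1024]
    if not is_pdf:
        verdict = "not-a-pdf"
    elif counts["/Launch"] or counts["/JavaScript"] or counts["/JS"] or obfuscated:
        verdict = "suspicious"
    elif any(counts[k] for k in ("/OpenAction", "/AA", "/EmbeddedFile",
                                 "/RichMedia", "/ObjStm")):
        # Auto-run hooks, attachments or object streams are not malicious on their
        # own, but they deserve stream decompression and a closer look before release.
        verdict = "review"
    else:
        verdict = "clean"
    return {"is_pdf": is_pdf, "counts": counts,
            "obfuscated_names": obfuscated, "verdict": verdict}


# Constructed samples (not real captures): a plain one-page document, and the same
# skeleton with an /OpenAction pointing at a /Launch action whose name is hex-escaped.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Action /S /Laun#63h /F (PLACEHOLDER.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("launch", LAUNCH_PDF)):
        report = scan_pdf(blob)
        hits = {k: v for k, v in report["counts"].items() if v}
        print(f"{label}: {report['verdict']} {hits} obfuscated={report['obfuscated_names']}")
```

Run on the two samples, the benign skeleton comes back clean while the second is flagged suspicious with /Launch and /OpenAction each counted once and one obfuscated name. The scanner is deliberately a first-pass filter for a mail gateway or document repository: it never decompresses streams, so anything with object streams or auto-run hooks should be handed to a real PDF parser rather than waved through.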

Seeing this, I remembered that in many articles on the Internet, when they talk about how to exploit PDF vulnerabilities, they say things like "Locate the version of Acrobat they are using, with FOCA, for example" and then build the exploit. Poor FOCA, dragged into that mess...

Something along those lines was the demo we prepared for Security Day, in which we exploited a vulnerability in Acrobat Reader (including version 9) to get a remote shell on the vulnerable computer. The exploited vulnerability is catalogued as CVE-2009-0927 and exploiting it allows any command to be executed. If the software is vulnerable, you get a message like the one in the following image:

Figure 1: Execution of exploit on vulnerable machine

And the exploit we use redirects the shell to an IP and a port on which we have netcat listening.

Figure 2: Shell received

Of course, on the exploited machine the Acrobat Reader process is running, serving the shell commands.

Figure 3: Acrobat process running after exploitation

Seeing the danger of PDF exploits, I decided to upload it to VirusTotal to see how antivirus engines behave with these exploits in PDF documents. Their behavior is especially important if we are talking about the engine used in the mail server or in the document repository, since those are the places where the most PDF documents move. The result with this particular exploit was not bad, but it was surprising that a good number of engines still did not detect it; the percentage did not reach 50%, and some of the misses were as striking as Kaspersky, McAfee or Fortinet.

As a curiosity, it occurred to me to use a file packer that generates executables, similar to our dear Thor's redbinder but with fewer features, called Jiji and which I had seen on Cyberhades, to see what the antimalware engines did when we put the PDF exploit inside a package with an .exe extension.

Figure 5: We pack only 1 PDF file
Figure 6: What runs on extraction

This new executable, when run, opens the document containing the PDF exploit. The possibilities that crossed my mind were: A) the engines unpack it and the same ones as before detect it, and B) they go straight for the packer and sign it rather than what is inside. However, the result was surprising.

Only 2 out of 42 detected it, one of them only as suspicious, and only VirusBuster knew the format and took the trouble to unpack the content in order to scan it.

After seeing this, it seems to me entirely right that Microsoft and Adobe are considering updating software through Windows Update, and that Microsoft has opened its Windows Update Services platform to integrate other solutions such as Secunia CSI's Windows Update agent, which works with System Center Configuration Manager and WSUS.

Listen to me: better use the free DJVU format; it is more secure and creates smaller, better-quality files.

Source: Follow-Info



  1.   Marcoshipe said

    A clarification: PDF is also a free format.
    And it would be necessary to see whose fault it is, whether the format (PDF) or the programs (Acrobat Reader, Foxit, etc.), because the format can be very good but the program that runs it very bad, and that doesn't mean there are no good programs to which this doesn't happen (everyone uses Acrobat or Foxit, but in Linux we have many more options; will these be vulnerable?)

    I never tried djvu; I'm now looking a little to see what it is, and in the short time I've looked at it there's one little thing I don't like: you cannot copy the text, since everything is an image. I don't like it that way; I usually copy things from the pdfs that I read.
    I don't know if I would use it a lot; I think I'd prefer to improve the pdf format, which is vector-based.
    regards

  2.   Let's use Linux said

    Dear Marcos, your comments are spot on. PDF was a proprietary format, but since July 1, 2008 it is an open format.
    Anyway, it's true what you say that sometimes customers / readers have a lot to do with it. A clear example is the case that is reported in this post.
    And yes, I don't like not being able to copy the text of the .djvu either. 🙁 However, the English Wikipedia page says: «Thus, instead of compressing a letter "e" in a given font multiple times, it compresses the letter "e" once (as a compressed bit image) and then records every place on the page it occurs.
    Optionally, these shapes may be mapped to ASCII codes (either by hand or potentially by a text recognition system), and stored in the DjVu file. If this mapping exists, it is possible to select and copy text.» Which means that you could select text in the djvus.