Title  : Escape From PDF
Author : Didier Stevens
Date   : 03/29/2010
Source : http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

This is a special PDF hack: I managed to make a PoC PDF to execute an embedded executable without exploiting any vulnerability!

I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.

PDF viewers like Adobe Reader and Foxit Reader don't allow embedded executables (like binaries and scripts) to be extracted and executed, but I found another way to launch a command (/Launch /Action), and ultimately run an executable I embedded using a special technique. With Adobe Reader, a launch action needs to be approved by the user, but I can partially control the message displayed by the dialog box.

Example 1:

http://didierstevens.files.wordpress.com/2010/03/20100329-211248.png?w=478&h=262

Example 2:

http://didierstevens.files.wordpress.com/2010/03/20100329-211313.png?w=478&h=262

Do you believe this could mislead some of your users? Or maybe you can come up with a better message to fool your users.

With Foxit Reader, no warning is displayed:

Example 3:

http://didierstevens.files.wordpress.com/2010/03/20100329-211310.png?w=457&h=385

I'm not publishing my PoC PDF yet, but you can download a PDF that will just launch cmd.exe here. Use it to test your PDF reader:

http://www.exploit-db.com/sploits/launch-action-cmd.zip

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don't use JavaScript in my PoC PDF), and patching Adobe Reader isn't possible (I'm not exploiting a vulnerability, just being creative with the PDF language specs).
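
A defender-side check for the pattern this post describes, added here as an example; it is not code from the post or from the author's own tools. It scans raw PDF bytes for the /Launch and /OpenAction names, decodes #XX-escaped names so that an obfuscated spelling such as /#4Caunch still counts, and flags the combination that would fire a launch action when the document is opened. It goes beyond the post in also treating /AA (the additional-actions key from the PDF specification) as a trigger. The sample bytes are constructed for the demo, contain only object fragments, and use a placeholder where a real command would sit; because the post's PoC uses no JavaScript, the sample has none either, so a JavaScript-only check would report nothing.

```python
import re
from collections import Counter

# Constructed sample: PDF object fragments only, with a placeholder instead of
# any real command. Object 4 spells /Launch as /#4Caunch, a legal hex-escaped
# name, to show why a plain substring search for "/Launch" is not enough.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
4 0 obj
<< /Type /Action /S /#4Caunch /F (placeholder-command) >>
endobj
%%EOF
"""

# /OpenAction is the trigger the post relies on; /AA (additional actions on
# pages and annotations) is a further trigger taken from the PDF spec.
ACTION_TRIGGERS = ("/OpenAction", "/AA")
INTERESTING = ("/Launch", "/OpenAction", "/AA", "/JavaScript", "/JS", "/EmbeddedFile")

# A PDF name is '/' followed by regular characters; '#XX' encodes one byte.
NAME_RE = re.compile(rb"/((?:[^\s/<>\[\]{}()%#]|#[0-9A-Fa-f]{2})+)")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #XX escapes so that b'#4Caunch' becomes '/Launch'."""
    decoded = HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + decoded.decode("latin-1")


def count_names(data: bytes) -> Counter:
    """Count every normalized name in the raw bytes (no object parsing)."""
    counts = Counter()
    for m in NAME_RE.finditer(data):
        counts[normalize_name(m.group(1))] += 1
    return counts


def scan(data: bytes) -> dict:
    """Report interesting name counts and whether a launch-on-open pattern is present."""
    counts = count_names(data)
    found = {name: counts[name] for name in INTERESTING if counts[name]}
    has_launch = counts["/Launch"] > 0
    has_trigger = any(counts[t] > 0 for t in ACTION_TRIGGERS)
    return {
        "counts": found,
        "auto_launch": has_launch and has_trigger,
        "uses_javascript": counts["/JavaScript"] > 0 or counts["/JS"] > 0,
    }


if __name__ == "__main__":
    result = scan(SAMPLE_PDF)
    for name, n in sorted(result["counts"].items()):
        print(f"{name:<14}{n}")
    print("launch action reachable on open:", result["auto_launch"])
    print("uses JavaScript:", result["uses_javascript"])
```

Scanning raw bytes keeps the check fast and independent of any PDF library, but it only sees names that are stored in the clear: objects packed into compressed object streams (/ObjStm with a /Filter) must be inflated first, so a production check should run this over both the original file and its decompressed streams. The verdict is deliberately narrow (a /Launch name plus a trigger that runs actions automatically), which is exactly the combination the post relies on and the one a reader's warning dialog, or its absence, is the last line of defence against.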

I shared my PoC with Adobe's PSIRT. Maybe they