Researcher exploits PDF file without using a vulnerability

Didier Stevens, security researcher and expert on malicious PDF files, has succeeded in creating a proof-of-concept PDF file that uses the launch action triggered by the opening of the file to execute the embedded malicious executable.

What makes this piece of news really interesting is that he didn’t exploit a security vulnerability in the PDF file, but he found a way to start the /Launch /Action command and embed the malicious file using a special technique.

The only thing standing in the way of an immediate execution of the embedded file is the warning pop-up displayed by Adobe Reader – but even this can be (partially) modified by the attacker, as shown here:

The lower part of the message can be thus changed into a text that could use a number of social engineering approaches to make the user proceed with the opening of the file.

“Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs),” says Stevens in his blog post.

The situation is worse with Foxit Reader, where such a message doesn’t pop-up and the malicious file is executed automatically:

Stevens hasn’t published the PoC PDF yet, but has shared it with Adobe’s Response Team. He also mentions that to prevent this kind of attack, one must simply prevent Adobe Reader from creating new processes, but doesn’t mention what to do if you use Foxit.