Public Service Announcment: PDF Vulnerability

[athelind]

Vulnerability found that allows PDF documents to run arbitrary code.

There's no hacking, cracking, or exploits here: this is just using features built into the format.

I just opened the test file using Adobe Reader under Ubuntu 9.04, and nothing popped up. This seems to be another Windows-Exclusive feature, brought to you by the fine folks in Renton. Any Mac users out there to try it?

Thanks to theweaselking for pointing this out. I'm just passing on the word.

Edit: aeto and theweaselking have pointed out that, of course, the embedded command in the text file is, specifically, a Windows command. Of course it's not going to work in Mac or Linux.

The question is, if the function call is replaced by the appropriate 'Nix command, will it work? And if it doesn't work, is that due to "superior OS security", or just the erratic feature support that us Linux users all bitch about when it interferes with things we want to do, and gloat about when it interferes with potential hazards?

I lack the 'Fu to make the appropriate test files myself, but one of the commenters linked to a file that includes the commands for Windows, Mac and Linux.

Using that, under Ubuntu 9.04:

In Evince: nothing.

In Acrobat Reader 9.3.1: warning pop-up, but nothing opens when I click the button to allow it to open.

I've confirmed that xcalc is, indeed, in usr/bin/, as the text file assumes.

So: is this a Linux security feature, or a Linux compatibility bug?

---

I need a real warning icon for posts like this.

---

Comments

[aeto.livejournal.com]

The test file will only work on Windows, as it tries to start cmd.exe, which is a windows-only thing.

No clue if it would work on other systems, using different commands, and you can't tell from the sample file.

[athelind.livejournal.com]

I suspected that was part of it, but I don't grok enough 'Nix Shell to figure out what the appropriate commands would be, myself.

[araquan.livejournal.com]

There are tags for executing things on Mac and Unix (they are, surprisingly enough, called /Mac and /Unix, as opposed to /Win) but as of the 2006 PDF spec (v1.7, 31MB PDF- see page 659) their behavior is not defined as they are for Windows. In what little tinkering I've had time to do (which I will admit has been very little, and probably won't be much more before the evening) I've yet to induce a test PDF to do anything untoward on a Mac, but I haven't fed them into a genuine Adobe reader (I don't use those regularly). No attempt yet made on Linux.

[theweaselking.livejournal.com]

Uh, the "test file" runs "/launch 'c:\Windows\cmd.exe'"

NO KIDDING IT DOESN'T WORK UNDER LINUX.

If it had run "/launch '/usr/bin/rm -rf /*'" you'd be able to say it was "a Linux/Mac only problem" with about as much accuracy.

The hole presumably exists in the Linux version of the program, since it's the same program with the same spec. You simply lack a test for it.

[athelind.livejournal.com]

Urf. Mea culpa.

Like I said to Aeto, that had occurred to me. Gettin' snarky about Windows was, in this case, not only premature, but skirting the edges of dishonesty. I've updated my original post accordingly, and I'm going to make the observation in the comments in the OP.

I lack the Fu to make a test case for Linux, alas. If we DID substitute the commands, it still might not work in Linux -- not necessarily for any superior security protocols, but because 'Nixware is notorious for being cranky about calling up other 'Nixware and implementing more arcane features.

[theweaselking.livejournal.com]

Anyway. Assuming Linux doesn't behave *worse* than Windows, Adobe Reader will pop up a warning box, and the latest Foxit will as well.

[athelind.livejournal.com]

I tested it with a file that has commands for Windows, Mac and Linux; I got a warning box in Adobe Reader, but it didn't open the external app even when I confirmed it.

Evince, like the proverbial goggles, did nothing.

Security feature, or compatibility issue? With Linux, it's hard to tell.