WARNING - PDF exploits - Adobe and Foxit [and others] readers

This particular style of exploit has been around for quite sometime in
various forms. I have previously to advise of this style of attack.
Yet another party has posted the methodology and provided example coding.
Specially and EASILY crafted PDFs can be created to include calls to
external applications which are not blocked by JAVA or other
restrictions, yet can be run, forcing other unwanted activities [such as
opening IE or running commands] or exploiting other vulnerabilities
within other applications. This type of exploit can be used in
conjunction with other exploits, compounding the potential malicious
usage. These exploits can be modified to work within any OS, though
system restrictions and other security may mitigate some of the
potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of exploit,
as may others. Foxit appears to be more exploitable than Adobe to this
particular issue.

Sumatra is apparently immune or doesn't support this type of exploit,
and others may be as well.

Metasploit and several other have provided other or additional styles
of this type of exploit.

REFERENCES/EXAMPLES:

http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how easy
the coding and modifications are.

http://www.metasploit.com/

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

FoxitReader has a new update.

On 04/03/2010 04:51 PM, Dan wrote:
FoxitReader has a new update.

Does it supposedly deal with these issues?


--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


Since you have returned the links to the materials, would you say or
advise that the issues have been fixed pursuant the original linked
materials and your link?

Apr. 2, 2010
"Authorization Bypass When Executing An Embedded Executable.
SUMMARY

Fixed a security issue that Foxit Reader runs an executable embedded
program inside a PDF automatically without asking for user’s permission.
AFFECTED SOFTWARE VERSION

Foxit Reader 3.2.0.0303."

Have you personally tested for these vulnerabilities [see for example,
the metasploit link] with/after the supposed fix/update?

I would opine that they may deal with SOME of those reported issues, I
would not go so far as to claim they were completely fixed when taken in
conjunction with other exploits/vulnerabilities or per indications of
other versions affected; or per other exploits using similar methods
[since there appeared to be several methods to achieve the results],
would you?

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

From: "MEB"

| On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

| I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


| Since you have returned the links to the materials, would you say or
| advise that the issues have been fixed pursuant the original linked
| materials and your link?

| Apr. 2, 2010
| "Authorization Bypass When Executing An Embedded Executable.
| SUMMARY

| Fixed a security issue that Foxit Reader runs an executable embedded
| program inside a PDF automatically without asking for user’s permission.
| AFFECTED SOFTWARE VERSION

| Foxit Reader 3.2.0.0303."

| Have you personally tested for these vulnerabilities [see for example,
| the metasploit link] with/after the supposed fix/update?

| I would opine that they may deal with SOME of those reported issues, I
| would not go so far as to claim they were completely fixed when taken in
| conjunction with other exploits/vulnerabilities or per indications of
| other versions affected; or per other exploits using similar methods
| [since there appeared to be several methods to achieve the results],
| would you?

http://www.us-cert.gov/current/index...t_reader_3_2_1

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: "MEB"

| On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

| I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


| Since you have returned the links to the materials, would you say or
| advise that the issues have been fixed pursuant the original linked
| materials and your link?

| Apr. 2, 2010
| "Authorization Bypass When Executing An Embedded Executable.
| SUMMARY

| Fixed a security issue that Foxit Reader runs an executable embedded
| program inside a PDF automatically without asking for user’s permission.
| AFFECTED SOFTWARE VERSION

| Foxit Reader 3.2.0.0303."

| Have you personally tested for these vulnerabilities [see for example,
| the metasploit link] with/after the supposed fix/update?

| I would opine that they may deal with SOME of those reported issues, I
| would not go so far as to claim they were completely fixed when taken in
| conjunction with other exploits/vulnerabilities or per indications of
| other versions affected; or per other exploits using similar methods
| [since there appeared to be several methods to achieve the results],
| would you?

http://www.us-cert.gov/current/index...t_reader_3_2_1

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

On 04/04/2010 08:57 PM, Shenan Stanley wrote:
MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

I didn't because they were already removed.


You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?


Since you have returned the links to the materials, would you say or
advise that the issues have been fixed pursuant the original linked
materials and your link?

Apr. 2, 2010
"Authorization Bypass When Executing An Embedded Executable.
SUMMARY

Fixed a security issue that Foxit Reader runs an executable embedded
program inside a PDF automatically without asking for user’s permission.
AFFECTED SOFTWARE VERSION

Foxit Reader 3.2.0.0303."

Have you personally tested for these vulnerabilities [see for example,
the metasploit link] with/after the supposed fix/update?

I would opine that they may deal with SOME of those reported issues, I
would not go so far as to claim they were completely fixed when taken in
conjunction with other exploits/vulnerabilities or per indications of
other versions affected; or per other exploits using similar methods
[since there appeared to be several methods to achieve the results],
would you?

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---

MEB wrote:
This particular style of exploit has been around for quite sometime
in various forms. I have previously to advise of this style of
attack.

Yet another party has posted the methodology and provided example
coding. Specially and EASILY crafted PDFs can be created to include
calls to external applications which are not blocked by JAVA or
other restrictions, yet can be run, forcing other unwanted
activities [such as opening IE or running commands] or exploiting
other vulnerabilities within other applications. This type of
exploit can be used in conjunction with other exploits, compounding
the potential malicious usage. These exploits can be modified to
work within any OS, though system restrictions and other security
may mitigate some of the potential exploits.

Adobe Reader and Foxit Reader are vulnerable to this style of
exploit, as may others. Foxit appears to be more exploitable than
Adobe to this particular issue.

Sumatra is apparently immune or doesn't support this type of
exploit, and others may be as well.

Metasploit and several other have provided other or additional
styles of this type of exploit.

REFERENCES/EXAMPLES:
http://blog.didierstevens.com/2010/0...cape-from-pdf/
take particular note of the comment section for indications of how
easy the coding and modifications are.

http://www.metasploit.com/

Dan wrote:
FoxitReader has a new update.

MEB wrote:
Does it supposedly deal with these issues?

You did not quote the issues you refer to in your response. I have put that
part back (above.)

You can easily check for yourself, as can anyone else. Foxit Software has a
security page he
http://www.foxitsoftware.com/pdf/reader/security.htm

Now that you can see the security page for Foxit Software and what patches
they have released and for what reasons those patches were released and the
referenced 'these issues' - do the updates deal with what you reported on
April 1, 2010?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

On 04/03/2010 04:51 PM, Dan wrote:
FoxitReader has a new update.

Does it supposedly deal with these issues?


--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---