PDF File Format And Exploitation - Hemanshu Asolia

PDF File Format Details and some of the exploits described.

  1. PDF File Format and Exploitation
     by h3m4n

  2. What is PDF?
     - Portable Document Format
     - Document representation independent of software, hardware and OS
     - ISO/IEC 32000-1:2008
     - De facto standard for printable documents

  3. PDF File Structure
     - Header: %PDF-1.0 to %PDF-1.7
     - Body: contains indirect objects
     - Cross-Reference Table: random access to indirect objects
           xref
           0 2
           0000000000 65535 f
           0000910913 00000 n
     - File Trailer:
           trailer
           << /Size 181 /Root 179 0 R /Info 180 0 R
              /ID [ <55ED49327E86414ED7562EB23237FA2C> <55ED49327E86414ED7562EB23237FA2C> ]
              /DocChecksum /3B2D0F3E6C208965E0CE735F1364D709 >>
           startxref
           919337
           %%EOF

  4. App Object Model
     - JavaScript runs under the context of the App Object Model
     - PDF JavaScript cannot access HTML DOM objects
     - File attachment
     - XML capabilities
     - Forms
     - Web services
     - Database connections

  5. What's cracking up?
     - Vulnerable APIs
           getIcons() (CVE-2009-0927)
           getAnnots() (CVE-2009-1492)
           customDictionaryOpen() (CVE-2009-1493)
           Doc.media.newPlayer (CVE-2009-4324)
     - File parsing vulnerabilities
           JBIG2 (over a dozen CVEs)
           libTiff (CVE-2010-0188)
     - Socially engineered arbitrary command execution
           PDF escape by Didier Stevens
           Not a bug (feature)
     - Exploitation in the wild
           Embedded files
           libTiff (CVE-2010-0188)

  6. Analysis
     - Tools
           pdf-parser.py
           pdfid.py
           pdfminer
           debuggers
           PDFuzzer
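As an added example (not from the slides or from any of the tools listed above), the following Python script does the kind of first-pass triage pdfid.py and pdf-parser.py do: it checks the header, walks startxref to the cross-reference table and verifies that every in-use entry really points at its object (slide 3's structure), reads the trailer dictionary, and counts the names associated with scripted or embedded content. The keyword list and the sample PDF are constructed here; a classic xref table and a flat trailer dictionary are assumed.

```python
import re
# Names a pdfid.py-style triage counts: /JS, /JavaScript, /OpenAction and /AA cover the
# scripted path, /Launch the "PDF escape" feature, /EmbeddedFile and /JBIG2Decode the rest.
SUSPECT = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
           b"/EmbeddedFile", b"/JBIG2Decode", b"/XFA"]

def build_sample_pdf(objects):
    """Assemble a constructed, minimal PDF (header, body, xref, trailer) with consistent offsets."""
    out, offsets = b"%PDF-1.7\n", []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    startxref, size = len(out), len(objects) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size               # entry 0: free-list head
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)   # 20-byte entries
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        size, startxref)
    return out

def triage(data):
    """Check the header, walk startxref -> xref -> objects, read the trailer and count
    suspect names. Assumes a classic xref table (no xref streams) and a flat trailer."""
    m = re.match(rb"%PDF-1\.[0-7]", data)
    report = {"header": m.group(0).decode() if m else None, "xref_ok": False}
    sx = re.findall(rb"startxref\s+(\d+)", data)
    if sx:
        pos = int(sx[-1])                      # last startxref wins (incremental updates)
        tbl = re.match(rb"xref\s+(\d+)\s+(\d+)\s*", data[pos:])
        if tbl:
            first, count = int(tbl.group(1)), int(tbl.group(2))
            start = pos + tbl.end()
            entries = re.findall(rb"(\d{10}) (\d{5}) ([nf])", data[start:start + 20 * count])
            ok = len(entries) == count
            for i, (off, gen, kind) in enumerate(entries):
                # An in-use entry must point at "<num> <gen> obj"; otherwise the table is garbled.
                if kind == b"n" and not data[int(off):].startswith(
                        b"%d %d obj" % (first + i, int(gen))):
                    ok = False
            report["xref_ok"] = ok
    tr = re.search(rb"trailer\s*<<(.*?)>>", data, re.S)
    report["trailer"] = tr.group(1).decode(errors="replace").strip() if tr else None
    report["keywords"] = {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", data))
                          for kw in SUSPECT}  # lookahead: no partial-name hits
    return report

# Constructed sample: a catalog whose /OpenAction runs a trivial JavaScript action.
SAMPLE = build_sample_pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
                           b"<< /Type /Pages /Kids [] /Count 0 >>",
                           b"<< /S /JavaScript /JS (app.alert\\(1\\)) >>"])
```

A file whose xref entries do not land on their objects, or whose startxref no longer points at a table, fails the `xref_ok` check even when the header looks normal, which is the same malformed-structure signal the listed tools surface.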

  7. Prevention and Mitigation
     - Patch up!
     - Disable JavaScript
     - Disable attachment opening with external applications
     - Use DEP
     - Disable display of PDF in the browser (make your IPS happy!)
     - Don't open PDFs from strangers
     - Least privilege

  8. So what's next?
     - Less reliance on JavaScript for exploitation
     - Issues with embedded files are here to stay
     - Built-in, non-tunable Flash support is another issue
     - Portfolios, anyone!
     - Vulnerabilities with multiple file parsing
     - XFA
     - SOAP
     - Interaction with other applications
     - Adobe finally learning some SDL #FTW!
     - Sandbox??

  9. Where can I get more samples?
     - contagiodump.blogspot.com/
     - offensivecomputing.net/

  10. References
     - http://partners.adobe.com/public/developer/en/acrobat/sdk/AcroJSGuide.pdf
     - http://en.wikipedia.org/wiki/Portable_Document_Format
     - http://bugix-security.blogspot.com/
     - http://blog.didierstevens.com/
     - http://www.securiteam.com/tools/6R0052KN5I.html

  11. Thank You!
     contact: heman@null.co.in