Vulnerability Vectors in PDF Synthesizing PDF Attacks Aditya K Sood aka 0kn0ck Sec Niche Security Vulnerable Vectors in PDF EU-Sec-West 2008 , UK EU-Sec-West London , UK [2008] PDF

Upload: deirdre-lynch

Post on 24-Dec-2015


Vulnerability Vectors in PDF: Synthesizing PDF Attacks

Aditya K Sood aka 0kn0ck

Sec Niche Security

Vulnerable Vectors in PDF EU-Sec-West 2008 , UK

EU-Sec-West London , UK [2008]


[root@0kn0ck]# whoami

Background = Independent Security Researcher.

Founder , Sec Niche Security. [http://www.secniche.org]

Front End = Works for KPMG Consulting

IS Author Hakin9 , USENIX ;login

Released Advisories : Yahoo , AOL , MSN , Google , Verisign , Microsoft etc.

Projects:

MLabs , CERA , TrioSec

Rest Google Me Out !


Thanks to DL - PSIRT


Adobe Product Security Incident Response Team

For Contacting and Sharing Thoughts Over Talk.

Coordinated for Responsible Disclosure and Product Security


Given Enough Eye Balls , All Bugs are Shallow .

[ Eric Raymond – The Cathedral and Bazaar ]

The Application Bug Anatomy

Many Eye Balls Miss the Point Altogether.

Bug Matrix is Hard to Diminish .


The Realm of Application Security

The Paradigm : Squared Approach

Security

Privacy

Reliability

Application Quality


Application : Exploitation Shift

1. Understanding the Shift. Why is it Happening?

2. Memory Corruptions are Hard to Exploit.

3. Diversified Infection Vectors in Application Realm.

4. Cross Referenced Matrix Technologies.

5. Development of Complex System Security Structures.

6. Applications Provide an Interface to System Insecurities.

7. System Vulnerabilities : Vendors Red Alert.

8. Application Exploitation == Feature Manipulation.


Traversing along Talk


Dissecting PDF Internals

Breaking The Hidden.


Structural Components of PDF

1. COS – Common Object Structure Model

The in-core model of PDF documents.

2. The Component Design of Predefined Symbols.

Symbols define the component layout in the document.

3. Cross Reference Table and Object Abstraction.

The cross functional dependency and object layout.

Understanding The Crux.


Structural Components of PDF

COS Object Model

1. Layered Based Structure with Hierarchical Layout.

2. Base Depends on Raw Data , Tree Model is Implemented.

3. Model(Tree) = Object(Child) + Object(Nodes)

Objects are Applied as Child and Nodes.

4. Modelling of Objects is Undertaken from Node to Child.

5. The Tree Head Object is Document Catalog.

The Tree starts from this Head Node.

6. Layers Govern the Functionality of Objects Designed.

7. Interfacial Layer Arrangement is there.


Structural Components of PDF

COS Object Model : Object Types

Looking at Explicit Definition:

1. Direct Objects

The Reference Vector is NULL. No Reference.

2. Indirect Objects

References are Upheld in these Objects. Reference Oriented.

3. Container Objects

Hold References to Other Objects. Specification is Different.

4. Notable Exceptions are Implemented.

5. Base Module is Array. Objects are Structured Over it.


Structural Components of PDF

COS Object Model : Representation


Structural Components of PDF

The Internal Layout : One Step Ahead


Structural Components of PDF

The Functional Layout

1. Object Functionality = Inheriting Properties from Root.

2. Properties are Globally Applicable.

3. Versatility in Object Designing. Backward Compatibility.

4. Properties(Object) == Arrays , Strings , Dictionary etc.

5. Process( Document Designing) == Document Drafting.

6. COS Object Tree Supports Custom Object Types.

Note : PDF Capabilities Can Be Altered By Anyone Following Custom Object Model.


Structural Components of PDF

The Object Symbols

1. Symbols Comprise of Internal Entity of Root Tree.

2. Dissects The Working Functionality Type.

3. Reversing(PDF Doc) == Symbols Required.

4. The Symbols

4.1 Document Catalog.

4.2 Annotation Objects.

4.3 Page Object.

4.4 Indirect Object Indication.

4.5 Pages Object.


Structural Components of PDF

Cross Reference Table and Object Abstraction

Objects placement in XREF Table

1. The number of objects in the document.

2. The offsets that are defined for it.

3. The cross reference table is always placed at the end of file.

4. The parameter of cross reference table is XREF.

5. The table holds the object count on Zero Based Indexing, i.e. from 0 to [N].


Structural Components of PDF

Classification of Objects in XREF Table

Offset objects are called by the {n, f} parameter in the cross reference table, i.e. the XREF of the objects. In this XREF table:

1. [n] The parameter n is used to reference the used bytes for the object and the specific offset related to it.

2. [f] The parameter f is used to reference the unused bytes related to the specific object.

3. Offsets are always picked from the starting offset of the document file for reducing complexity.
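
The XREF layout described on the last two slides can be checked mechanically during triage. The following is an added example, not code from the talk: it parses a classic cross reference table and reports objects whose table offset is wrong or that sit in the body without any table entry. The sample file, function names and finding strings are constructed for illustration.

```python
import re

def build_sample_pdf(hidden=False):
    """Constructed two-object PDF; hidden=True adds an object the table omits."""
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
    ]
    body, offsets = b"%PDF-1.4\n", []
    for obj in objs:
        offsets.append(len(body))          # offsets count from byte 0 of the file
        body += obj
    if hidden:
        body += b"7 0 obj\n<< /S /URI /URI (http://example.invalid/) >>\nendobj\n"
    xref = b"xref\n0 3\n0000000000 65535 f \n"
    xref += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    trailer = b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % len(body)
    return body + xref + trailer

SUBSECTION = re.compile(rb"\s*(\d+) (\d+)[ \r]*\n")
# Each entry is 20 bytes: 10-digit offset, 5-digit generation, n (in use) or f (free).
ENTRY = re.compile(rb"(\d{10}) (\d{5}) ([nf])[ \r\n]{2}")

def parse_xref(pdf):
    """Return {object number: (offset, generation, 'n' or 'f')} from the last table."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF\s*$", pdf)
    if not m:
        raise ValueError("no startxref/%%EOF at end of file")
    cursor = int(m.group(1))
    if not pdf.startswith(b"xref", cursor):
        raise ValueError("startxref does not point at an xref table")
    cursor += 4
    entries = {}
    while True:
        sub = SUBSECTION.match(pdf, cursor)
        if not sub:                        # reached 'trailer'
            break
        first, count = int(sub.group(1)), int(sub.group(2))
        cursor = sub.end()
        for i in range(count):
            e = ENTRY.match(pdf, cursor)
            if not e:
                raise ValueError("malformed xref entry for object %d" % (first + i))
            entries[first + i] = (int(e.group(1)), int(e.group(2)), e.group(3).decode())
            cursor = e.end()
    return entries

def check_xref(pdf):
    """Return (object number, finding) pairs; an empty list means table and body agree."""
    entries = parse_xref(pdf)
    findings = []
    for num, (offset, gen, kind) in sorted(entries.items()):
        if kind == "n" and not pdf.startswith(b"%d %d obj" % (num, gen), offset):
            findings.append((num, "xref offset does not start object"))
    # Body scan is a heuristic: 'N G obj' text inside a stream would also match.
    for m in re.finditer(rb"(?m)^(\d+) (\d+) obj\b", pdf):
        entry = entries.get(int(m.group(1)))
        if entry is None or entry[2] == "f":
            findings.append((int(m.group(1)), "in body but not in xref table"))
    return findings

if __name__ == "__main__":
    print(check_xref(build_sample_pdf()))
    print(check_xref(build_sample_pdf(hidden=True)))
```

Only the classic table form is handled here; cross reference streams and incremental updates (several tables chained through the trailer) need additional parsing before the same comparison applies.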


Structural Components of PDF

Classification of Objects in XREF Table


A Generic View of XREF Objects


Structural Components of PDF

Objects Design in PDF

1. The object starts with an object number. 55, 56 etc. are the object numbers, which get cross linked for the available byte space in the table and interfere with functioning.

2. The third party linking is specified in this. The URI linking is clear in its context.

3. The other specification used like obj<<....<<subtype is for COS Object Modelling.


Structural Components of PDF

Type of Objects Used

Integer - in the file as a number without a decimal point.

1. Boolean – [True || False]

2. Real Number -

3. Name - in the file as '/text'

4. String - in the file as either '(...characters...)' or '<...hexadecimal character codes...>' .

5. Dictionary - in the file as '<<...other objects...>>' . Dictionary entries are always in pairs, a Name Object followed by any other object type.

6. Array - in the file as '[...other objects...]'.


Structural Components of PDF

Type of Objects Used

7. Stream – Object

Object Type is complex.

Streams are Indirect Objects.

Stream Objects use Object References.

Fused with Dictionary Objects.

Dictionary Object Carry Information for Accessing Bytes.


Structural Components of PDF

Root Model Layout


Structural Components of PDF

Breaking in Internals

Hit the PDF internals with PDF CAN Opener !


Application Attacks Anatomy

Why These Attacks Persist || Supporting Factors.

1. User or Client Ignorance to technology.

2. Version Compatibility Problems.

3. No Upgrade in Software used for Working.

4. Use of OLD versions of Software.

5. Feature Manipulation for Rogue Purposes.

6. Interdependency in System and Software Functionality.

7. Complexity in Architectures.

Even Adobe Acrobat Implements Security Mechanisms in all Versions 6.0 / 7.0 / 8.0


Application Attacks Anatomy

Little JavaScript Info Sheet

1. HTML JavaScript !== Acrobat JavaScript

2. ACRO JS cannot Access HTML JS Objects and Vice Versa.

3. Objects (ACRO JS) == app , doc , annotations etc.

4. Objects (HTML JS) == window , document etc.

5. Both do not have Inheritance Capabilities.

6. Objects have individualistic properties. No Cross Access.

7. ACRO JS is extracted from ECMA Script.

8. APP object is the main Information Object of ACRO JS.

Critical !


Application Attacks Anatomy

A Thought.

It's not a 0 Day. PDF is all about EVERYDAY.


Application Attacks in PDF

1. PDF Act as Launch Pad

Attacks Depend on Acrobat Versions

1. Easy to Manipulate for Third Party Attacks.

2. Heavy Use of JavaScript for Extensible Functionality.

3. Attack Modes are Easy to Trigger.

4. Client Side Attacks are Quite Easy.

5. Low Level Software Vulnerabilities.

6. Affecting and Hitting Browsers at Core.

7. Well Defined Support for Pluggable Protocol Handlers

8. Applied in a Versatile Manner.


Application Attacks in PDF

Synthesizing Application Level Attacks in PDF

FUSED DEMONSTRATIONS


Application Attacks in PDF

CLIENT on the Verge

What is Going to Happen to ME ????


Application Attacks in PDF

Implemented Security Model in Acrobat PDF

JavaScript Driven

1. Execution in Privileged Mode.

Methods : Console / Batch / Application etc.

2. Execution in Unprivileged Mode.

Methods : Page Open / Mouse Events etc.

3. Contexts Levels = Doc / Batch / Page / Folder / Field

A Number of Attacks are Useless at Execution due to Implemented Security.


Application Attacks in PDF

1. PDF Act as Launch Pad : Attack Vectors

1. XSS Checks in PDF and Alerts. [Input Checks]

2. JavaScript Infection Model. [Interim Attack Base ]

3. Malicious SOAP Access.

4. PDF Backdoor Anatomy.

5. PHISHING.

6. Attack comprising Pluggable Protocol Handlers.

7. PDF Spamming

8. Local Area Network Infections through PDF.

9. Rogue PDF Designing through SDK


Application Attacks in PDF

Testing Application Strategy : PDF

1. Direct JavaScript Insertion

JS Files are Globally executable at Folder Access

2. Binding JavaScript to a Control in PDF. [ cExec = "" ]

Dynamic Execution through a Control in PDF

3. Both Strategies are Equally Driven.

4. Output Can be Seen When PDF is Opened at System Level.


Application Attacks in PDF

1. XSS Checks in PDF

1. Prone to XSS Attacks.

2. Interim use of ALERT Object through JavaScript.

3. OPEN PDF Parameters.

4. Universal XSS at Core. Globally Applicable in PDF.

5. JavaScript (PDF) != JavaScript (HTML)

Different in Specifications and Usage

6. Triggered through Input Parameters mainly.


Application Attacks in PDF

1. XSS / Alert Checks in PDF

function foo() // Normal Layout
{
    alert("Object");
}

function foo() // Adobe JavaScript
{
    app.alert("JavaScript Test Possible");
}

1. PDF Document Opened in Browser and Adobe Reader have Different Functionalities.


Application Attacks in PDF

1. Open PDF Parameters

1. Command Line Control to Users.

2. Arguments are Passed through URL Directly.

Two Ways:

1. Passing Parameters Directly.

2. Passing Parameters through URL.

URL Delimiters:

1. [ # ] http://www.target.org/doc.pdf#tag=1

2. [ & ] http://www.target.org/doc.pdf#tag=1&arg=2


Application Attacks in PDF

Open PDF Parameters

FDF option is used often by attackers .

It specifies an FDF file to be used to populate form fields in the PDF file being opened. It is used with the same pattern.

Example: #fdf=[Target URL]


Application Attacks in PDF

1. Open PDF Parameters

Referenced from Advisory Release on PDF

http://[Target]/[File].pdf#########

http://[Site Name]/[File].pdf#fdf=[Target]

http://[Site Name]/[File].pdf#fdf=[Target]

http://[SiteName]/[File].pdf#FDF=javascript:document.write()

1. Acrobat 7.0 Issue.

2. Attacks Feasible for running in Older Versions.

3. Do Not Work Effectively on Latest Versions.

4. Browser Dependency is there. Interpretation of URL
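
A link filter (mail gateway, proxy or chat scanner) can flag the open-parameter patterns listed on the last three slides before a user clicks them. The following is an added example, not code from the talk or the referenced advisory; the function name, severity labels and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

def inspect_pdf_url(url):
    """Return (severity, reason) pairs for one URL; an empty list means no finding."""
    parts = urlsplit(url.strip())
    if not parts.path.strip().lower().endswith(".pdf"):
        return []
    findings = []
    fragment = parts.fragment
    if fragment and set(fragment) == {"#"}:
        findings.append(("low", "fragment is only repeated '#' characters"))
    # Open parameters follow '#' and are separated by '&', as on the delimiter slide.
    for chunk in fragment.split("&"):
        key, sep, value = chunk.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        # Decode percent-escapes and drop whitespace/control characters before matching.
        value = re.sub(r"[\x00-\x20]+", "", unquote(value)).lower()
        if value.startswith("javascript:"):
            findings.append(("high", f"'{key}' carries a javascript: URI"))
        elif key == "fdf":
            findings.append(("medium", f"'fdf' loads form data from {value or 'an empty target'}"))
    return findings

# Constructed sample links; hosts use the reserved .invalid TLD.
SAMPLE_URLS = [
    "http://docs.example.invalid/report.pdf#page=3&zoom=150",
    "http://docs.example.invalid/report.pdf#fdf=http://other.example.invalid/data.fdf",
    "http://docs.example.invalid/report.pdf#FDF=javascript:document.write()",
    "http://docs.example.invalid/report.pdf#########",
    "http://docs.example.invalid/index.html#fdf=x",
]

def scan(urls):
    """Map each URL that produced findings to its findings."""
    return {u: f for u in urls if (f := inspect_pdf_url(u))}

if __name__ == "__main__":
    for url, found in scan(SAMPLE_URLS).items():
        print(url, found)
```

The fragment never reaches the web server, so this check belongs where the full link is visible (message bodies, referring pages, client-side proxies), not in server access logs.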


Application Attacks in PDF

Identity Checks in PDF – DEMONSTRATION

1. Acrobat Version 6.0 == Undefined.

2. Acrobat Version 7.0 == User Name

3. Acrobat Version 8.0 == User Name


User that is Logged in to the system


Application Attacks in PDF

PDF Backdoor Designing

1. PDF perform stringent functions when opened.

2. Use of Adobe Based Malicious JavaScripts.

3. Designing PDF with Embedded Rogue Links.

4. PDF SDK is used for Crafting a Malicious PDF File.

5. Direct Interpreting in Text Editor.

6. Manipulating Objects in PDF File Directly.

7. Binding JavaScripts to the Various Objects, i.e. Buttons.

8. Form Type Submissions / Content Downloading / Links.


Application Attacks in PDF

PDF Backdoor : DEMONSTRATION


Backdoor Requested for Hacked.com while PDF is opened


Application Attacks in PDF

Triggering Events through Pluggable Protocol Handlers.

1. Affected Browsers at Core.

2. Third Party Event Generation through PDF.

3. Prime Source of Number of Attacks.

4. Working Dependency between Two Pieces of Software.

5. Base for PHISHING Attacks.

mailto: / file: / ftp: / telnet: / view-source: / chrome: / gopher: / http: / https: / JavaScript: / news: / res:

Security Restrictions are Applied ! Version Specific.


Application Attacks in PDF

Working Approach of Pluggable Protocol Handlers.


Application Attacks in PDF

Triggering Events through PPH : DEMONSTRATION

1. PHISHING Attacks.

2. Reading Files Locally | Remotely

3. Mailto: Support Check


Directed by PDF to Read YServer.txt File. Well, One can do it Remotely too.


Application Attacks in PDF

Memory Exhaustion - PDF : NO DEMONSTRATION

1. PDF Can be used as Memory Exhaustion Base.

Attack Vector is Direct.

2. PDF can Direct Browser to exhaust Memory.

Attack Vector is Indirect

The Target Base is PDF


Application Attacks in PDF

FORM Submissions - DEMONSTRATION

1. FORM can be Submitted Easily with POST Request.

2. Downloading Content Directly.

3. Making PDF a Garbage File.


Security Warning is issued in Latest Versions. Still Works on Older Versions.


Application Attacks in PDF

Local Denial of Service – PDF DEMONSTRATION

1. Very Easy to Trigger.

2. Specific Malicious JS file can do the Trick.

3. Affect Document Opening at Full.

4. Client Side Functionality is Lowered Down.


Application Attacks in PDF

Executing System Files : DEMONSTRATION

System Files Can be Executed from Core.


Executable Request is Generated by PDF through IE Browser that Executes The FILE.

A Security Warning can be generated, So it is Less Reliable from Attack Point of View Till a Proper Vulnerability is Exploited.


Application Attacks in PDF

The Reality :-

1. A Number of Attacks Failed in Acrobat with Different Versions.

2. Software Version Plays Critical Role.

3. Security Restrictions Applied on Methods.

4. Game of Privileged / Non Privileged Execution.

5. Dependency on Ingrained Vulnerabilities.

6. Acrobat 8.0 does not support Methods which Acrobat 7.0 does

The Attacker's Nightmare | Security Driven

NotAllowedError: Security settings prevent access to this property or method.


Application Attacks in PDF

Restricted Functions in – Non Privileged Mode

1. ADBC.newConnection.

2. app.addMenuItem / app.addSubMenu

3. app.getPath / app.newDoc / app.openDoc

4. app.launchURL

There are a lot more like that. Most of the attacks use these features to manipulate the normal functioning.

Security Restrictions applied Lay off the Attacks.


Application Attacks in PDF

How to make Attacks more Sustainable : Attackers View Point

1. Finding Requisite Vulnerability : Hard Process.

2. Exploiting the Trusted Behaviour: Designing Trusted Wrapper Functions with Restricted Codes.

3. PDF SDK Plays a Generic Role.

4. Dethroning the NOT ALLOWED ERROR in PDF.

5. Restricted Methods can be Called Easily.


Application Attacks in PDF

Exploiting TRUST through JavaScript Dynamically

Bypassing the Security Restrictions in PDF

1. Crafting a Trusted Wrapper Function with app.trustedFunction()

2. Inject app.beginPriv() and app.endPriv().

3. Specify the Code between these privileged contexts.

// Wrapper: the restricted app.newDoc() call sits between beginPriv() and endPriv()
trustedDoc = app.trustedFunction( function (width, height) {
    app.beginPriv();
    var trustedDoc = app.newDoc(width, height);
    app.endPriv();
    return trustedDoc;
});
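
For review of scripts pulled out of a PDF or found in Acrobat's JavaScript folders, the restricted-method list and the wrapper pattern above translate into a simple static check. The following is an added example, not code from the talk: it takes already-extracted Acrobat JavaScript text, and the function names, labels and sample script are constructed for illustration.

```python
import re

# Methods the slides name as restricted in non-privileged mode.
RESTRICTED = {
    "ADBC.newConnection", "ADBC.getDataSourceList",
    "app.addMenuItem", "app.addSubMenu",
    "app.getPath", "app.newDoc", "app.openDoc", "app.launchURL",
}

# Matches app.name / ADBC.name and the bracket form app["name"].
MEMBER = re.compile(r"""\b(app|ADBC)\s*(?:\.\s*(\w+)|\[\s*["'](\w+)["']\s*\])""")

def scan_acrobat_js(source):
    """Return (line, api, kind) tuples in source order.

    kind is 'trust-wrapper' for app.trustedFunction, 'privileged-block' for a
    restricted call between beginPriv/endPriv, otherwise 'unprivileged'.
    Comments are not stripped, so a commented-out call is reported too;
    over-reporting is the safer failure mode for triage.
    """
    findings, priv_depth = [], 0
    for m in MEMBER.finditer(source):
        api = f"{m.group(1)}.{m.group(2) or m.group(3)}"
        line = source.count("\n", 0, m.start()) + 1
        if api == "app.beginPriv":
            priv_depth += 1
        elif api == "app.endPriv":
            priv_depth = max(0, priv_depth - 1)
        elif api == "app.trustedFunction":
            findings.append((line, api, "trust-wrapper"))
        elif api in RESTRICTED:
            kind = "privileged-block" if priv_depth else "unprivileged"
            findings.append((line, api, kind))
    return findings

def verdict(findings):
    """Summarise one script for the analyst."""
    kinds = {kind for _, _, kind in findings}
    if {"trust-wrapper", "privileged-block"} <= kinds:
        return "restricted API wrapped in trusted function"
    if "unprivileged" in kinds:
        return "restricted API called directly (expect NotAllowedError)"
    if kinds:
        return "trust primitives present, no restricted API matched"
    return "no restricted API use"

# Constructed sample script, modelled on the wrapper shown on the slide.
SAMPLE_JS = '''\
trustedDoc = app.trustedFunction(function (width, height) {
    app.beginPriv();
    var d = app["newDoc"](width, height);
    app.endPriv();
    return d;
});
app.alert("hello");
app.launchURL("http://example.invalid/");
'''

if __name__ == "__main__":
    for item in scan_acrobat_js(SAMPLE_JS):
        print(item)
    print(verdict(scan_acrobat_js(SAMPLE_JS)))
```

Aliased references (for example a variable that holds app) are not followed, so a clean result does not prove the script is free of restricted calls.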


Application Attacks in PDF

Exploiting TRUST Behaviour in PDF : DEMONSTRATION

Step 1 : Running an app.newDoc function directly [ 7.0 / 8.0 ]

Step 2 : Injected through Trusted Wrapper Function


ACR10.tmp file is created without any Error


Application Attacks in PDF

SPAMMED PDF : DEMONSTRATION

1. Designed through PDF SDK for Rogue Purposes.

2. Distributed Along Mail Applications.


Application Attacks in PDF

SOAP – ADBC / ODBC Checks:

1. Querying the Local Database through System ODBC.

2. Easy to Enumerate the Running Databases.

3. Web Services Play a Crucial Part in Holding Information.

4. Holding Data at Port 80 for incoming Connection.

5. Connecting through Client to Port 80 to Access XML Data through SOAP Access.

ADBC.newConnection / ADBC.getDataSourceList()

Follow the Trusted Wrapper Paradigm


Software and Low Level Insecurities

1. Software Inconsistencies due to Exceptions.

2. Exceptional Behaviour in Handling Crafted JS Files.

3. Designing Call Back functions to Bypass things.

4. Memory Corruptions / Memory Exhaustions.

Finding an Internal Vulnerable function.

CVE-2008-2042 | Adobe Security Bulletins


Digging inside PDF

Further Research:

1. Storing Files inside PDF.

2. Exploiting ADBC Functionality in a Stringent Manner.

3. JavaScript for Analyzing in core PDF Software Responses.

4. PDF affect on System Optimization and Behaviour.

5. Finding Vulnerabilities and Software Issues.

6. Attaining Robustness in PDF Applications.

7. PDF Affect on Operating System Security.

8. So on && on && on ….


Resources at CORE

References:

1. Adobe JavaScript: http://www.adobe.com/devnet/acrobat/javascript.html

2. Wind Jack Solution : Resources on PDF: http://www.windjack.com/

3. Backdooring PDF Files: http://michaeldaw.org/md-hacks/backdooring-pdf-files/

4. Security Bulletins of Adobe: http://www.adobe.com/support/security/


Questions / Queries

Sharing the Knowledge and Research.


[root@0kn0ck]# ./thanks
