• Home
  • About 404TS
  • Contact

404 Tech Support

Where IT Help is Found

  • Articles
    • Code
    • Entertainment
    • Going Green
    • Hardware, Gadgets, and Products
    • Management
    • Network
    • News
    • Operating Systems
    • Security and Privacy
    • Software
    • System Administration
    • Talking Points
    • Tech Solutions
    • Web
    • Webmaster
  • Reviews
  • Media
    • Infographics
    • Videos
  • Tech Events
  • Tools
    • How do I find my IP address?
    • Browser and plugin tests
  • Get a Technical Consultation
You are here: Home / Articles / Security and Privacy / Exploit PDF Files, Without Vulnerability

Exploit PDF Files, Without Vulnerability

2010-03-31 by Jason

A fully patched Adobe Reader and FoxIt Reader are currently capable of launching an executable embedded within a PDF while not making use of any vulnerability. Didier Stevens, a security researcher from Belgium, explained the exploit without publishing how to do it on his blog Monday. The trick doesn’t rely on Javascript, which has been the culprit in many of the recent Adobe Reader exploits.

With a little social engineering, the demo PDF is able to trick users into running the executable in Adobe Reader, while FoxIt doesn’t display any message or wait for confirmation.

I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.

You can see what a loaded PDF looks like through this video that Mr. Stevens created:

His website also offers a simple demo PDF that you can download that will attempt to launch the Command Prompt through a PDF. (Note: You’ll only be able to see this demo on Windows machines because other OS’s won’t have a cmd.exe in the same path. According to several comments, the path can be adjusted for Mac and Linux systems though.) The issue was reported to Adobe’s Security team and we’ll have to wait and see if they have a response.

(Via Threatpost)

Filed Under: Security and Privacy

Trending

  • 3 different types of hackers [infographic]
    In Infographics
  • On WordPress security
    In Infographics
  • USB 3 Type-C docks arriving for MacBooks
    In Hardware, Gadgets, and Products

Latest Media Posts

Find Out Where To Download SNES ROMs

Find Out Where To Download SNES ROMs

Multifunctional Video Conversion Tools – Wondershare Video Converter

Multifunctional Video Conversion Tools – Wondershare Video Converter

  • Popular
  • Latest
  • Today Week Month All
  • How to ‘Unblock’ multiple files at a time with PowerShell How to 'Unblock' multiple files at a time with PowerShell
  • Increase IIS Private Memory Limit to improve WSUS availability Increase IIS Private Memory Limit to improve WSUS availability
  • SOLVED: “This modification is not allowed because the selection is locked.” SOLVED: "This modification is not allowed because the selection is locked."
  • Configure Outlook to recurring appointments for the last weekday of the month Configure Outlook to recurring appointments for the last weekday of the month
  • Creating and editing views in phpMyAdmin Creating and editing views in phpMyAdmin
  • 3d rendering circuit cloud for cloud computing technology Build and Deploy a Modern Web 3.0 Blockchain App in 2022
  • Telecom Application Development: When to Outsource Telecom Application Development: When to Outsource
  • Printer printing document wirelessly from mobile phone or smartphone wifi connection vector flat cartoon illustration, file air print on fax or ink jet via cellphone bluetooth modern design Why Your Business Needs Online Fax Services In 2022
  • 6 Best Ways to Protect Your Business Account 6 Best Ways to Protect Your Business Account
  • How to download videos from Instagram How to download videos from Instagram
Ajax spinner

Elevator Pitch

404 Tech Support documents solutions to IT problems, shares worthwhile software and websites, and reviews hardware, consumer electronics, and technology-related books.

Subscribe to 404TS articles by email.

Recent Posts

  • Build and Deploy a Modern Web 3.0 Blockchain App in 2022
  • Telecom Application Development: When to Outsource
  • Why Your Business Needs Online Fax Services In 2022

Search

FTC Disclaimer

404TechSupport is an Amazon.com affiliate; when you click on an Amazon link from 404TS, the site gets a cut of the proceeds from whatever you buy. This site also uses Skimlinks for smart monetization of other affiliate links.
Use of this site requires displaying and viewing ads as they are presented.

Copyright © 2022 · Magazine Pro Theme on Genesis Framework · WordPress · Log in