David Kierznowski has published proof of concept documents for exploiting the ubiquitous software that are not traditional software code flaws, but instead demonstrate a new trend affecting desktop applications -- the use of legitimate features for dangerous ends.
Last week, a U.S. government research body found that attacks using cross-site scripting or Web-oriented scripting languages had become more prevalent than the more traditional buffer overflows, which affect desktop application code.
"Recently, there has been alot of hype involving backdooring various Web technologies," said Kierznowski in his study (http://michaeldaw.org/md-hacks/backdooring-pdf-files/). He said PDF documents seem like an obvious target because they support JavaScript, but found that exploitation wasn't straightforward, partly because Adobe supports its own JavaScript model.
"There are quite a few twists and turns," he wrote. He said Adobe Reader and Adobe Professional also have very different restrictions on which JavaScript objects are allowed.
The first attack, found here (http://michaeldaw.org/projects/backdoored1.pdf), adds a malicious link into a PDF document. "Once the document is opened, the user's browser is automatically launched and the link is accessed," wrote Kierznowski. "At this point it is obvious that any malicious code be launched."
The document works equally well with fully-patched versions of Adobe Reader on Windows or Mac OS X. It doesn't affect other PDF readers, such as Foxit or Mac OS X's Preview. Testers also noted that if the test document is launched from the desktop, it warns the user before opening the link, while if launched from the Web there's no warning. "Both Adobe 6 and 7 did not warn me before launching these URLs," Kierznowski wrote.
The second attack uses Adobe's Adobe Database Connectivity (ADBC) and Web Services support, accessing the Windows ODBC, enumerating available databases and then sending the information to "localhost" via the Web service. The test is found here (http://michaeldaw.org/projects/backdoored2.pdf).
Kierznowski said that because of the nature of the attack, using legitimate features, it was likely that similar exploits were likely to be possible using Adobe Reader's support for HTML forms, file system access and other features. "I am sure with a bit more creativity even simpler and/or more advanced attacks could be put together," he wrote.
He noted it was possible to backdoor all Acrobat files by loading a JavaScript file into Acrobat's JavaScripts directory. Adobe said it has no immediate plans to alter its products' JavaScript handling, but said it is aware of the research and is "actively investigating" the issue.
Just today, Adobe released Acrobat 8 and integrated it with its upgraded Creative Suite 2.3 Premium. The company said Acrobat 8 Professional will be available for Windows and Macintosh, with Acrobat 8 Standard for Windows, from November, in English, French, German, and Japanese.