Thanks to a tip from @riotz, I got my PoC PDF working on Foxit Reader. Remember, Foxit Reader issues no warning when launching a command! So I get to execute an embedded .EXE without any user interaction (except for the opening of the PDF document).
Wednesday 31 March 2010
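The post above shows that a plain /Launch action is enough to run a program from a PDF in Foxit Reader. Added here as an example (not the author's test PDF and not any of his tools): a small Python scanner that flags /Launch actions in a PDF, decodes names obfuscated with #xx hex escapes (so /L#61unch is recognised as /Launch, which a naive string search would miss), and reports the target file, its parameters and whether the document triggers the action on open. The sample PDF bytes are constructed for this example; the object and key names (/OpenAction, /S, /Launch, /Win, /F, /P) are from the PDF specification.

```python
import re
import sys

# Constructed sample (not the author's test file): a minimal PDF whose
# /OpenAction is a /Launch action, with the action name hidden behind a
# #xx hex escape (/L#61unch == /Launch). The parameters are harmless.
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Type /Action /S /L#61unch /Win << /F (cmd.exe) /P (/c echo sample) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" spans, PDF name tokens, and #xx escapes inside names
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw):
    """Expand #xx escapes in a PDF name token (b'L#61unch' -> b'Launch')."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def normalize_names(body):
    """Rewrite every name in canonical form so obfuscated names compare equal."""
    return NAME_RE.sub(lambda m: b"/" + decode_name(m.group(1)), body)


def literal_string(body, key):
    """Return the literal string value following /key, or None if absent."""
    m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", body)
    return m.group(1).decode("latin-1") if m else None


def find_launch_actions(pdf):
    """List every object holding an action with /S /Launch, with target and parameters."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        body = normalize_names(m.group(3))
        if not re.search(rb"/S\s*/Launch(?![A-Za-z0-9])", body):
            continue
        findings.append({
            "object": int(m.group(1)),
            "file": literal_string(body, b"F"),
            "params": literal_string(body, b"P"),
            # /Win holds the Windows-specific launch parameters
            "windows_specific": re.search(rb"/Win(?![A-Za-z])", body) is not None,
        })
    return findings


def opens_automatically(pdf):
    """True if the document declares an /OpenAction (the action runs as soon as the file is opened)."""
    return re.search(rb"/OpenAction(?![A-Za-z0-9])", normalize_names(pdf)) is not None


def report(pdf):
    """Human-readable summary of the findings for one PDF."""
    hits = find_launch_actions(pdf)
    if not hits:
        return "no /Launch actions found"
    lines = [f"{len(hits)} /Launch action(s); runs on open: {opens_automatically(pdf)}"]
    for h in hits:
        lines.append(f"  obj {h['object']}: file={h['file']!r} params={h['params']!r} win={h['windows_specific']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python launch_scan.py suspicious.pdf   (defaults to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(report(data))
```

The scanner is deliberately a regex pass over object bodies rather than a full PDF parser: it will not see actions inside compressed object streams, so treat a clean result as "nothing found in plain-text objects", not as a guarantee.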
13 Comments »
If you can live without the /Launch functionality (I can!), edit the executable:
- search for “^@Launch^@” (^@ == null byte, file offset 7040965 in 3.13.1030) in Foxit Reader.exe,
- change it to e.g. “L!unch” (no quotes),
- save AS BINARY,
done.
Comment by Thomas — Wednesday 31 March 2010 @ 12:20
Thanks for the tip Thomas. I use Foxit (and recommend it to others) because I *thought* it was safe! Trust Didier (aka PDF guru) to come up with something to prove that everything can be exploited … if you know how!
Comment by Iain — Wednesday 31 March 2010 @ 16:20
Cross-application PDF exploit: SumatraPDF not affected!…
Didier Stevens has developed a PDF document that could infect a PC without exploiting a specific security vulnerability in any particular program. Merely opening a suitably modified PDF file is enough to fall victim to the ……
Trackback by Eviltux. IT & Gesellschaft — Wednesday 31 March 2010 @ 16:23
Hi,
@ Thomas: please, do tell us which program you used for doing that!
Cheers
SoerenB
Comment by SoerenB — Wednesday 31 March 2010 @ 19:07
@SoerenB I’m not sure which tool he’s using, but I use xvi32.exe for hex editing. Simple and free.
Comment by Ron — Wednesday 31 March 2010 @ 20:10
[...] Escape From Foxit Reader [...]
Pingback by Un fisier PDF poate executa cod malitios — Wednesday 31 March 2010 @ 21:16
I’ve played around with the launch command before since seeing a metasploit module that used it, and I can understand how you got it to work with adobe reader, but in my tests with foxit reader I wasn’t able to get launch to work with parameters as is written in the pdf spec. Did you do this without parameters or did you figure out a way to pass parameters?
Comment by Anon — Wednesday 31 March 2010 @ 22:48
Has the test file been updated for Foxit?
Comment by ...... — Wednesday 31 March 2010 @ 23:04
How about ghostview? Is it affected too?
Comment by SJ — Thursday 1 April 2010 @ 1:45
@Anon Actually, @riotz found out how to pass parameters in Foxit, and then I updated my PoC for Foxit.
Comment by Didier Stevens — Thursday 1 April 2010 @ 8:18
@….. No, the test file already worked for Foxit.
Comment by Didier Stevens — Thursday 1 April 2010 @ 8:19
Like another commentator here, I also went into the “Foxit Reader.exe” file with a hex editor and altered the only reference to the word “Launch”, changing it to something else.
Could Didier or someone who has access to the test exploit confirm that this actually protects against this vulnerability?
Thanks.
Comment by booty — Thursday 1 April 2010 @ 10:48
@booty You can test it yourself. Download the test PDF from this post and see if you still get a cmd.exe. The first step in the PoC is also cmd.exe. If this fails, the whole PoC fails.
Comment by Didier Stevens — Thursday 1 April 2010 @ 13:30