Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Hacker Discovers Adobe PDF Back Doors



 By: Ryan Naraine
2006-09-15
Article Rating:starstarstarstarstar / 3


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A British security researcher finds that PDF files can be rigged to open back doors for computer attacks; Adobe is investigating.

A British security researcher has figured out a way to manipulate legitimate features in Adobe PDF files to open back doors for computer attacks.

David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.

"I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," Kierznowski said in an e-mail interview with eWEEK.

The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the targets browser is automatically launched and loads the embedded link.

Resource Library:
"At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.

The use of Web-based exploits to launch drive-by malware downloads is a well-known tactic and the discovery of PDF back doors is further confirmation that desktop programs have become lucrative targets for corporate espionage and other targeted attacks.

A second back door demo (PDF) presents an attack scenario that uses Adobe Systems ADBC (Adobe Database Connectivity) and Web Services support. Kierznowski said the back door can be used to exploit a fully patched version of Adobe Professional.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

"The second attack accesses the Windows ODBC (on localhost), enumerates available databases and then sends this information to localhost via the Web service. This attack could be expanded to perform actual database queries. Imagine attackers accessing your internal databases via a users Web browser," he said.

Kierznowski claims there are at least seven more points in PDF files where an attacker can launch malicious code. "[With] a bit more creativity, even simpler and/or more advanced attacks could be put together," he said, noting that Adobe Acrobat supports the use of "HTML forms" and "File system access."

"One of the other interesting finds was the fact that you can back-door all Adobe Acrobat files by loading a back-doored JavaScript file into [a local] directory," Kierznowski said in a blog entry that includes the proof-of-concept exploit code.

A spokesperson from Adobes product security incident response team said the company is aware of Kierznowskis discovery and is "actively investigating" the issue.

"If Adobe confirms that a vulnerability might affect one of our products, details of the security vulnerability and an appropriate solution [will be] documented and published," the company, headquartered in San Jose, Calif., said in a statement sent to eWEEK.

Kierznowski said his interest in auditing PDF files for back doors comes from a fascination with the concept of "passive hacking."

"Active exploitation techniques such as buffer overflows are becoming more and more difficult to find and exploit ... The future of exploitation lies in Web technologies," he said, noting that internal users are often in a "relationship of trust" with the surrounding network.

Confirming a trend that sees Microsoft Office applications—Word, Excel, PowerPoint—used in zero-day attacks, Kierznowski sees a future of client-side hacking that expands the functionality of a service.

"This form of hacking merely manipulates the users client to perform a certain function, effectively using the users circle of trust," he said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Hacker Discovers Adobe PDF Back Doors
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}kw6DىCO-Ȗܭmy,u{:gR$$1HI٭Ο_?q-qv'%,zP(|G޻$i9rskj΢>w߽ [f8mTEK\ߤ~Am;t =4mMFNHB~}@~sfwD%x_'Щ=ѩ&€wɔZiКلؗ>}~qb .pqLQm/ xuGpaFA|Q/Ǣu)t#(D-Dm:]'w*GUFn3pa_ʞy5ExLԤ#|xB'gxdYg3 (ƻfՉziZg#2]pj:TN`UFfn =KQFr[BM*-M Dƞ4ICKh;Eýȵ }:|p 09ju j=nf,n@w0\'p}j b@rhưcip'|2XpiG?j%5ᆑO?IƒN8CYnݰ뺷}=-:ҍۉ}4 .j.9bm ͻS /dRrhXdq}9e,4a[mѡlطǚZjuE9.C|x,^/[̿X\hoF_JU4E9_v?\H #[wn ZI;^}ꜟGr ] + o%&W ZDTQRx& Rc@G'$@Bݓ >o VQ+aISc ԏ40"J3zĢ!Is2hOs}uwȠs9CF,[SA4 衊Ġ+`Wk2h^tܜo.9nMI{#)|v>5M0\ܱ¬8֪V7`KK'^C/3Q?&:aZ+CI-Cw:|!޺xr=%IoJ?> . !_w nr@ i/]"/KŗG)LY4C! ,тmdƱ(|ǺrNe9AcM'C6kiJuV!`FCܺkN$9(ȟk4R\ 9jb vfM)iK3_^*-ͿEh+bԜөɛ!"ƈO9x|!XsI((G&μlOyx>zY[5'jdamE՘iH .Cu&ͳNk&e.:~}T364>H ,I!eݴ%稫V&cTf~\CU9-zQnũl :2X bXP7XaQ/?0 t3ϼc|>55F㤞F!|emxq=Z.VS4!&-a^i1[ <ۋJPIxZ3xv&z$t@ h&rkIO7.[A0? ; O`r]ɝ5E05ݻ#i`y1yj 8=*~s`=w}   lk6G~[>l0sţ q0yzۢ dSJJd 4.'H(AH 9[h ]99Y ŊP~ݑvZ)JHT*nOq$wV*_*esMX)gQY,p[/)Pf%5{~4 cbB|#'&Xr`Y \d+|h)lc l[6؛ri:|:ioBg< 0 uU-$-Xb I[$%\EwTm::ޟ=F~Lh?wܰH}G  +ZsξS :ˋj|X#,TfB7g ƩeLI|EpL2jԽǦ5\'1nuK\4=fX7*hMO5XScXO`D~wzb8ugm/n1`V|\u\g˦zkfXؽ/ 7J@]֥P+ rLZԵ1 E$$"Y `}.eOqHLīd-~6pȞZc7l`(`R5) KA+٫ X3ld xAqFFݔ`ADLl5TWթz4}&.H{LgH~qP9>룔YXp$8hS*}a3*403<`m1Lx>Hx# d\6V,'Ё*8t̳tgyq88_Y:žtْүxNpڊ:Dۣh2f ñeH׽iA̫UXȏE}T5A" D ȸla,riL*wڶ{>QidY(yR+r!9 gֈQ8U1']g ĕQ/ay@٘*# k Bo`" 2l3sG/.ftw݉M% i4Q.)J5E` L] T< ty;= :6. 3H#60/`k.^@>%%@#P0"AcK鬡cKU1SOm{hCy-X\(Tt a"!1}ڧ>nssQ*r7+ )T;fz^*k 6UUR;.Z {}|8=ehLQ8tc}y __ Q͠83hÿ>+CzCp`>s@.}O>zN¢ ,{h'Ȑ]-'LiG Ó2R1P^Cs2]((:H3 |jVQ=/YQwfSa "gԶwq 5\ EY;_Q>Z6i` :2.eۏSWNK@(Aܚ:z,,H0?N#3hh 03-dqCUjʾ_n+> )& Lu0Ȉ%=WlTjo1՟l$R*mCĮ01^*==@7_)-ʶ~g˦׆'ayϤ͋h|5]|jsHP MG9F)T,ۀ ^0;3kF_H]mM;fr/cS>/#W5KHBO"+>aL:T{7 s0X3f~ru+u086 ([wOtvXuL-&oZc d6ōfπiΈǖ2mC L P; `E'8wD15۝S,K8ߋIUP3)æRQu@VI^Aұg /@C׳@.l̼ITCGTUeH5iH3k9 =EZЋqc*&jĮOmqTYe) @qg@fr/퉚&RA3aMٸU~J봺%I? OM= h+QˤܓG\\7hoy!?"X7P)~39Ȕ)xT-kZl[Ԫc"iqC` IZVS"YK@rvzJ5+ ePexp|{W !&1ǷWXL]tKMWF@"'!M43,`jRUܘ㏌&}=NMПBP`&ю0pmɪO@T ~1tc1μYV̶\f~GQWkﻛn{ሔ4}ֻHg#<d^=G #W~w]A18M0^x_Ҹ'^@C~?H׽m{zGY^9gP K Rcbw}Wsj56zv9D 72SH4z7.iwOeGJ:7]w9&Q!λ/XG}9=ﴮM1&03hĂ@⑩!g<`ziB*XKݹĂqK՜4"z ON3"nPU88єmjkoc8 Z`!_BߐtPVc (ʱ=`` Ɉvu α@$B@npkz!NU 㯈e,e$+e32p&;' <"9gxDwDp/r~#<B</Mp<& ]l=8Y,rluF;DzNbp lwycr!,-D3_w jEާ5PZIR"9oũ-pOӖO\gax!um(q%ӝr*(BٺCO[ ,m-f̑s$SѤ\ GAgJȄaye5a5R!MLCYOC/D$a;B6z{ giMO.m2gjt/6DrF\`ql)JZQ""A|J| a=mG@)Rr';$#}@J^KKHeW&BZ0><-@s`:S<B@+GCQ=,{'RÚv{3 >= ](3vS6l\N*rb*9,_}=RvӅc `С';$st7#gLةEݘtvh=' 9 X 1#6q= pv#({A\[µ𣉣S㻞Pa +0q)ym43ˁm.w@;-->eُ ! G LeRvQqJo>gs]J{)uO].;Iĩ&}!/͝_X)i'b ICkxʁecJ)t&Bp z&p'L09E Kb:F1mM^}m%;-n*as:-7ɄEY8nI ,zDB17tu@$iNJbB: ~I ]e^51U P-$@^M\`\*i?3-8kg:&%H(cx;JGl+N ENL;Ò3 n3 6˵dDZ\?S %WCޮ8]yWª$R;0%^?K ;<𥋔UGd%;9OtҔDba߭ģy^6(_B@mC 9$a6OTZS*ʇ}j>8F?n([4^'qg}6C&K7> ? j#N^V;.m 57o9]!Ռ(K#„hD9g{e) EC4e}JmzGmC Q飇ᧁ$ xI}HJJ) @iaY+f`v2D@L*`JQ= hE0K!V4%^"t= E'z3nIUaoӧrV{}0H 〤Unj=+js;LUR4I)mK2g'4`֓)8욟aPA8#S0egln[sGJImK*. }N]}ı|x͇l9sO`I-J<l(]`K쎙GYKI*.m"eO>٭o$I#$5cK }6wn@XH]R4Z@bQLLW~~%dͨځ4?r~|thPv2y9j<߂9/6/7dSSl9#,Xˆ4oKW{[.aS><r5,i5,+o` ?-`IX +3؋ &H1ϊϊsBےj_'Pss`t 7ĚHxSֵeL A`P?5"&ew 2N~=@>aI×Dp|6P[yK}3Nx[`nIG} WBQ;4K&-.ܔܔܔܔMksS`;ġ7\RgWi~8m=U7k1}nZ+FQ_KciyZZELu2di6,h0*U')ckku0͕G_![}iqwBwHQ-Fl+@ $28FjcX|yކTR+҅h>sL +z6@L  s >Bv{s7^-)=VqI%ѥ޹:C+sgl&EbXԒN`D{}TDx xk#ngFS$0~%VbǧjE/tyR0zUioh4f^v m2I{>b=j$q6^r[ޫt P(EFtZ9rBsoki_f^7W+C۝ZVA ]eD&Rş-/Tz3)禥ܯW{ߗrK ߁)}u:;-ܝ`Rid'*ĉ2-a y/̰d66<^II-=ڶ/h `|F0U-c l S8UT#y=&U6忍#+tѕd]oJY*VC}_ߩ\m.`c~C2o%hj6_fؐ)j%"Q0M #cqX'1ͯrzXy";HG+)z`3;k҃%:?w}L$5h Νko(j {/jg闶UxÉO}KAȼ m-^Nܓ]فa`"nb1E+l@.hr}˜.-twwGxq{Q3c*F]{N9-(d ~kK[,ze+pAaD0> GvG#0k~/ЍoR"j\UjsC:SsWF%3{H JD 4{CX^qP3"IO~4Gcu\_SS[׆Zo [3rh!@ ,%=n,"%xa /]yu%ϸHFPxIg2(`3, ^ZJ715ǜSK:r\(.IQ:+Ȓ~We=_@֋S+ nMUJ9t[`ɧj** IT x-5֠6ǝOj6j=!Ƀ`5<ؕSvn&%+k]қ≡ĚU֝u~ؓRcB-*);,OueC-Mą@I[+`63~OR!g@%UX7\ 0>j4-lV/ժX+)Z{ʋzhX4z O\YkJMU0}j1> Z#zaMz`JBOK.dڣGF^NF<0JE+;o/p#T؀0qr}K;RJP`o3ɿcbķd1ǖC/0经UKzt׳cw+襃u8p@Jo$xޝ+j߶$|tŒCfs'I#m:s_`i*pm[d{=y-h<#Թ|יEiw9r}{Ω03r1S %'ev2j /0̊~Ux[jhwyHD,4];~  A[ut >? jg~RߊMX0W0a2VԞk4*xp=@!K|\_ŌVS\>fFkYAcˠO׈1| }(G n%yVmIz.kx>ahR~V7>2a:$.+J17 Nwa-=2.Ʋк|U/~m#k^Kʑf [ѹ*% cDTw/sOaD9P=SAbX"bZ1ֈQ(px ~3&gN;"&(a kE$06oN#cߝF$%Sb`" a9=g1;my^p$KgOȧ^1rKT-#@a=Q#3)-+9Fp_A(Hm*RvqU@y+DD͂zG(c~JDFx_|g4`yn F"O-x})5lDM<2BskQ>閣FMQtV#ߛ~p3,ȏe*nL rH$`x=9aicƀta~X{SdO 0  Ka1c~Po֔J$2 >*%3ʰLXU+S/0ͪG2q2¥JV J`xFA dhz?;)HIPu0՝%?5iN?OWnt{7x Zӷhlԝsk>]}>^vBAcQl\_dj(,Ǜ,# rvٺ0;eNq*g:.ͅdUx,ys9,tG14yxUüzWzqL[njIA~ݾZ>Z[NAw/|veQS̑:jS#ZuR_GM&7bc9HShF&5+:r<)))-VNy{9HmAS~ 姛?g9yBCwsy]hv9пnN?ӽ)wsKS?o.?9A5/r3 { E~.`9ȡ ϋD'(S? S~909{ s?09׃rˑ?=/rqCWU@?9Ӈs߇s?P>'(W3OO9rߛorڿɡ=>k]T$RhK "S^9,.r&]\͠mC7ao/c+FS÷p\;]gsR&M;,U~f.g-Wq41F;(Dr(9Pdz l1Ax#Lx΅s`" >oٚ^^g NG*K Y6-47ܲ%s˸ [5dZ#jXMr3 9;GZ$'D^āAB3s|̪\DDF~Gq!je: ҩ/ixmTώ;[; L7QgQ?C3lf͘K:Fƫl/&c?HwR C ed3b}^(u 61-dx$[ K}~jɞ"3)D]Û'dOW>[o,*1 {;sH.4s砿-C{1L9 H\}l.I "2HH 2s{D|%{j=Sn Ee v"щe:4%.*p+~甽aCz+F2jSo:h}rW-~PƂ)mød9|Y«E/_}'!1Fq_Hs3n=GIk'_7 B3q4 Y8[V"?U ztB%:*م7xT*Hq&x0D~ElG`A.{ayH(t&Iw cNSc? `nwf9xOe]XaYѶy S~j](#o 66x}҂ .apgU6y6s*>`HA1YE}2\Dxkyf%3+~`[wt-(5x>;nGLe(|_a[0~OX+JbA<\n2?>%i3H|@ }( of4z5`y+@LW pS`p#+2ucBR(cto@ U!?c]'nFQXƦi#®u4mlveѩ&/ߵS7qݼD]Y>Ѝ ϰ!ngNb*χŀ𞭟{Ⱦ16af+9uOUl g)dv̅2 !Iyyu~ҕ^)I&acQd+$*)ؐW k`LbV@1,F Tv7@ 'Ɣ ϰ" s+׶),S[TS'>UAw|pm j 6Wx/{c|[wD85baF(/z0 \\OkÔpaf#3/& Ax& =`#hxj"nRi1 Lf'l%I >d3a#7Dj0Br+d[Hڅu&ck^೨b//bA,xr&r*_xWI"cXMb0X :L+O  +R bep?|Ykh ʳ@:k]t?J`hh>!>T!6xNњy:Fnғ/{/RTF^ZP$Du zWv{>]7L~s Whc< xL -2VjwNVtƦI21qzr륭{Q'b"mR?-۔̑r&s.cKMfZ)֦O*LΙ㇅c>lg Mt )>)vmb-6C-{p7)