A British security researcher has figured out a way to manipulate legitimate features in Adobe PDF files to open back doors for computer attacks.
David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.
“I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this,” Kierznowski said in an e-mail interview with eWEEK.
The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the targets browser is automatically launched and loads the embedded link.
“At this point, it is obvious that any malicious code [can] be launched,” Kierznowski said.
The use of Web-based exploits to launch drive-by malware downloads is a well-known tactic and the discovery of PDF back doors is further confirmation that desktop programs have become lucrative targets for corporate espionage and other targeted attacks.
A second back door demo (PDF) presents an attack scenario that uses Adobe Systems ADBC (Adobe Database Connectivity) and Web Services support. Kierznowski said the back door can be used to exploit a fully patched version of Adobe Professional.
“The second attack accesses the Windows ODBC (on localhost), enumerates available databases and then sends this information to localhost via the Web service. This attack could be expanded to perform actual database queries. Imagine attackers accessing your internal databases via a users Web browser,” he said.
Kierznowski claims there are at least seven more points in PDF files where an attacker can launch malicious code. “[With] a bit more creativity, even simpler and/or more advanced attacks could be put together,” he said, noting that Adobe Acrobat supports the use of “HTML forms” and “File system access.”
“One of the other interesting finds was the fact that you can back-door all Adobe Acrobat files by loading a back-doored JavaScript file into [a local] directory,” Kierznowski said in a blog entry that includes the proof-of-concept exploit code.
A spokesperson from Adobes product security incident response team said the company is aware of Kierznowskis discovery and is “actively investigating” the issue.
“If Adobe confirms that a vulnerability might affect one of our products, details of the security vulnerability and an appropriate solution [will be] documented and published,” the company, headquartered in San Jose, Calif., said in a statement sent to eWEEK.
Kierznowski said his interest in auditing PDF files for back doors comes from a fascination with the concept of “passive hacking.”
“Active exploitation techniques such as buffer overflows are becoming more and more difficult to find and exploit … The future of exploitation lies in Web technologies,” he said, noting that internal users are often in a “relationship of trust” with the surrounding network.
Confirming a trend that sees Microsoft Office applications—Word, Excel, PowerPoint—used in zero-day attacks, Kierznowski sees a future of client-side hacking that expands the functionality of a service.
“This form of hacking merely manipulates the users client to perform a certain function, effectively using the users circle of trust,” he said.