Jul 01 2010

Adobe fix still allows “Escape from PDF”

Published by at 12:11 am under Security Research

On June 29, 2010, Adobe published its security updates for Adobe Reader and Adobe Acrobat (APSB10-15). Among the many vulnerabilities fixed this time, the notable one is the /Launch vulnerability (CVE-2010-1240), credited to Didier Stevens. Unfortunately, the patch does not work properly.

The /Launch vulnerability was disclosed by Didier on March 29, 2010. Since then, many viruses in the wild have taken advantage of the flaw.

It took Adobe three months to release the patch, which I think is far too long.
In his blog entry, Didier confirms that Adobe has completely fixed the flaw. I therefore decided to check the patch carefully, and it turns out to be incomplete.

First, I open the exploit PDF file with the latest version of Adobe Reader.

Before version 9.3.3:

Version 9.3.3:

The patch seems to be working. Now, what happens if I modify the exploit code a bit?

Specifically, I add quotes around the parameter passed to /F.

E.g. /F(cmd.exe) becomes /F("cmd.exe")

With the quotes added, Adobe Reader no longer blocks the execution, and the warning becomes as follows:

After pressing Open, cmd.exe is executed!

So, Adobe Reader version 9.3.3 has fixed the fake warning message, but the threat of exploit code execution still remains.

You can verify this by:
1. Updating Adobe Reader to the latest version, 9.3.3.
2. Downloading the PoC (runs cmd.exe /c "calc.exe").
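The bypass described above comes down to a check that looks at the /F value exactly as written. As an added example (not code from the original post, from Bkis, or from Adobe), here is a small Python scanner that extracts the /F target of every /Launch action in raw PDF bytes and compares two verdict functions over it: one that tests the value as written and one that normalizes it (trims whitespace, strips wrapping quotes, reduces to the file name) before testing the extension. The sample action dictionaries are constructed here, and the two verdict functions are illustrative stand-ins, not Adobe's actual logic. The scanner is a heuristic over uncompressed object text; it does not decompress object streams.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample /Launch action dictionaries (not taken from the post).
# The first has the shape of the original PoC, the second is the quoted
# variant the post describes, the third spells the same target as a PDF
# hex string with surrounding spaces.
SAMPLE_UNQUOTED = b"<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c calc.exe) >> >>"
SAMPLE_QUOTED = b'<< /Type /Action /S /Launch /Win << /F ("cmd.exe") /P (/c "calc.exe") >> >>'
SAMPLE_HEX = b"<< /S /Launch /F <20636D642E657865 20> >>"
SAMPLE_BENIGN = b"<< /Type /Action /S /URI /URI (http://example.invalid/) >>"

_LAUNCH = re.compile(rb"/S\s*/Launch\b")
_LITERAL = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)", re.S)   # /F (literal string)
_HEX = re.compile(rb"/F\s*<([0-9A-Fa-f\s]*)>")               # /F <hex string>


def _decode_literal(raw: bytes) -> str:
    """Resolve PDF literal-string escapes: \\( \\) \\\\ and \\ddd octal."""
    def sub(m):
        e = m.group(1)
        return bytes([int(e, 8) & 0xFF]) if e[0] in b"01234567" else e
    return re.sub(rb"\\([0-7]{1,3}|.)", sub, raw, flags=re.S).decode("latin-1")


def _decode_hex(raw: bytes) -> str:
    """Decode a PDF hex string; whitespace is ignored, an odd trailing digit is padded."""
    digits = re.sub(rb"\s", b"", raw)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def extract_launch_targets(data: bytes, window: int = 512) -> list[str]:
    """Return the /F target of every /Launch action in the raw PDF bytes.

    Heuristic scanner: it looks at the bytes after each '/S /Launch' for an
    /F entry, whether that entry sits in the action dictionary itself or in
    its nested /Win dictionary. It does not decompress object streams.
    """
    targets = []
    for m in _LAUNCH.finditer(data):
        chunk = data[m.end():m.end() + window]
        targets += [_decode_literal(x.group(1)) for x in _LITERAL.finditer(chunk)]
        targets += [_decode_hex(x.group(1)) for x in _HEX.finditer(chunk)]
    return targets


def naive_is_blocked(target: str) -> bool:
    """Illustrative check that tests the value exactly as written.
    A wrapping quote or a stray space means the extension test never fires."""
    return target.lower().endswith(".exe")


def normalized_is_blocked(target: str) -> bool:
    """Normalize first, then decide: trim whitespace, strip wrapping quotes,
    reduce to the file name, and only then test the extension."""
    name = PureWindowsPath(target.strip().strip('"').strip()).name
    return name.lower().endswith(".exe")


def audit(data: bytes) -> list[tuple[str, bool, bool]]:
    """(target, naive verdict, normalized verdict) for each /Launch in data."""
    return [(t, naive_is_blocked(t), normalized_is_blocked(t))
            for t in extract_launch_targets(data)]


if __name__ == "__main__":
    for label, sample in [("unquoted", SAMPLE_UNQUOTED), ("quoted", SAMPLE_QUOTED),
                          ("hex", SAMPLE_HEX), ("benign", SAMPLE_BENIGN)]:
        print(label, audit(sample))
```

Running the block prints one line per sample; the quoted and hex samples are the ones where the naive verdict is False while the normalized verdict is True. For triage of a real file, pass the raw file bytes to `audit`; any non-empty result is worth a look regardless of the verdicts, since a /Launch action in a document that has no business launching anything is itself the signal.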

Le Manh Tung
Senior Security Researcher

33 Comments to “Adobe fix still allows “Escape from PDF””

  1. [...] here's the issue, a blog post that says it's an incomplete fix or patch (Thanks to fellow CNET mod, Carol) because with v9.33, an execution can still occur. [...]

  2. Peter on 01 Jul 2010 at 2:57 pm

    Didier Stevens confirmed on his Twitter that your bypass method works on the latest update of Adobe: http://twitter.com/DidierStevens.

    Thanks for this blog entry.

  3. Bananas Development Blog on 01 Jul 2010 at 8:02 pm

    Adobe fixes PoC in Reader. Or does it?...

    On 29.06.2010 Adobe released a few updates, which also mention CVE-2010-1240. More information here and here. Unfortunately, Adobe did not manage to solve the problem. The special thing about it is that people are complaining....

  4. DAS on 01 Jul 2010 at 10:48 pm

    Excellent! Thanks Bkis, you are great as usual!

  5. [...] http://blog.bkis.com/en/adobe-fix-still-allows-escape-from-pdf/ [...]

  6. [...] A demonstration is given by the security firm BKIS: Adobe fix still allows “Escape from PDF”. [...]

  7. [...] another researcher, the Vietnamese Le Manh Tung, has discovered that the patch can be bypassed simply by putting quotation marks around the hostile command used [...]

  8. Neale Killick on 02 Jul 2010 at 4:02 pm

    I’ve just tested this with Foxit Reader and it can launch the Command Prompt but not calc.exe. I suspect this is vulnerable as well.

  10. Rishabh Dangwal on 02 Jul 2010 at 5:20 pm

    Why even use Adobe PDF software on a computer? It's bloatware and a system hog and comes bundled with unpatched vulns. Plus, nowadays Adobe has become an inherently insecure platform, be it Flash or PDF. What are these guys thinking? Buffer overflows, remote file exec, ActiveX vulns are crippling Adobe as a reliable product creator.

    -Rishabh Dangwal

  11. Daniel Rainbird on 02 Jul 2010 at 6:52 pm

    Adobe has a registry value to control the launch attachment permissions, at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cDefaultLaunchAttachmentPerms\tBuiltInPermList

    This value contains a list of extensions and the default action (i.e. 1 allow, 3 block). One workaround is to add |.exe”:3

  13. [...] Manh Tung of BKIS does not agree. In a blog post he explains how you can still let the attack go through with a very simple [...]

  14. [...] run embedded executables. However, BKIS Senior Security Researcher Le Manh Tung has found that the Adobe fix can be circumvented if an attacker modifies the code by adding quotes to the parameters passed to /F, for example [...]

  16. [...] reports indicate that the current fix does not completely solve the problem, as proof-of-concept code bypassing [...]

  17. [...] This post was mentioned on Twitter by Didier Stevens, Wolfgang Kandek, Timeless Prototype, Alexandre Dulaunoy, MacLemon and others. MacLemon said: If these claims are true, Adobe did a good job in keeping PDF as a Penetration Document Format. Acrobat 9.3.3 Update… http://j.mp/90cJd6 [...]

  18. [...] contains functionality to block my /Launch action PoC, but Bkis found a bypass: just put double quotes around cmd.exe, like [...]

  19. [...] this protection can be bypassed easily by simply including quotation marks, as researcher Le Manh Tung explained. This problem was acknowledged by Adobe, which promised to investigate [...]

  20. [...] protection can be bypassed easily by simply including quotation marks, as researcher Le Manh explained [...]

  22. [...] Adobe fix still allows “Escape from PDF” (Via CHW) [...]

  23. [...] to learn more details, visit the blog of [...]

  25. [...] few days after (1st July) information on the Bkis Global Task Force Blog showed that only [...]

  26. [...] protection against embedded scripts incomplete. In a post on their blog, security firm Bkis reports that the protection against /launch attacks, introduced in Adobe Reader and Acrobat with update [...]

  27. Steiner on 09 Jul 2010 at 7:02 am

    Congrats guys!

  28. Adobe Reader – Vulnerability despite patch on 13 Jul 2010 at 4:53 am

    [...] that were supposed to fix the bug. As the Vietnamese security expert Le Manh Tung has now found out, the security restrictions that Adobe built into the update can, with [...]

  30. lea on 24 Aug 2010 at 4:04 pm

    Hello,

    Is there any way you could release your PoC code? It seems really interesting.

    Thank you.

  31. Charles12 on 22 Oct 2010 at 5:31 am

    Hi,

    I’m interested in your method. I tried and succeeded with a txt or jpeg file using make-pdf-embedded.py but nothing happened when I wanted to use an exe file.

    What is the correct procedure to call it and create a pdf with an exe (maybe a proper exe and not one already located on the computer like calc or notepad)?

    I used:

    make-pdf-embedded.py -b test.exe test.pdf

    Thanks for your answer

  32. Le Manh Tung on 22 Oct 2010 at 3:39 pm

    Hi,

    In fact, with your command line (make-pdf-embedded.py -b test.exe test.pdf), the content of the test.exe file is still embedded into the test.pdf file, but the security policy of Adobe Reader, as well as that of many other PDF readers, will not allow you to execute an .exe file embedded in a PDF.

    Since by default Adobe does not allow an .exe file to be run upon opening a .pdf file, Didier’s findings about file execution via /Launch are considered a vulnerability.
