MALICIOUS URI RESOLVING IN PDFS presented at Blackhat Abu Dhabi 2012

by Valentin Hamon,

Tags: PDF Adobe

Summary : "Attacks by PDFs are most often done from inside PDFs themselves, they are so subject to shape detection. Now, imagine that the malicious content is not in the PDF opened by the victim. In fact, using internal legitimate Adobe mechanisms to do so can be advantageous for an attacker. Submitting forms allows these possibilities. It is not like the well known method URI, it is better. It allows an attacker to greatly expand his panel of attacks from a PDF.
Basically, the purpose of this paper is to show that the simple use of an HTTP request from a PDF can be a pretty good vector for an attacker. Furthermore, this paper deals about how it can be relatively easy to reuse some web browsers vulnerabilities from PDFs. In addition to that, we found out a new way to determine the Adobe Reader's version of the victim even before any malicious action.
This paper will begin by a short description of Adobe Reader network mechanisms and the security related. Then, this paper will deal about some new weaknesses discovered about the URL Security Manager of Internet Explorer. Finally, two attack scenarios will be detailed. The first scenario is an example about the use of risky JavaScript functions in Internet Explorer from a PDF. The second scenario shows a new way to use vulnerabilities exploits in PDFs. It is a strategic way of attacking that emphasizes the collection of information before the attack itself."