PDF Defiling Intro

PDF, n.
\p-di-ef\

I. Portable Document Format (PDF) is a file format created by Adobe Systems in 1993 for document exchange.

Defiling, tv.
Defile, v.
\di-ˈfī(-ə)l, dē-\

I. a.to make unclean or impure: b.to corrupt the purity or perfection of.

PDFs, and more specifically PDF viewers, have received a lot of attention over the past year, with several 0days affecting Adobe Reader 1, Foxit Reader 2, and even Xpdf 3. Vulnerabilities in PDF viewers aren't anything new (here are some of my favorites) 4, but what is new is the increased interest in PDF exploits: discovering them, detecting them and defending against them.

In the security community there has been a significant increase in the discussion and development of tools relating to PDFs. In the realm of discussion, by far the most noteworthy is Didier Stevens; his blog is a treasure trove of information about the construction and exploitation of PDFs. However, the first talk I encountered which thoroughly covered PDFs and the ability to use them maliciously was bh-eu-2008-Filiol 5. Since bh-eu-2008-Filiol there have been several other talks; I've included them in the links at the end.

The tool chest ranges from standalone exploit payloads from Metasploit, Immunity CANVAS, and CORE, to pdfid from Didier, PDF Structazer.exe from Esiea Recherche, and a whole myriad of others. Attack Research is going to add to this by releasing several tools and, over the next few posts, showing their use and flexibility in the hope that others can benefit from our research and development. AR's tools start out primarily as a simple PDF parser which can be rapidly built upon for fuzzing, analysis, and exploit development.

First I will start with PDF forensics and show the analysis of several PDF malware samples using AR's tools and others. Second, I will move on to the use of the AR tools with the Metasploit Framework to deploy a simplistic exploit that shows the social engineering impact of PDFs. Finally, I will show future areas where AR's tools can be applied to rapid exploit development and fuzzing.
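As an added illustration of the "simple parser that analysis tooling gets built on" idea, here is a small Python scanner written for this post's edit; it is not one of AR's tools and not pdfid. It splits a PDF into its indirect objects, counts the pdfid-style keywords that make an analyst look twice (/OpenAction, /JS, /JBIG2Decode and friends), and pulls literal-string JavaScript out of /JS entries so it can be checked for the API names that appear in the footnotes. The embedded PDF is a constructed, benign sample, and the keyword and API-name lists are my own choices rather than anything the post specifies.

```python
import re
from collections import Counter

# Constructed sample (not a real malware file): a one-page PDF with an
# /OpenAction that runs a harmless JavaScript alert, plus a dummy JBIG2 stream,
# so every code path below has something to find.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /JavaScript /JS (util.printf("%d", 1); app.alert("hi");) >>
endobj
5 0 obj
<< /Length 20 /Filter /JBIG2Decode >>
stream
xxxxxxxxxxxxxxxxxxxx
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# `N G obj ... endobj` blocks; DOTALL so dictionaries and streams spanning lines match.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)

# pdfid-style triage keywords (my selection). None is malicious on its own;
# several together in a document that "just" displays text deserves a look.
KEYWORDS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
            b"/JBIG2Decode", b"/EmbeddedFile", b"/RichMedia", b"/AcroForm"]

# Reader JavaScript API names from the vulnerability footnotes of this post.
API_NAMES = [b"util.printf", b"Collab.getIcon", b"Collab.collectEmailInfo",
             b"customDictionaryOpen", b"getAnnots"]


def parse_objects(data):
    """Return {(num, gen): body} for every indirect object in the file."""
    return {(int(m.group(1)), int(m.group(2))): m.group(3).strip()
            for m in OBJ_RE.finditer(data)}


def count_keywords(data):
    """Count each keyword over the raw bytes; the lookahead keeps /JS from
    matching the start of a longer name such as /JSomething."""
    return Counter({kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", data))
                    for kw in KEYWORDS})


def read_literal_string(body, start):
    """Read a PDF literal string whose '(' is at body[start], honoring nested
    parentheses and skipping backslash escapes (escape sequences are kept raw)."""
    if body[start:start + 1] != b"(":
        raise ValueError("not at a literal string")
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":
            out += body[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def extract_js(objects):
    """Collect JavaScript stored inline as /JS (...). JavaScript kept in a
    stream or a hex string is out of scope for this minimal parser."""
    js = {}
    for key, body in objects.items():
        m = re.search(rb"/JS\s*\(", body)
        if m:
            js[key] = read_literal_string(body, m.end() - 1)
    return js


def scan(data):
    """Produce a triage report: object count, keyword counts, extracted JS,
    and which footnoted API names that JS touches."""
    objects = parse_objects(data)
    report = {"objects": len(objects), "keywords": count_keywords(data),
              "js": extract_js(objects), "api_hits": Counter()}
    for code in report["js"].values():
        for name in API_NAMES:
            if name in code:
                report["api_hits"][name.decode()] += 1
    return report


if __name__ == "__main__":
    r = scan(SAMPLE_PDF)
    print("objects:", r["objects"])
    for kw, n in r["keywords"].items():
        if n:
            print(f"  {kw}: {n}")
    for key, code in r["js"].items():
        print(f"JS in object {key[0]} {key[1]}: {code!r}")
    print("API hits:", dict(r["api_hits"]))
```

The point of the keyword pass is the same as pdfid's: a document whose catalog carries /OpenAction pointing at /JavaScript, or whose only image is a /JBIG2Decode stream, is worth opening in an analysis tool rather than a viewer. The literal-string reader is the piece that a "simple parser" needs first, because most of the interesting content (JavaScript, file specifications, action dictionaries) hides behind PDF's string and dictionary syntax rather than in plain bytes a grep would find.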

Here's a list of webpages and talks I'm aware of, for your edification. If you know of or have your own talk/paper about PDFs, please feel free to comment and include them.

Talks:

General:

Tools:

Footnotes:

1 Adobe Reader:

customDictionaryOpen() CVE-2009-1493
GetAnnots() CVE-2009-1492
Collab.getIcon() CVE-2009-0927
JBIG2 CVE-2009-0658
util.printf() CVE-2008-2992

2 Foxit Reader:

JBIG2 CVE-2009-0191

3 Xpdf:

JBIG2 CVE-2009-0146

4 Favorites:

Ghostscript JBIG CVE-2009-0196
RIM Blackberry
Adobe Reader Collab.collectEmailInfo() CVE-2007-5659
Many: StreamPredictor

5 New Viral Threats of PDF Language


Comments

A new tool: origami

We talked about it at PacSec 08, and we released it a few days ago: origami.
It is a Ruby framework making it easy to manipulate PDFs.
We are looking to add new scripts, so any idea is welcome (patches and bugfixes also :)
--fr