The vast majority of the most popular Windows-native PDF viewers were vulnerable to multiple attack techniques exploiting standard PDF features, a team of security researchers has discovered.
Several PDF software brands were vulnerable to the most serious attacks, which resulted in local file leakage, file write access, and remote code execution (RCE), academics from Ruhr University Bochum in Germany found.
PDF viewers built into leading web browsers and applications for macOS and Linux were only susceptible to comparatively trivial attacks such as denial of service (DoS).
The viewers incorporated into Safari and Edge, meanwhile, were the only applications among 28 tested to resist all exploits, which targeted features that “directly or indirectly allow access to a file handle”, as a blog post explains.
Susceptible to eight of 10 attack techniques, the worst culprits overall were PDF-Xchange Viewer and PDF-Xchange Viewer for Windows.
PDFelement and iSkysoft, prone only to DoS, were honorable exceptions to the otherwise unimpressive Windows scorecard.
‘Code execution by design’
“I was surprised how many viewers did straightforwardly implement ‘code execution by design’ – because they simply followed the PDF reference and thereby introduced a dangerous feature (the ‘Launch action’) without, [for example], correctly asking the user for confirmation,” Jens Müller, one of the researchers, told The Daily Swig.
As a result, the blog post describes how a malicious file could successfully “be specified by a local path, a network share, a URL, or a file embedded within the PDF document itself” against six of 18 Windows viewers probed.
Information disclosure attacks, meanwhile, could be used to track PDF document use “by silently invoking a connection to the attacker’s server once the file is opened, or to leak PDF document form data, local files, or NTLM credentials to the attacker”.
The most dangerous technique, successfully deployed against three Windows viewers and partially successful against another three, exploited various methods defined by the PDF standard for embedding external files or accessing files on the host’s file system.
“If a malicious document managed to firstly read files from the victim’s disk and secondly, send them back to the attacker, such behavior would arguably be critical,” reads the blog post.
Data manipulation attacks
Data manipulation attacks involved silently modifying form data, displaying different content depending on the application used to open the document, and exploiting ambiguity in how the PDF standard allows form data submission to external webservers in order to write to local files on the host’s file system.
Attackers successfully executed one or both DoS techniques against every single application, bar the Safari and Edge viewers. This included exploiting how document elements reference themselves and other similar elements to cause an ‘infinite loop’, and a twist on the ‘zip bomb’ attack that compresses stream objects rather than zip files.
‘A better choice’
Müller said the “more severe issues should be fixed by now”, while “less impactful issues such as form modification are basically features”, and will therefore not likely be remedied.
He suggests that applications built into browsers, which offer sandboxing protections, “may be a better choice for a suspicious document than a native third-party PDF viewer”.
The research also highlights an education gap around the risks posed by what Müller refers to as “a quite complex data format with tons of interesting features”.
“For example, people are aware that Office files (e.g in email attachments) can contain macros, but public knowledge of similar functionality in PDF documents is less widespread,” he noted.
The other researchers involved are Dominik Noss, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk.
