In an article published Friday, eWEEK confirmed the first such exploit publicized by penetration testing expert, David Kierznowski. The test, run on Adobe Reader with all available patches applied, involved a PDF that, when opened in Adobe Reader or Acrobat, automatically launched the user’s browser and directed it to a URL embedded in the PDF. Kierznowski called the action a proof of concept that any string of malicious code could be executed by the PDF–not just opening a browser and URL without user consent (see the link to Kierznowski’s first proof-of-concept PDF in the sidebar, “Sites and Resources Discussed in this Article”).
Because both Adobe Reader (the PDF-reading software) and Acrobat (the PDF-creation software) include host computer file system access and Adobe Database Connectivity (ADBC), which allows direct access to a Windows computer’s Open Database Connectivity (ODBC), PDF users are at significantly more risk for data theft. ODBC is a gateway through which applications can exchange data with databases ranging from Microsoft’s Access, Excel, FoxPro, MS-SQL, and even Outlook and Exchange e‑mail systems, as well as third-party ODBC-enabled databases such as Lotus Notes, Lotus Domino, and FileMaker Pro, among others. A PDF carrying a malware payload can use the ADBC connection to the host computer’s ODBC to tunnel out into any other ODBC-connected database, potentially accessing every piece of confidential data on the targeted system.
Sites and Resources Discussed in this Article:
Kierznowski’s original Operation n blog entry, “Backdooring PDF Files”.
eWEEK article, “Hacker Discovers Adobe PDF Back Doors.”.
Kierznowski’s first proof-of-concept PDF.
Kierznowski’s second proof-of-concept PDF.
Kierznowski even demonstrated the ADBC exploit in a prepared PDF, stopping short of actually stepping out of ODBC into another data source (see the link to Kierznowski’s second proof-of-concept PDF in the sidebar, “Sites and Resources Discussed in this Article”).
Most chilling of all was Kierznowski’s assertion that one “can back-door all Adobe Acrobat files by loading a back-doored JavaScript file into [the local] \Acrobat\Javascripts directory.”
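The two risks above (folder-level JavaScript in the Acrobat/Reader Javascripts directory, and ADBC reaching ODBC data sources) both leave something a defender can look for. As an added example, not code from the article or from Kierznowski, here is a small audit script that lists every `.js` file in such a folder that is not on an administrator’s baseline and flags scripts that call the Acrobat JavaScript `ADBC` or `app.launchURL` APIs. The baseline name `config.js`, the sample files, and the temporary folder are constructed for the demonstration, not taken from a real install.

```python
"""Audit an Acrobat/Reader JavaScripts folder for unexpected or suspicious scripts."""
import re
import tempfile
from pathlib import Path

# Scripts in this folder run automatically when Acrobat/Reader starts, so every
# file here should be known. BASELINE is a hypothetical administrator allowlist.
BASELINE = {"config.js"}

# Capabilities discussed in the article: ADBC database access and URL launching.
# Patterns are illustrative; extend them to match local policy.
RISKY_CALLS = {
    "ADBC": re.compile(r"\bADBC\.(newConnection|getDataSourceList)\b"),
    "launchURL": re.compile(r"\bapp\.launchURL\s*\("),
    "trustedFunction": re.compile(r"\bapp\.trustedFunction\s*\("),
}


def audit_javascripts_dir(folder):
    """Return {filename: [findings]} for each .js file that is off-baseline or uses risky calls."""
    findings = {}
    for path in sorted(Path(folder).glob("*.js")):
        issues = []
        if path.name not in BASELINE:
            issues.append("not in baseline")
        text = path.read_text(errors="replace")
        for label, pattern in RISKY_CALLS.items():
            if pattern.search(text):
                issues.append(f"uses {label}")
        if issues:
            findings[path.name] = issues
    return findings


def demo():
    """Build a constructed sample folder (not a real install) and audit it."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "config.js").write_text("// vendor default; harmless\nvar x = 1;\n")
    (tmp / "helper.js").write_text(
        "var c = ADBC.newConnection('Sales');\n"
        "app.launchURL('http://example.invalid/');\n")
    return audit_javascripts_dir(tmp)


if __name__ == "__main__":
    for name, issues in demo().items():
        print(f"{name}: {', '.join(issues)}")
```

Point `audit_javascripts_dir` at the real Javascripts folder of an installation to produce the same report for it.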
Beyond these, Kierznowski claims to have found seven more points for launching malicious code from within otherwise legitimate PDF files, and hinted that Acrobat’s JavaScript model may allow even more.
In a comment on his own blog post, Kierznowski said of the potential to exploit PDFs: “I still think we are only scratching the surface.”
eWEEK reports that a spokesperson from Adobe’s product security incident response team is “actively investigating” Kierznowski’s discoveries. The unnamed Adobe spokesperson also stated: “If Adobe confirms that a vulnerability might affect one of our products, details of the security vulnerability and an appropriate solution [will be] documented and published.”
The discovery has sparked a furor of interest in just a few days.
On his Operation n blog entry, Kierznowski provides the proof-of-concept JavaScript code necessary to prove his theories–and actualize attacks. The entry did not go unnoticed. As of this writing, twenty comments and trackbacks from other sites have been appended to the original entry since its publication on 13 September 2006, with unknown numbers of people reading but not commenting on the Operation n blog entry, entries on trackbacked English and German Websites, and eWEEK. At least one splog, or “spam blog” (a Website whose content is comprised primarily of unauthorized reprints of entries and articles originally published on legitimate blogs and Websites), has already pilfered and republished Kierznowski’s entire article.