2. What is PDF?
Portable Document Format
Document representation independent of software, hardware and OS
ISO/IEC 32000-1:2008
De facto standard for printable documents
3. PDF File Structure
Header
%PDF-1.0 to %PDF-1.7
Body
Contains indirect objects
Cross-Reference Table
Random access to indirect objects
xref
0 2
0000000000 65535 f
0000910913 00000 n
File Trailer
trailer
<</Size 181/Root 179 0 R
/Info 180 0 R
/ID [ <55ED49327E86414ED7562EB23237FA2C>
<55ED49327E86414ED7562EB23237FA2C> ]
/DocChecksum /3B2D0F3E6C208965E0CE735F1364D709
>>
startxref
919337
%%EOF
4. App Object Model
JavaScript runs in the context of the App Object Model
PDF JavaScript cannot access HTML DOM objects
File Attachment
XML Capabilities
Forms
Web Services
Database connections
5. What's cracking up?
Vulnerable APIs
getIcon() (CVE-2009-0927)
getAnnots() (CVE-2009-1492)
customDictionaryOpen() (CVE-2009-1493)
Doc.media.newPlayer (CVE-2009-4324)
File parsing vulnerabilities
JBIG2 (over a dozen CVEs)
libTiff (CVE-2010-0188)
Socially engineered arbitrary command execution
PDF escape by Didier Stevens
Not a bug (feature)
Exploitation in the wild
Embedded Files
libTiff (CVE-2010-0188)
7. Prevention and Mitigation
Patch up!
Disable JavaScript
Disable attachment opening with external application
Use DEP
Disable display of PDF in browser. (Make your IPS happy!)
Don't open PDFs from strangers
Least privileges
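Added example (not part of the original slides): a static triage pass a defender can run on a PDF before it is opened. It reads the header, startxref and cross-reference markers described in slide 3 and counts name tokens for the features listed in slide 5, undoing #xx name escapes first. The token selection, function names and sample document are assumptions made for this illustration.

```python
import re

# Name tokens for features these slides list (this selection is an assumption).
RISKY = {b"/JS", b"/JavaScript", b"/OpenAction", b"/Launch",
         b"/EmbeddedFile", b"/JBIG2Decode", b"/XFA"}
NAME = re.compile(rb"/[^\s/<>\[\]()%{}]+")
HEXESC = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize(name: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEXESC.sub(lambda m: bytes([int(m.group(1), 16)]), name)

def triage(data: bytes) -> dict:
    # Adobe's readers accept the header anywhere in the first 1024 bytes.
    header = re.search(rb"%PDF-(\d\.\d)", data[:1024])
    # The last startxref before %%EOF gives the cross-reference offset.
    sx = re.findall(rb"startxref\s+(\d+)\s+%%EOF", data)
    offset = int(sx[-1]) if sx else None
    flags = {}
    for token in NAME.findall(data):
        key = normalize(token)
        if key in RISKY:
            flags[key.decode()] = flags.get(key.decode(), 0) + 1
    return {
        "version": header.group(1).decode() if header else None,
        "startxref": offset,
        # True only for a classic table; PDF 1.5+ xref streams start with an object.
        "xref_ok": offset is not None and data[offset:offset + 4] == b"xref",
        "flags": flags,
    }

def build_sample() -> bytes:
    """Constructed, inert sample with one hex-escaped name."""
    body = (b"%PDF-1.4\n"
            b"1 0 obj\n<</Type /Catalog /OpenAction 2 0 R>>\nendobj\n"
            b"2 0 obj\n<</S /J#61vaScript /JS (app.alert(1))>>\nendobj\n")
    xref = b"xref\n0 1\n0000000000 65535 f \n"
    tail = b"trailer\n<</Size 3 /Root 1 0 R>>\nstartxref\n%d\n%%%%EOF\n" % len(body)
    return body + xref + tail

if __name__ == "__main__":
    print(triage(build_sample()))
```

Names inside compressed streams are not seen by this pass, so an empty flags result does not clear a file; it only means nothing was visible in the uncompressed objects.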
8. So what's next?
Less reliance on JavaScript for exploitation
Issues with embedded files are here to stay
Built-in, non-tunable Flash support is another issue
Portfolios, anyone!
Vulnerability with multiple file parsing
XFA SOAP
Interaction with other applications
Adobe finally learning some SDL #FTW!
Sandbox ??
9. Where can I get more samples?
contagiodump.blogspot.com/
offensivecomputing.net/