Dailydave mailing list archives

Re: 0day, it may not be


From: "I)ruid" <druid () caughq org>
Date: Thu, 01 Apr 2010 11:35:20 -0500

On Thu, 2010-04-01 at 07:52 -0700, dave wrote:
> https://forum.immunityinc.com/board/thread/1199/exploiting-pdf-files-without-vulnerabili/?page=1#post-1199
>
> D2 points out rightfully that everyone with the D2 CANVAS Exploit Pack
> (email admin () immunityinc com now for pricing! :>) has known about this
> particular feature of PDF's for over two years. D2 comes with an NDA, so
> it's not surprising it's not "General Knowledge" but the well-funded
> among you should at least stop acting so surprised. :>

Honestly, I thought pretty much anyone that has spent any amount of time
looking at PDFs was probably aware of the Launch action.  I wrote a
light PDF generator a couple years ago and discovered the ability to
Launch commands in relatively short order, but didn't think it anything
interesting as it required user interaction via prompting the user with
a dialog.

The interesting bits of the recent report are that the Foxit reader
specifically does *not* require user interaction[1], and the ability to
partially control the dialog message that is displayed to the user in
Adobe Reader[2].  The underlying mechanism of being able to execute
commands from within a PDF however is fairly well-known and nothing new,
as your post also illustrates.

[1] http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
[2] http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/

-- 
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
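
Added example, not part of the original post or of any tool named in it: a small Python scanner that flags the Launch action name discussed above, so mail or web gateways can triage PDFs that carry one. It assumes unencrypted files and only inflates Flate streams; the function names, the sample fragment and PLACEHOLDER.bin are constructed for illustration.

```python
import re
import zlib

# A PDF name may hex-escape any character as #XX, so /L#61unch is /Launch.
NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)

def decode_name(raw):
    """Undo #XX escapes so obfuscated and plain spellings compare equal."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def launch_offsets(data):
    """Byte offsets of every name token that decodes to Launch."""
    return [m.start() for m in NAME.finditer(data)
            if decode_name(m.group(1)) == b"Launch"]

def scan_pdf(data):
    """Return (location, offset) pairs for Launch names in the file body
    and inside any stream that inflates as zlib/Flate data."""
    hits = [("body", off) for off in launch_offsets(data)]
    for i, m in enumerate(STREAM.finditer(data)):
        try:
            # decompressobj tolerates the end-of-line bytes before endstream
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; other filters are not handled here
        hits += [(f"stream {i}", off) for off in launch_offsets(inflated)]
    return hits

# Constructed sample: a fragment, not a complete PDF. PLACEHOLDER.bin is a
# made-up target name; one action is hex-obfuscated, one sits in a stream.
SAMPLE = (
    b"%PDF-1.5\n1 0 obj\n"
    b"<< /Type /Action /S /L#61unch /F (PLACEHOLDER.bin) >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /Launch /F (PLACEHOLDER.bin) >>")
    + b"\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for location, offset in scan_pdf(SAMPLE):
        print(f"Launch action name at {location} offset {offset}")
```

A hit is a triage signal rather than a verdict: the name can also appear in benign documents, and a clean result says nothing about streams using filters other than Flate.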

