PaulDotCom mailing list archives

Re: Advice on doc format to see for review to security folks


From: byte.bucket () 4a44 com
Date: Mon, 22 Nov 2010 13:07:04 -0500


If you can own anyone reading this list with a PDF exploit then they
deserve it!

Robin

I think this is a little unfair; how do you not get owned using Adobe
Acrobat?

I had a hard time writing up a mitigation recommendation for a customer
recently.  I owned the network with a HSRP MITM attack, followed by
Ettercap+etterfilter injection to serve up malicious PDFs in 1x1
iframes*.  The attack went great, but then I had to tell the customer
what to do differently to prevent them from being compromised through
Adobe Acrobat in the future.

I don't believe Foxit Reader isn't in a better position than Adobe
Acrobat reader from a security perspective.  Online PDF rendering
options returning funky JS+AJAX images wouldn't work due to the
sensitive nature of the PDF content.  I ended up recommending the use of
Adobe Acrobat with the Microsoft Mitigation Experience Toolkit, but I
thought that was kinda lame too.

What recommendations are people making to customers who get owned
through PDF exploits but require a local PDF reader?

Thanks,

-Josh

* Ettercap+etterfilter, HSRP/VRRP exploits and more are all labs in the
new SANS course I contributed to, Advanced Penetration Testing, Exploits
and Ethical Hacking - http://bit.ly/aOwAnB

Hot on the heels of your question, Adobe has released Acrobat/Reader "X".
There is a nice series of articles here:
http://blogs.adobe.com/asset/2010/11/adobe-reader-x-is-here.html . 
Protected mode is by no means a "cure all", but it does look like a step
in the right direction.

On a separate but related note, what did you tell this customer about
mitigating malicious iframes?  It seems to me that your attack vector
(malicious iframes) is/was the real issue here and that the vulnerable
application (Acrobat) is probably one of several you could have taken
advantage of.

-- 
byte_bucket
