Schneier on Security
A blog covering security and security technology.
« NIST on Protecting Personally Identifiable Information |
| The Doghouse: Lock My PC »
April 22, 2010
Booby-trapping a PDF File
EDITED TO ADD (5/13): More info.
Posted on April 22, 2010 at 1:31 PM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
From the article (dated March 31st 2010): "Upon hearing of a possible security concern, [FoxIT] development team went to work and a resolution was determined in less than 24 hours and an updated version of the Foxit Reader will be made public in the next 72 hours."
Looks like they were true to their word.
Although I think we'd all agree that prompting the user isn't the most ingenious resolution for this exploit.
This, and nearly all other vulnerabilities in PDF, are really just an obvious side-effect of function creep.
PDF - Portable Document Format, used to maintain typesetting / print layouts across multiple platforms independent of installed fonts / formatting chars / printers / etc.
Why on earth you can embed full on mp3s, movies, etc inside of them and run executable code is completely beyond me, and IMHO, absolutely unnecessary and detrimental.
PDFs (*Proprietary* Document Format) are a huge FU to the readers, and I wish people would stop using them. They are designed for a print-based world that is no longer useful.
Its like making e-readers that flip pages, as if people read "pages" instead of paragraphs. Pages are an artifact of the physical reality of the book form, and are totally inappropriate for e-readers.
PDF actually stands for Perilously Dangerous Format.
Isn't this stuff really old news?
FYI: Alternative readers that don't support a lot of the dangerous features allowed for by the PDF specs are listed here: http://pdfreaders.org/
PDF has its drawbacks - some of which could be resolved by requiring PDF/A - PDF for archiving.
If our readers had an option "warn of functionality greater than PDF/A", it would be a handy shortcut to enforce the safer version.
I think Shane makes a completely valid point re. the embedding of unnecessary formats in pdfs.
Playing music or movies from within pdfs is simply not required.
Haha, he's keeping the technique 'secret'. The PDF that starts cmd.exe has this object in it:
8 0 obj
Clearly his modification of the dialog text is just adding newlines in the command so that the actual 'cmd.exe' is pushed up out of view.
The rest of the technique probably involves prepending a small exe to the front of the PDF (PDFs are read from the end). This exe can then find and execute the main one which is embedded as a comment in the PDF.
Ok, that didn't work. Object should have been:
8 0 obj
But with angle brackets instead of square ones.
They need to add fog and strobe lights to secure those pdfs!
I was also looking into PDF/A for a safer alternative. Although, I think it's more restrictive than necessary for non-archival applications. We could allow hyperlinks, maybe a very restricted form of scripting [non-hyperlink] elements within the document, and allow non-embedded fonts. If we can't replace PDF, then such a restricted subset would be a nice compromise. We could also build tools that strip regular PDF's of dangerous functionality in a robust way.
I settled on subsetting due to my experience earlier today. I was googling for alternatives to PDF that weren't so permissive in nature and maybe easy to parse. I was specifically looking for sites talking about replacing PDF for security purposes. In five or ten minutes of searching, I found nothing. That's not a good sign. The only thing people were talking about were formats like PDF/A or alternative readers of regular, insecure PDF specification. Imho, standardization on PDF is just another loss for IT security...
Btw, people looking into alternative readers or learning about PDF to build a secure reader might want to check out SumatraPDF. It's a very lightweight, minimalist, standalone PDF reader. This thing loads and moves FAST!
Where PDF goes wrong (imo) is in not having recognized that they needed to adopt the *entire* web security model. HTML still has even more scriptability than PDF, and yet your web browser manages not to be the cesspit of security holes that Acrobat does ... because web browser authors knew to pay attention to this stuff from eight o'clock, day one.
Well sure pr0n. Doesn't matter what format you put it in...you'll get a social disease.
Hey, I've got a social disease!
Zack, why would you want to use .PDF to do presentation slides?
Half the problem here is that PDF started out as a 'safe' document format - safer than .DOC, with its myriad macros, anyway. That Adobe added scripting, audio, video, and embedded executables violates the 'principle of least surprise'...
If you asked a stereotypical office user how to embed video into a .PDF, they would most likely say "But why would you want to? That's what Powerpoint is for!"... and - given we have to design our security models on them - they would be right!
"""because web browser authors knew to pay attention to this stuff from eight o'clock, day one."""
I assume you mean 8 pm?
Web browsers were a "cesspit of security holes", just as (some/most/many) PDF readers are now, and for precisely the same reason: 'usability' trumps 'security'.
The desire to compete with PowerPoint and Word, which requires adding all sorts of features, has turned PDF from "a really good way to store documents because it's safe and WYSISWG" to "just another disaster waiting to happen. again."
I guess it's back to plain ASCII...
Although we're in the minority, there are some of us who do not use powerpoint (or its clones) and don't want to. PDF is a good option for slides in that situation.
I was infected with one of the blackmailing "security" programs from a pdf file that automatically opened in Foxit Reader. My husband managed to cripple it and then we found an article from Microsoft that gave us the info on how to get rid of it.
"Zack, why would you want to use .PDF to do presentation slides?"
Never used LaTeX Beamer to create a presentation? I can churn out a perfect slide a minute on Beamer if I know what I want to say (more if I had time to think about it). And all slides look terrific with real LaTeX polish.
PDF presentations work on any platform without dropping all the special fonts. You know, all airplanes and devil heads where your text or formula was.
Powerpoint is not available on Linux. OO.o often not available on "presenting" computers. And powerpoint will mess up the layout of your slides on EVERY computer you did not test it on.
@ Winter and Zack
So, we have people that like to use PDF's way out of their original scope and we have reasons not to use PowerPoint. I'm still not seeing a reason to put all this risky functionality in what's been advertised as a good document format to replace "proprietary" or "risky" formats as PDF proponents have said in the past. I don't see why we can't support two formats: one a little stronger than PDF/A and one more like modern PDF. That way we could use the simpler one when trust was an issue & interoperability was still essential.
Good point on the browser. When I read that part of Zack's post, I was thinking: "what the hell is he talking about? haven't browsers been the greatest source of compromises over the past few years?" Last thing we need is another browser. (read: modern PDF's)
Plain ASCII, RTF, or a watered-down version of HTML are actually what I use for long-term, security-oriented document storage. I don't remember the last time I though: "Oh man, this document is an RTF file. Should I open it!?" Most recent memory went more like this: "The RTF version is only 8KB!? The Word document was originally 150K!" And that was before compression. I still love many "obsolete" standards. I remember when I used RTF exclusively to send drafts to my team in college. They looked at the size of the first one and told me they wouldn't even bother reading such an empty document. It took some convincing that Word was just "that bloated" before they opened it. Still get a laugh out of that. :)
The problem is that too many people want to use a particular format for everything. PDF gets popular as a secure document format, and as it gets more popular it attracts more users who are not as interested in security. These uses (customers) push the supplier to add feature creep.
Oh, just realized I'm using Acrobat not Acrobat Reader, so maybe Reader doesn't allow you to disable functions.
@Ron Helwing " designed for a print-based world that is no longer useful."
Okay Igon. Been hearing that since Guttenberg invented the thing.
This isn't even mostly true. Although there is more and more information being committed to electronic forms the advantage to not losing access to your words just because your battery dies and you're over nine feet away from a power socket is not neglible.
Too Have you ever spent an hour reading hard copy and an hour reading off your monitor? Which left you more tired. Likely the monitor. The active screen is more taxing to our eyes than a book which passively reflects ambiant light.
Finally and, to my mind, most important. Centuries of practice have helped define the art of making things readable and legible. And it's translatable to electronic forms. Why do fonts have little serif widgets on the top and bottom of each letter? It makes it readable. Why don't we see that in good websites (because sans serifs are easier to read there). How many times have you seen a website with yellow lettering against a light blue background? Yuck. I'm all for experimentation but the unuseful print world realized long ago that that combination should be used rarely, very rarely.
"Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can."
"A lot of the "feature creep" in PDF is necessary for particular use cases."
Simply because people wish to use things in ways other than they were intended does not make the integration of those misuses as features 'necessary'.
Just because Johnny Numbnuts and his buddies want to plow their driveways with their Prius', doesn't mean that every Prius should come standard with a front-mounted shovel and tire chains that cannot be removed by the consumer.
"Where PDF goes wrong (imo) is in not having recognized that they needed to adopt the *entire* web security model."
No, where PDF went wrong was in its attempt to be an encapsulated, proprietary alternative to HTML, instead of sticking to what it was relatively good at, which was being a portable document format.
When you start having to rethink the entire codebase to fit in a set of features that never really needed to be there in the first place, it's time to write a new application with the intended scope in mind from the start.
"Okay Igon. Been hearing that since Guttenberg invented the thing."
Gutenberg. Guttenberg is a not particularly talented actor.
"Perhaps we should publish this in PDF..."
"We can do more damage that way."
I think Acrobat became slow and buggy enough for me to start hating PDF somewhere around 2002. Anyway, that was about when I uninstalled it. Nowadays when I google for something and find a PDF, I either check Google's de-PDFed version, or skip it altogether.
Quite simply, no-one has time to keep loading and unloading PDF files when skimming the web for information. If you used robots.txt to stop Google from doing a cached, non-PDF version, then it's "Goodbye, I'll try your competitors instead."
Now, if Google's cached version shows me that it really is something I am looking for and need to keep, then I will download it -- but I open it in GSView, which is really a Postscript reader. I have GSView so I can read academic papers in Postscript format, but it also opens PDF -- much faster than any Adobe product, and without all the bells, whistles and crap.
But I have a much greater hatred of PDF than simply that it is an inappropriate web publishing format. What I REALLY hate is that very often it reflects a corporate obsession of form over substance, even to the point of massive waste. It represents the mindset that really does believe that it is important for your document to look exactly the same, every time it is printed.
This is actually true, for some things. Legal contracts, perhaps. Bar coded tickets, probably. Maybe great works of art.
It is NOT true for inter-office memos, leave applications, project proposals, technical reports, or even -- dare I say it?!? -- presentations.
Need to submit a form? Well it doesn't matter if all the fields are copy-and-pasted from some other doc and some don't even make sense, you used the correct form, so you're golden. Writing a new business case? Sure, just spend 2 days making sure the formatting is just like the one in the examples (PDFed, of course, so this time you can't easily just use it as a template), and 30 minutes thinking about whether or not this proposal actually makes business sense. Or you could spend the 2 days actually thinking about the project and send it in as plain text email, but then some jerk will reply "Wall of text!! TLDR !!*"
* For those even less hip than I, apparently this stands for "Too Long, Didn't Read"; which I take to be a confession that the (non-)reader is a semi-literate moron without adequate mental concentration for making important decisions.
The bulk of my work is on PDF. The papers i download. Even when i submit papers for review. Its either ascii or pdf. A fringe outside is ps.
PDF is not quite the security problem everyone makes out if you use 3rd party readers etc, since they generally don't support *any* of these fancy features. And you can still make nice presentations without these features. I use it for all my lectures and talks.
But as for slow? Compared to word or OO? I don't think so.
"But as for slow? Compared to word or OO? I don't think so."
Depends, use the fancy PDF features and you can get a one legged dog...
Likewise with MS Word and OOo.
Me I stick with MS Office 97 and RTF when I need anything other than ASCII text files I need to send to someone.
Even though MS keep changing RTF it is still one of the few things they kind of got right with file formats (ie you can get in there with a text editor and MK1 eyeball if you have problems)
"Why do fonts have little serif widgets on the top and bottom of each letter? It makes it readable."
People with visual impairments - for whom I provide large-print versions of our publications - say that for them, a sans-serif typeface is more readable than a serif one.
MY GOD, MAN! Office 97!? Have you any ideas how many latent defects that thing might have? I'd be surprised if they are still supporting it. Upgrade to at least 2003: it's cheap, maybe still supported, and Word loads in like 1-2 seconds on a core duo machine (you know, the ones that were $800 2 years ago). I'm with you on the RTF, though. If it's just a simple message, some notes, etc. with formatting I use RTF because Wordpad is quite efficient, the format safe and file sizes ultra small. I use PNG for images due to small size, but their implementations keep having problems. Keep wondering if I should switch to BMP for secure viewers... lulz
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.