Abstract
Attacks carried by PDF files usually embed the malicious content in the PDF itself, which makes them subject to pattern-based detection. Now imagine that the malicious content is not in the PDF opened by the victim. Using legitimate, built-in Adobe mechanisms to reach outside the document can be advantageous for an attacker, and form submission offers exactly that possibility. It is not the well-known URI method; it is better, because it lets an attacker greatly widen the range of attacks launched from a PDF.

Basically, the purpose of this paper is to show that the simple use of an HTTP request issued from a PDF can be an effective attack vector. Furthermore, the paper shows how web browser vulnerabilities can be reused, relatively easily, from a PDF. In addition, we found a new way to determine the victim's Adobe Reader version before any malicious action takes place.

The paper begins with a short description of Adobe Reader's network mechanisms. It then presents some new weaknesses discovered in the URL Security Manager of Internet Explorer. Finally, two attack scenarios are described. The first is an example of calling risky JavaScript functions in Internet Explorer from a PDF. The second shows a new way to use vulnerability exploits in PDFs: a strategic approach that emphasizes the collection of information before the attack itself. Note that this paper is written for the Black Hat Abu Dhabi 2012 conference only. A more advanced version will be released in the near future in the Journal in Computer Virology, published by Springer [1].
Introduction
Recent security reports from Symantec [2] and Kaspersky [3] have shown that the Portable Document Format, because of its success, attracts a great deal of attacker interest, particularly for targeted attacks. Attacks carried directly by the PDF are in fact quite varied. The PDF security analyses initiated by Eric Filiol [4, 5] and then by Didier Stevens since 2008 [6, 7] have highlighted the multiple flaws in the format, and PDF malware threats have increased significantly since those publications [8]. For some time now, however, Adobe has restricted the use of critical features of Acrobat JavaScript: a document must carry a signature to be granted access to the more critical PDF methods, especially the JavaScript ones. Similarly, the Launch method, which starts a system application, raises a message box that is quite constraining for an abuser. These problems were described by Eric Filiol in 2008 [5] and by Didier Stevens, who presented some identification and analysis tools at Hack.lu in 2009 [9]. The recurring remark they made about PDF security concerns message boxes: it is still not easy for an attacker to suppress every alert box, and this is the case for the Launch function. But, as we will see, web connections are an exception. Since the 2008 work, and even before it, the registry keys controlling Adobe's web filter have been editable with plain User rights.

Security has not improved significantly since. This is what the work of Frédéric Raynal, Guillaume Delugré and Damien Aumaitre, also presented at Hack.lu in 2009 [10], showed: they described the multiple vulnerabilities still present in PDF documents. Keeping these previous studies in mind, the first part of this paper presents the many ways to open a web page from a PDF. Adobe is aware of the problem, yet the only countermeasure is a very basic filter applied when a URL (Uniform Resource Locator) is requested: at that moment, only a simple alert box pops up, and anybody can disable that window by editing registry keys with User rights. The most worrying point is that Adobe does not care about what happens once the alert box has been passed. To reassure themselves, Adobe's developers recently added a shortcut to the Microsoft Internet Settings, which lets a user configure Internet Explorer's Internet settings. Despite this, we will show in this paper that this protection does not work in one specific situation: when an attacker uses the SubmitForm method. Accordingly, the second part of the paper deals with bypassing Internet Explorer's security zone management. The last part of the article then details a scenario: a new attack that has been fully implemented and tested in order to be presented here. A second scenario, a new way of using PDF vulnerability exploits, will be presented in the advanced paper.