ExeFilter vs. the Escape from PDF (CVE-2010-1240)

On 29 March 2010, Didier Stevens revealed on his blog that he had found a way to launch an executable file stored inside a PDF document without using JavaScript or any buffer overflow. This short article shows how ExeFilter can be used to sanitize such PDF files and block this type of attack.

Didier Stevens' Escape from PDF (see also CVE-2010-1240) is based on a native PDF feature called the "launch action" (an action dictionary of subtype /Launch that tells the reader to start an external application). It has been known since 2000 that this feature is a security issue. What is new is that Didier Stevens showed it can be used to launch an executable file stored in the PDF document itself (he did not publish the details at the time). He also found that Foxit Reader, before it was patched, did not ask for any confirmation before launching the executable. Finally, he showed that Adobe Reader 9.3.1 has a bug that makes it possible to alter part of the warning message and fool users into clicking "Open" (the actual CVE-2010-1240).

Foxit Reader was patched a few days later, and Adobe published a workaround on April 6 (a Trust Manager preference that stops Reader from opening non-PDF attachments with external applications). Jeremy Conway showed that launch actions can be combined with incremental updates to create a PDF virus, and Sophos reported malicious use of launch actions in the wild on April 12. Adobe Reader 9.3.3 was released on June 29 with a fix for CVE-2010-1240 and a new blacklist that prevents launch actions from starting certain file types, such as executables (a way to bypass that blacklist was found shortly afterwards).

ExeFilter is a tool designed to sanitize the most common file formats, PDF included, by removing or disabling any active content. Since it disables launch actions in PDF files by default, it is effective against the attack described by Didier Stevens: it does not need to recognize the specific payload, because every launch action is neutralized, whether or not the reader that opens the file has been patched.
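To show concretely what "disabling launch actions" involves, here is a small Python illustration added to this article. It is not ExeFilter's code and does not reproduce ExeFilter's implementation. It scans the raw bytes of a PDF for name tokens that decode to /Launch, including names hidden with the PDF hex-escape syntax (for example /#4Caunch, which a reader treats exactly as /Launch), and overwrites each one with an inert name of the same length so that cross-reference offsets stay valid. Scanning raw bytes rather than parsing only the first revision also covers objects appended by incremental updates, the mechanism used in Jeremy Conway's PDF virus. The sample PDF is constructed for this example and is not Didier Stevens' launch-action-cmd.pdf. One caveat: names inside compressed object streams (PDF 1.5 and later) are not visible to a raw scan and would have to be decompressed first, which is left out here.

```python
import re

# Constructed sample for this example (not Didier Stevens' file): a minimal
# PDF whose OpenAction is a /Launch action that runs cmd.exe when opened.
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo hello) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same action with the name hex-escaped: PDF syntax allows any byte of a name
# to be written as #xx, so /#4Caunch is exactly /Launch to the reader, while a
# naive search for the literal bytes b"/Launch" would miss it.
OBFUSCATED_PDF = SAMPLE_PDF.replace(b"/S /Launch", b"/S /#4Caunch")

# A name token: a slash followed by regular characters (no whitespace, no
# delimiters).  This is a raw byte scan, so it also sees names inside
# incremental updates appended after the first %%EOF.
NAME_TOKEN = re.compile(rb"/([^\s()<>\[\]{}/%]+)")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx hex escapes in a PDF name token."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def find_launch_actions(pdf: bytes) -> list:
    """Return the byte offsets of every name token that decodes to /Launch."""
    return [m.start() for m in NAME_TOKEN.finditer(pdf)
            if decode_name(m.group(1)) == b"Launch"]


def neutralize_launch_actions(pdf: bytes) -> bytes:
    """Overwrite each /Launch name with an inert name of identical length.

    Keeping the length unchanged keeps every object offset unchanged, so a
    cross-reference table (if present) still points at the right objects.
    The action dictionary survives, but its subtype is no longer one the
    reader knows how to execute, so nothing is launched.
    """
    def replace(m):
        raw = m.group(1)
        if decode_name(raw) != b"Launch":
            return m.group(0)
        return b"/" + b"X" * len(raw)
    return NAME_TOKEN.sub(replace, pdf)


if __name__ == "__main__":
    for label, data in (("plain", SAMPLE_PDF), ("hex-escaped", OBFUSCATED_PDF)):
        hits = find_launch_actions(data)
        cleaned = neutralize_launch_actions(data)
        print(f"{label}: {len(hits)} launch action(s) at {hits}, "
              f"{len(find_launch_actions(cleaned))} after cleaning, "
              f"size unchanged: {len(cleaned) == len(data)}")
```

Running the script reports one launch action in each sample, none after cleaning, and an unchanged file size. The point of decoding the name before comparing it is the same one that applies to any byte-level PDF filter: an attacker controls the file's surface syntax, so the check must operate on the decoded name, not on the literal string "/Launch".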

You can easily test this yourself by following these steps:

  1. Download the sample PDF file from http://didierstevens.com/files/data/launch-action-cmd.zip and unzip it.
  2. Clean it using "python ExeFilter.py launch-action-cmd.pdf -o cleaned.pdf".
  3. Open cleaned.pdf on a machine with a vulnerable reader: since the launch action has been disabled in the file, the command is not triggered.
  4. You may also try it with the sample provided here: http://intrepidusgroup.com/insight/2010/04/an-executable-wolf-in-a-pdf-s...

See the ExeFilter page and documentation for more details.