Vigil@nce: Adobe Reader, command execution via Launch
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can create a PDF document launching a shell command,
and altering the displayed alert message, in order to invite the
victim to run the command.
– Severity: 2/4
– Creation date: 02/04/2010
DESCRIPTION OF THE VULNERABILITY
A PDF document can contain an OpenAction object, indicating the
command to execute:
/OpenAction /Launch ... /DOS (msdos-command) /Unix (unix-command)
/Action /Launch ... /Win (msdos-command)
When the user opens this document, Adobe Reader displays a warning
message, before executing the command (simplified):
Do you want to execute the command
msdos-command
However, an attacker can inject line feeds and a free message in
the command name. The victim can thus be lured to accept the
warning message.
An attacker can therefore create a PDF document launching a shell
command, and altering the displayed alert message, in order to
invite the victim to run the command.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Adobe-Reader-command-execution-via-Launch-9557