Status: Closed (closed by GoogleCodeExporter 8 years ago)
Hello,
Actually, 'embed.rb' does not just embed the target file into the document. It will also inject a little script that will try to run the file at document opening.

However, Acrobat Reader has some restrictions about which files are granted to be extracted and run. This security filtering is merely based on the filename extension. Some extensions are blacklisted, some are whitelisted, and others will pop up an alert box to ask for user approval before running the file.
This list of extensions cannot be modified from the Reader interface; on Windows you can find it in the registry key:

HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown\cDefaultLaunchAttachmentPerms

On Unix systems, it can be found in the preference file in the directory where Reader is installed. On my Linux system: /opt/Adobe/Reader9/Reader/GlobalPrefs/reader_prefs

Only PDF and FDF files are whitelisted by default (which means you can extract and run an embedded document from an existing document with no user warning).
In a nutshell, if you plan to embed a malicious file into a document, you have two options:

1) Find a flaw in Acrobat Reader to bypass the security checks. That's what I did when I began working on the 9.0 version, but it has now been fixed by Adobe.

2) Use a non-blacklisted filename extension for your attachments. Before version 9 of Reader, I used to embed malicious JAR archives into documents, as *.jar files were not blacklisted. Still, the file has to be launched by Windows Explorer thereafter, so you can't set whatever extension you wish. Anyway, on Unix systems, the filename extension filter is just a joke.
Regards,
Guillaume
Original comment by guilla...@security-labs.org on 11 May 2010 at 12:41
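The comment above describes two things a triager wants to check by hand: whether a PDF carries an embedded file together with a script that extracts and launches it at open time, and what verdict Reader's extension filter would give that attachment's name. The script below is an added example, not Origami's embed.rb nor Adobe's code. It assumes the layout of the `tBuiltInPermList` registry value under cDefaultLaunchAttachmentPerms ("version:1|.ext:code|...", with 1 = ask, 2 = always allow, 3 = never allow, and `iUnlistedAttachmentTypePerm` for everything else), taken from Adobe's preference documentation rather than from the comment; the permission list, the sample PDF and the `unix` switch are constructed for illustration. It also assumes the embed-and-run script is an Acrobat JavaScript call to `exportDataObject` with `nLaunch: 2`, which is what an attachment-launching action commonly looks like, and it only handles uncompressed, unobfuscated PDF syntax, so it is a sanity check rather than a parser for real-world samples.

```python
import re

# Permission codes of Reader's tBuiltInPermList value (assumed from Adobe's
# preference documentation, not stated on this page):
#   1 = ask the user, 2 = always allow (whitelist), 3 = never allow (blacklist)
ASK, ALLOW, BLOCK = 1, 2, 3
VERDICT = {ASK: "prompt", ALLOW: "whitelisted", BLOCK: "blacklisted"}

# Constructed, abbreviated permission list in the "version:1|.ext:code|..."
# layout of the registry value. The real list is far longer.
PERM_LIST = "version:1|.exe:3|.bat:3|.js:3|.jar:3|.vbs:3|.pdf:2|.fdf:2"
UNLISTED_PERM = ASK  # assumed default of iUnlistedAttachmentTypePerm

# Constructed minimal PDF: one embedded file plus an OpenAction JavaScript
# that extracts and launches it (nLaunch 2). Not a real malware sample.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R
  /Names << /EmbeddedFiles << /Names [(payload.jar) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ..
endstream endobj
4 0 obj << /Type /Filespec /F (payload.jar) /EF << /F 3 0 R >> >> endobj
5 0 obj << /S /JavaScript
  /JS (this.exportDataObject\\({cName: "payload.jar", nLaunch: 2}\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def parse_perm_list(text):
    """Turn 'version:1|.exe:3|.pdf:2' into {'.exe': 3, '.pdf': 2}."""
    perms = {}
    for item in text.split("|"):
        ext, _, code = item.rpartition(":")
        if ext.startswith("."):          # skips the leading 'version:1' entry
            perms[ext.lower()] = int(code)
    return perms


def attachment_verdict(filename, perms, unlisted=UNLISTED_PERM, unix=False):
    """Verdict the extension filter gives this attachment name.

    Matching on the lowercased last extension is a simplifying assumption.
    On Unix the comment above reports the filter as ineffective, so the
    constructed 'unix' switch short-circuits to 'unfiltered'.
    """
    if unix:
        return "unfiltered"
    m = re.search(r"(\.[^.\\/]+)$", filename)
    code = perms.get(m.group(1).lower(), unlisted) if m else unlisted
    return VERDICT[code]


def find_attachments(pdf):
    """Names of embedded files: /Filespec dictionaries with an /EF entry."""
    names = []
    for m in re.finditer(rb"/Type\s*/Filespec(.*?)endobj", pdf, re.S):
        body = m.group(1)
        f = re.search(rb"/F\s*\(([^)]*)\)", body)
        if f and b"/EF" in body:
            names.append(f.group(1).decode("latin-1"))
    return names


def has_auto_launch(pdf):
    """True if the document opens with a script that extracts and runs an
    attachment (exportDataObject with nLaunch 2 reached from /OpenAction)."""
    return (b"/OpenAction" in pdf and
            re.search(rb"exportDataObject[^)]*nLaunch\s*:\s*2", pdf) is not None)


def triage(pdf, perms, unix=False):
    """(attachment name, filter verdict, auto-launch present) per attachment."""
    launch = has_auto_launch(pdf)
    return [(name, attachment_verdict(name, perms, unix=unix), launch)
            for name in find_attachments(pdf)]


if __name__ == "__main__":
    perms = parse_perm_list(PERM_LIST)
    for name, verdict, launch in triage(SAMPLE_PDF, perms):
        print(f"{name}: {verdict}, auto-launch={launch}")
    print(triage(SAMPLE_PDF, perms, unix=True))
```

The point of the verdict column is the one the comment makes: the same embedded payload is "blacklisted", "prompt" or "whitelisted" purely according to the characters after the last dot in its name, and renaming the attachment changes the outcome without changing the bytes. Treat any document that combines an embedded file with an exportDataObject/nLaunch action as hostile regardless of the verdict, since the filter is a client-side policy, not a property of the file.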
Original issue reported on code.google.com by xzero...@gmail.com on 6 May 2010 at 5:13