I have spent 15 years working with PDF structure. I am impressed with how little various "hackers" and "security" people really know about its internal format - how little the tools really do.
Most tools simply dump out superficial dumps of streams and other content structures.
The real vulnerability of PDF is the CosObj structure and how its processed. Most constructs are poorly defined in the "standard" and therefore subject to "issues". Acrobat has been a source of consistent issues for me for the last decade and a half or so...
Monday, July 11, 2011
Sunday, July 10, 2011
PDF at the Forefront of iOS/iPhone Hacks...
I have neglected this blog for many, many months. But today I have some startling news PDF.
Virtually every version of iPhone/iOs/iPad/ from Apple appears to have a serious PDF security issue.
I found this due to the site jailbreakme - not that I am interested in jailbreaking per se - but it just showed up likechloroform chlorophyll on Casey Anthony's web browser.
The issue has to do with JavaScript (surprise, surprise). The problem can also surface in things like Safari and other iOS applications (presumably) that use browser technology. You just go to this site, click on some links and viola - your iDevice is jailbroken. (No messary hacking or mucking about with reds0wn and so forth.)
I have tracked down several sites (this, this, and this) with gory technical details but basically it works like this:
1) Inside a PDF you embedded some malicious JavaScript. There are a number of ways to do this. As an expert I am duty bound not to spill the beans.
2) When the PDF is loaded the JavaScript either calls some specific JS functions known to corrupt memory or use something called HeapSpray to fill memory with things you would like to execute.
3) Once the memory in the JavsScript memory in the PDF interpreter is corrupted and local OS ARM code is inserted by JavaScript the code is ARM code executed. The code then uses an exploit to access "root" space which is the highest-privileged operating mode for iOS.
Typically this exploit (as of July 9th, 2011) is the iOS IOSurface exploit - which creates bogus parameters for the IOSurface API call. Since IOSurfaces work in kernel, aka root, space, the hack is basically complete.
4) The IOSurface, now corrupted, executes code for the hack as root. It checks for a previously installed hack (via the existence of bash). If none is found it then downloads something called 'wad.bin' which contains more executable code as well as a Cydia installer for jailbreaking.
Interestingly enough these PDF JavaScript problems have been around for years.
My guess is that there are a huge variety of PDF hacks one could create by carefully manipulating a PDFs structure to cause any number of equivalent to JavaScript hacks.
I have believed for many years that Adobe no longer cares about PDF or print. And, because of this, their policies for upgrading the CS suites, and the fact that PDF and PS are outsourced to a foreign land where no one cares about print - we have holes that go unpatched for a long, long time.
Now certainly there are more consequences to jailbreaking than I am implying here - irreversible things, at least for iPad 2's - so don't just rush out to try this.
However, I am confused by some of this. Certainly it would seem that the right thing to do on an iPhone would be to install some App that runs other apps in kernel mode - rather than mucking up the security of the iOS in general by jailbreaking. That is, create an App that is root-owned, that runs in kernel mode, but is otherwise a normal app. Then fire up that app when you wanted to do things.
That way you're not breaking security....
At any rate... Some day Adobe will fix all this. There have been problems like this before (see the links) and there will surely be more in the future.
At any rate its nice to see that PDF, Adobe's legacy, is getting a whole new lease on life in the iOS world.
Virtually every version of iPhone/iOs/iPad/ from Apple appears to have a serious PDF security issue.
I found this due to the site jailbreakme - not that I am interested in jailbreaking per se - but it just showed up like
The issue has to do with JavaScript (surprise, surprise). The problem can also surface in things like Safari and other iOS applications (presumably) that use browser technology. You just go to this site, click on some links and viola - your iDevice is jailbroken. (No messary hacking or mucking about with reds0wn and so forth.)
I have tracked down several sites (this, this, and this) with gory technical details but basically it works like this:
1) Inside a PDF you embedded some malicious JavaScript. There are a number of ways to do this. As an expert I am duty bound not to spill the beans.
2) When the PDF is loaded the JavaScript either calls some specific JS functions known to corrupt memory or use something called HeapSpray to fill memory with things you would like to execute.
3) Once the memory in the JavsScript memory in the PDF interpreter is corrupted and local OS ARM code is inserted by JavaScript the code is ARM code executed. The code then uses an exploit to access "root" space which is the highest-privileged operating mode for iOS.
Typically this exploit (as of July 9th, 2011) is the iOS IOSurface exploit - which creates bogus parameters for the IOSurface API call. Since IOSurfaces work in kernel, aka root, space, the hack is basically complete.
4) The IOSurface, now corrupted, executes code for the hack as root. It checks for a previously installed hack (via the existence of bash). If none is found it then downloads something called 'wad.bin' which contains more executable code as well as a Cydia installer for jailbreaking.
Interestingly enough these PDF JavaScript problems have been around for years.
My guess is that there are a huge variety of PDF hacks one could create by carefully manipulating a PDFs structure to cause any number of equivalent to JavaScript hacks.
I have believed for many years that Adobe no longer cares about PDF or print. And, because of this, their policies for upgrading the CS suites, and the fact that PDF and PS are outsourced to a foreign land where no one cares about print - we have holes that go unpatched for a long, long time.
Now certainly there are more consequences to jailbreaking than I am implying here - irreversible things, at least for iPad 2's - so don't just rush out to try this.
However, I am confused by some of this. Certainly it would seem that the right thing to do on an iPhone would be to install some App that runs other apps in kernel mode - rather than mucking up the security of the iOS in general by jailbreaking. That is, create an App that is root-owned, that runs in kernel mode, but is otherwise a normal app. Then fire up that app when you wanted to do things.
That way you're not breaking security....
At any rate... Some day Adobe will fix all this. There have been problems like this before (see the links) and there will surely be more in the future.
At any rate its nice to see that PDF, Adobe's legacy, is getting a whole new lease on life in the iOS world.
Subscribe to:
Posts (Atom)