SSTIC 2009 Keynote – Mischievous Origami in PDF

Presenters: Fred RAYNAL, Guillaume DELUGRE, Damien AUMAITRE

Some common misconceptions about PDF:
- The format is open and documented
- The format is static (and therefore secure)

In fact, PDF is a descriptive and dynamic language in which everything is an object. A document can perform several types of actions, including: GoTo, submit, video, sound, 3D, JavaScript, etc.

Virus propagation is then possible using malicious PDFs (without exploiting vulnerabilities), sometimes with a bit of social engineering (validation of a fake update, which is actually a virus).

Once the malicious PDF has been "executed", all other documents signed in the same way (through the signature and trust system integrated into Adobe) can perform any action without user interaction; this is a major flaw in the system.

Adobe's built-in JavaScript engine is poorly documented, but it allows you to do quite a lot.
It is possible, for example, to create a malicious PDF that launches local/network attacks invisibly to the user, just as malicious JavaScript code would in a browser (XSS-like).
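
A defender-side triage check for the action types and embedded JavaScript described above, added here as an example and not taken from the talk. The function names and the sample document are constructed for illustration; the scan reads raw bytes only, so names hidden inside compressed object streams are not seen, and a name that merely appears inside a text string is still counted.

```python
import re
from collections import Counter

# PDF name keys that trigger or carry active behaviour (names from the PDF specification).
ACTIVE_NAMES = {
    "OpenAction": "action run when the document is opened",
    "AA": "additional actions bound to events",
    "JavaScript": "JavaScript action type",
    "JS": "JavaScript source",
    "Launch": "start an external program",
    "SubmitForm": "send form data to a URL",
    "GoToR": "jump to a remote document",
    "URI": "open a URI",
    "Sound": "play a sound",
    "Movie": "play a movie",
    "RichMedia": "embedded rich media",
    "3D": "3D annotation",
}

# A name is '/' followed by regular characters (no PDF whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\f\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count active names in raw PDF bytes and note which were hex-obfuscated."""
    counts, obfuscated = Counter(), set()
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in ACTIVE_NAMES:
            counts[name] += 1
            if b"#" in raw:  # escaping a plain letter is a common evasion signal
                obfuscated.add(name)
    return {"counts": dict(counts), "obfuscated": sorted(obfuscated)}

# Constructed sample: a catalog with an open action pointing at a JavaScript action.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /J#61vaScript /JS (app.alert\\('hello'\\);) >>\nendobj\n"
    b"4 0 obj\n<< /Type /Action /S /URI /URI (http://example.invalid/) >>\nendobj\n"
)

if __name__ == "__main__":
    report = scan_pdf(SAMPLE)
    for name, n in report["counts"].items():
        flag = " (hex-escaped)" if name in report["obfuscated"] else ""
        print(f"/{name} x{n}: {ACTIVE_NAMES[name]}{flag}")
```
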

PDF is therefore a very important attack vector, not to mention the flaws in the software itself (or rather, the misuse of the features it offers).