Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

pdf exploiting

  1. Home
  2. Forum
  3. Hacking in general
  4. pdf exploiting

ghost's Avatar

ghost

0 0

I was wondering if it's possible to perform an attack similar to XSS or something but use a page of a pdf. At work we have people that can generate pdfs based on answers provided in an online form they fill out. Is it possible to put malicious code into an answer space on one of these forms so that malicious code will be executed when the pdf is viewed? If so, would the filters that PHP has be enough to fix this problem?

Thanks!


ghost's Avatar

ghost

0 0

Doesn't sound like it would be possible since it is not parsed as html rather as a pdf file. If you take a look at a pdf in a hex editor you'll see that it is not human readable anyway, unlike a html/php file so it wouldn't be possible to even execute it as html/php. However, recently there have been a few vulnerabilities involving adobe pdf, if you google it I'm sure it'll come up with something. I could be wrong, just thinking out loud.


ghost's Avatar

ghost

0 0

cyb3rl0rd1867 wrote: Doesn't sound like it would be possible since it is not parsed as html rather as a pdf file. If you take a look at a pdf in a hex editor you'll see that it is not human readable anyway, unlike a html/php file so it wouldn't be possible to even execute it as html/php. However, recently there have been a few vulnerabilities involving adobe pdf, if you google it I'm sure it'll come up with something. I could be wrong, just thinking out loud.

Thanks for your help! I wasn't thinking that the malicious code would be written in html or php. I was thinking more along the lines of some sort of "pdf code" would be used. So when the code is parsed by adobe or something it would execute the malicious code. Does that make sense?


spyware's Avatar

spyware

Banned
0 0

This -was- possible but patched in recent versions of whatever. Check sla.ckers.org and/or ckers.org, there's some PoC on there.


Futility's Avatar

Futility

:(
80 120

pdf files used to be able to run javascript without user permission, putting them in a security realm similar to that of a browser. I read this book a while back detailing the whole process, but everything talked about Adobe Acrobat Reader 7, which, unless I'm mistaken, is old. I don't currently use adobe (foxit owns pretty hard), so I can't really test things in a modern setting, but the book mentioned this whitepaper. You might like to take a look. (Note, it's pretty old) There's a ton more in the book, but I feel quoting 20 pages or so would be… bad?

If you feel like looking it up, it's called "XSS Attacks: Cross Site Scripting Exploits and Defense"