Jump to content
Aerosol

50 shades of grey can turn Adobe Reader into a hot mess

Recommended Posts

Greyscale pics are a great place to hide malcode

skull_87e465783465873.jpg?x=648&y=429&crop=1

Hackers can duck antivirus programs and execute malware in Adobe Reader by using greyscale images, says Danish security boffin Dénes Óvári.

Lossy compression is thought to be susceptible to the DCTDecode filter, which should nuke malware woven into images and blunt this form of attack.

However new intelligence published in the paper Script in a Lossy Stream (PDF) shows bad guys and penetration testers can use the filter within PDF documents to hide malcode using JPEG images that are set to greyscale to avoid distortion.

This process gives antivirus and human malware analysts the slip as they generally assume any malcode hiding in the JPEG filter will be compressed and scrambled.

“Following the introduction of a sandbox for JavaScript code in Acrobat Reader, the use of PDF as an attack vector decreased dramatically,” Óvári says.

“Although this is not a security breach in itself, the fact that the usage of DCTDecode for this purpose has seemingly been ruled out by the industry means that even known threats could be hidden in this way from anti-virus scanners or researchers.

“In order to provide users with maximum protection, the DCTDecode stream must no longer be overlooked: in PDF reader implementations, the referencing of uncompressed image data as parameters from objects expecting binary data should be prohibited.”

ss_4565757567.jpg

Óvári says attacks still require exploits to be used inside the DCTDecode stream, reducing the overall threat presented by the research.

He created a proof of concept attack in which he says a script was encoded as a high-quality greyscale JPEG image, placed in an image object filtered with DCTDecode, and then referenced by a JavaScript action entry.

“When opening the document, the alert dialog just pops up under the old Reader 9, proving that the code of the short script was decompressed losslessly,” he says.

The attack still works under the latest version of Reader with some small modification.

Óvári says other file formats that assume data within JPEGs uses lossy compression while a greyscale mode is available should be re-evaluated.

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...