
Caution: Adobe PDF vulnerability (/Launch /Action command)

by 잡다한 처리 2010. 7. 5.

Security expert Didier Stevens reported that although the recent Adobe update patched the /Launch /Action command, a way to bypass the patch has already been found.

Simply putting " (double quotes) around the existing cmd.exe gets it straight past the check.

That is, it takes the form cmd.exe -> "cmd.exe".

For details, see the post below....

Adobe has released a new Adobe Reader version that contains functionality to block my /Launch action PoC, but Bkis found a bypass: just put double quotes around cmd.exe, like this: "cmd.exe".

I did some research and discovered that Adobe implemented a blacklist of extensions for the launch action, but that the blacklisting functionality identifies the file type of "cmd.exe" as .exe", and not .exe

Adobe is aware of the issue, and will evaluate the need to fix the blacklisting functionality.

But meanwhile, you can apply my fix to block launching "cmd.exe".

You can configure the blacklist of extensions via the registry. Go to HKLM\SOFTWARE\Policies\Adobe\product\version\FeatureLockDown\cDefaultLaunchAttachmentPerms and open registry value tBuiltInPermList.

This is a list of |-separated extensions, together with the action Adobe Reader should take (3 means block the extension). Add .exe":3 to block "cmd.exe":

With this addition, Bkis’ bypass will not work anymore:

Some further testing shows that adding 2 double quotes is also a way to bypass the blacklist: ""cmd.exe"":

So we need to block this too:

I tested 3 and 4 quotes too, but this is not accepted by Adobe Reader. But should there still be other valid characters to append to the extension, you can block them in the same way as I showed here, until Adobe fixes the blacklist functionality.
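The blacklist behaviour described in the quoted post, modelled as an added example (not from Didier Stevens' post and not Adobe Reader's code): it parses a tBuiltInPermList-style string, shows why the quoted name misses the .exe entry, and lists the entries needed to cover one and two trailing quotes. The sample list, the function names and the last-dot file-type rule are assumptions, and applying the quoted entries to every blocked extension goes beyond the .exe case in the post.

```python
# Added example: models the blacklist lookup described in the post.
# Not Adobe Reader's code; the last-dot file-type rule is an assumption.

BLOCK = 3  # per the post, action 3 means "block the extension"

# Constructed sample in the |-separated ext:action format. The ".pdf:2"
# entry is only a constructed non-block value; the post does not define 2.
SAMPLE_PERM_LIST = ".bat:3|.cmd:3|.exe:3|.pdf:2"


def parse_perm_list(value):
    """Return {extension: action} from a |-separated 'ext:action' string."""
    perms = {}
    for entry in value.split("|"):
        # Split on the last colon so an extension containing '"' stays intact.
        ext, sep, action = entry.rpartition(":")
        if sep and action.isdigit():
            perms[ext.lower()] = int(action)
    return perms


def file_type(target):
    """Assumed model of the reported flaw: everything from the last dot on."""
    dot = target.rfind(".")
    return target[dot:].lower() if dot != -1 else ""


def is_blocked(target, perms):
    return perms.get(file_type(target)) == BLOCK


def missing_quote_entries(perms, max_quotes=2):
    """Entries still needed so blocked extensions followed by 1..max_quotes
    double quotes are blocked too (the post reports 3 and 4 are rejected)."""
    missing = []
    for ext, action in perms.items():
        if action != BLOCK or ext.endswith('"'):
            continue
        for n in range(1, max_quotes + 1):
            variant = ext + '"' * n
            if perms.get(variant) != BLOCK:
                missing.append(f"{variant}:{BLOCK}")
    return missing


def harden(value, max_quotes=2):
    """Return the list string with the missing quoted entries appended."""
    extra = missing_quote_entries(parse_perm_list(value), max_quotes)
    return "|".join([value] + extra) if extra else value
```

Running `missing_quote_entries` over the value read from the registry gives a quick audit of whether the workaround entries are in place.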


