xpdf and acrobat reader hole

Sam Halliday fommil at yahoo.ie
Mon Jun 16 18:08:05 PDT 2003


James Iwanek wrote:
> Jochen Schroeder wrote:
> > There is a hole in acrobat reader and xpdf which lets you execute
> > any shell command from within a pdf-document. Nice thing if you
> > embed rm -rf $HOME/* within a pdf-file. Am still not quite sure if
> > this really is a hole or considered a feature ;-). Anyways here's
> > the relevant link:
> > http://lists.netsys.com/pipermail/full-disclosure/2003-June/010397.html
> any fool knows you have a more robust hack if you were to replace
> monkey with $USER ;-)

`rm -rf $HOME/$USER`

can't see that doing much :-/
(e.g. expanded=`rm -rf /home/samuel/samuel`)

however, a REAL fool would use the opportunity to plant a backdoor or
mail a secret GPG key back home... the simplicity of this exploit is
quite scary, i imagine that most applications/formats have similar
issues; especially with everything trying so hard to interoperate on a
point-and-click basis.

i wonder if large archives like arXiv.org are going to parse for this
kind of thing? they generate PDF files on demand (with some level of
caching) from the source .tex files. however, someone actually using
this kind of exploit with their name attached to it is enough to lose
them a career in research, but it is scary that such an exploit is
possible to begin with...

Sam... thinking about moving this to lfs-chat
-- 
Trespassers will be shot. Survivors will be SHOT AGAIN!