diving into the portable document format
play

Diving into the Portable Document Format Toulouse Hacking Convention - PowerPoint PPT Presentation

Sep 16, 2023 •45 likes •465 views

Diving into the Portable Document Format Toulouse Hacking Convention 2017 Guillaume Endignoux @gendignoux Friday 3 rd March, 2017 1 / 34 Portable Document Format ? PDF timeline: 1991-1993: inception and first release by Adobe 1 2008: ISO

  1. Diving into the Portable Document Format Toulouse Hacking Convention 2017 Guillaume Endignoux @gendignoux Friday 3 rd March, 2017 1 / 34

  2. Portable Document Format ? PDF timeline: 1991-1993: inception and first release by Adobe 1 2008: ISO specification released (PDF 1.7) ⇒ alternative readers: Evince, PDF.js, Chrome... Soon? ISO specification for PDF 2.0 1 https://acrobat.adobe.com/us/en/why-adobe/about-adobe-pdf.html 2 / 34

  3. Portable Document Format ? PDF timeline: 1991-1993: inception and first release by Adobe 1 2008: ISO specification released (PDF 1.7) ⇒ alternative readers: Evince, PDF.js, Chrome... Soon? ISO specification for PDF 2.0 Many features (not all portable): interactive forms encryption scripting: JavaScript, Flash multimedia: video, sound, 3D artwork ... 1 https://acrobat.adobe.com/us/en/why-adobe/about-adobe-pdf.html 2 / 34

  4. Portable Document Format ? A commonly used format, but many security issues: 500+ reported vulnerabilities in Adobe Reader 2 (since 1999). Variations between implementations. Syntax facilitates polymorphism, e.g. PoC||GTFO (PDF+ZIP, PDF+JPEG...). SHA-1 collisions... I worked on PDF validation: Caradoc 3 project started in 2015 (at ANSSI), paper & presentation at LangSec Workshop 2016 4 . 2 http://www.cvedetails.com 3 https://github.com/ANSSI-FR/caradoc 4 http://spw16.langsec.org/ 3 / 34

  5. Table of contents Introduction to PDF syntax 1 Security problems: case studies 2 Caradoc: 2 years of PDF validation 3 4 / 34

  6. Table of contents Introduction to PDF syntax 1 Security problems: case studies 2 Caradoc: 2 years of PDF validation 3 5 / 34

  7. PDF syntax 101 A PDF document is made of objects. Textual format, similar to JSON but different syntax: null booleans: true , false numbers: 123 , -4.56 strings: (foo) names: /bar arrays: [1 2 3] , [(foo) /bar] dictionaries: << /key (value) /foo 123 >> references: 1 0 obj ... endobj and 1 0 R streams: << ... >> stream ... endstream 6 / 34

  8. Structure of a PDF file %PDF-1.7 1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj Header 2 0 obj Object << /Type /Pages /Count 1 /Kids [3 0 R] >> endobj Object ... xref 0 6 Reference table 0000000000 65536 f 0000000009 00000 n Trailer 0000000060 00000 n ... End-of-file trailer << /Size 6 /Root 1 0 R >> startxref 428 %%EOF Organization of a simple PDF file. 7 / 34

  9. Structure of a PDF file %PDF-1.7 xref 0 6 Header 0000000000 65536 f 0000000009 00000 n Objects 0000000060 00000 n More complex structures: ... ... Original file trailer << /Size 6 /Root 1 0 R >> Table + trailer #1 incremental updates, startxref 428 End-of-file #1 %%EOF object streams, Objects xref ... 0 3 Incremental 0000000002 65536 f linearization. Table + trailer #2 0000000567 00001 n update 0000000000 00001 f 6 1 End-of-file #2 0000001234 00000 n trailer << /Size 7 /Root 1 1 R /Prev 428 >> startxref 1347 %%EOF Incremental update. 8 / 34

  10. Logical structure of a PDF file Document of 17 pages (about 1000 objects). 9 / 34

  11. Graphical instructions Vector graphics = low-level instructions, stored in a stream . Some examples: set font ABC in size 10: /ABC 10 Tf set blue color (RGB): 0 0 1 rg draw text: (Hello world) Tj move to ( x , y ) = ( 5 , 10 ) : 5 10 m draw line to ( 15 , 20 ) : 15 20 l ... I made a cheat sheet: https://github.com/gendx/pdf-cheat-sheets 10 / 34

  12. Draw your own PDF! Creating reference tables/streams is error-prone and boring... Python script to automate the process: https://github.com/gendx/pdf-corpus Source Resulting PDF template = contentstream --- BT 0 700 Td /F1 100 Tf (Hello world !) Tj ET 11 / 34

  13. Table of contents Introduction to PDF syntax 1 Security problems: case studies 2 Caradoc: 2 years of PDF validation 3 12 / 34

  14. Security problems: case studies Security problems arise from: unclear or ambiguous specification, complex or flawed designs in the standard, improper input checking by PDF readers. 13 / 34

  15. Security problems: case studies Security problems arise from: unclear or ambiguous specification, complex or flawed designs in the standard, improper input checking by PDF readers. Some case studies: malicious graph structures, graphics instructions, home-made encryption. 13 / 34

  16. Graph organization The graph of objects is organized into sub-structures, especially trees. Page tree. Catalog Root of the page tree Node Page 3 Page 4 Page 1 Page 2 14 / 34

  17. Graph organization The table of contents uses doubly-linked lists. Table of contents. Outline root Catalog Chapter Chapter Chapter Section Section Section 15 / 34

  18. Problematic structure Some PDF readers loop forever with an invalid structure... Invalid table of contents. Outline root Catalog Chapter Chapter Chapter Section Section Section 16 / 34

  19. Problematic structure This is a design flaw: Complex structures everywhere, but PDF readers do not check them... Simpler design: array of references to store pages? 17 / 34

  20. Graphics instructions Graphics instructions = core of the format ⇒ potential for many bugs! 18 / 34

  21. Graphics instructions Graphics instructions = core of the format ⇒ potential for many bugs! 18 / 34

  22. Graphics instructions I tried to write a PDF optimizer, and found more weird bugs... 19 / 34

  23. Graphics instructions What is in the graphics interpreter? A simple example: Graphics state = font, colors, translations, etc. (e.g. font modified by setfont , used by drawtext ). Graphics state stack : push and pop operators to save & restore graphics state. What if we pop too much (stack underflow)? 20 / 34

  24. Graphics instructions Example 5 for Evince: unbalanced pop seems to stop the interpreter. Pseudo-code: pop before Pseudo-code: pop after pop setfont setfont drawtext (Hello world !) drawtext (Hello world !) pop PDF PDF 5 https://github.com/gendx/pdf-corpus/tree/master/corpus/contentstream/graphic-stack 21 / 34

  25. Demonstration Demonstration Loop in the outline structure https://github.com/ANSSI-FR/caradoc/blob/master/test_files/negative/outlines/cycle.pdf Polymorphic file https://github.com/ANSSI-FR/caradoc/blob/master/test_files/negative/polymorph/polymorph.pdf Poc||GTFO 0x13 https://www.alchemistowl.org/pocorgtfo/pocorgtfo13.pdf 22 / 34

  26. Demonstration These problems may lead to several attacks: Attacks against the parser: denial of service, crash (or worse). Evasion techniques: variations PDF reader vs. malware detector. 23 / 34

  27. Encryption PDF encryption supported since v1.1. 24 / 34

  28. Encryption PDF encryption supported since v1.1. Based on 2 passwords. User password P u : decrypt and view content. Owner password P o : unlock permissions (print, modify...) ⇒ enforced only by compliant software ( P u is enough to decrypt). 24 / 34

  29. Encryption PDF encryption supported since v1.1. Based on 2 passwords. User password P u : decrypt and view content. Owner password P o : unlock permissions (print, modify...) ⇒ enforced only by compliant software ( P u is enough to decrypt). Security issues: Partial encryption : only strings and streams are encrypted, general document structure is leaked... Ad-hoc key-derivation from passwords & checksums (based on MD5+RC4). 24 / 34

  30. Home-made encryption Complex derivation of keys from passwords. P u P o K o K u A B O C D U P , ID A, C, E ≈ MD5 B ≈ RC4 K a , b a , b E D ≈ MD5+RC4 password checksum (in file) salt (in file) object key Main problem : checksum O is deterministic function of passwords, no salt! ⇒ 33% collisions for 478 files crawled from Internet... 25 / 34

  31. Table of contents Introduction to PDF syntax 1 Security problems: case studies 2 Caradoc: 2 years of PDF validation 3 26 / 34

  32. Caradoc validation I worked on Caradoc, a PDF validator. Implementation in OCaml from the PDF specification 6 . Caradoc verifies the following: File syntax. Objects consistency (type checking). Graph (page tree...). Vector graphics instructions (syntax). 6 https://www.adobe.com/devnet/pdf/pdf_reference.html 27 / 34

  33. Caradoc validation I worked on Caradoc, a PDF validator. Implementation in OCaml from the PDF specification 6 . Caradoc verifies the following: File syntax. Objects consistency (type checking). Graph (page tree...). Vector graphics instructions (syntax). Validation workflow. graph of references strict parser type graph graphics future objects PDF checking checking instructions work relaxed parser extraction of list of no error specific objects types detected normalization 6 https://www.adobe.com/devnet/pdf/pdf_reference.html 27 / 34

  34. Syntax restriction At syntax level, guarantee extraction of objects without ambiguity: Grammar formalization 7 (BNF). Structure restrictions (no updates, no linearization , etc.). Systematic rejection of “corrupted” files. 7 https://github.com/ANSSI-FR/caradoc/tree/master/doc/grammar 28 / 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PC PORTABLE PC PORTABLE PC PORTABLE Introducing the PC Portable Lamp, one of a range of

PC PORTABLE PC PORTABLE PC PORTABLE Introducing the PC Portable Lamp, one of a range of

PC PORTABLE PC PORTABLE PC PORTABLE Introducing the PC Portable Lamp, one of a range of new light fjxtures based on Pierre Charpins original PC Task Light, a HAY classic. Like its predecessor, the PC Portable hides its engineering

271 views • 15 slides
Inside PDF Lecture @21C3 The Portable Document Format A Short Introduction Maik Musall

Inside PDF Lecture @21C3 The Portable Document Format A Short Introduction Maik Musall

Inside PDF Lecture @21C3 The Portable Document Format A Short Introduction Maik Musall &lt;maik@musall.de&gt; CCC Erlangen Overview History of PDF and it's relation to PostScript Licenses and legal issues File format syntax and

584 views • 17 slides
CONSTANT INSECURITY: THINGS YOU DIDN'T KNOW ABOUT (PECOFF) PORTABLE EXECUTABLE FILE FORMAT

CONSTANT INSECURITY: THINGS YOU DIDN'T KNOW ABOUT (PECOFF) PORTABLE EXECUTABLE FILE FORMAT

BlackHat USA 2011, Las Vegas Mario Vuksan &amp; Tomislav Pericin, ReversingLabs CONSTANT INSECURITY: THINGS YOU DIDN'T KNOW ABOUT (PECOFF) PORTABLE EXECUTABLE FILE FORMAT Constant Insecurity Maturing Code PE has been on Windows for 18

686 views • 41 slides
Portable data format by example: netcdf Latin American Introductory School on Parallel Programming

Portable data format by example: netcdf Latin American Introductory School on Parallel Programming

Portable data format by example: netcdf Latin American Introductory School on Parallel Programming and Parallel Architecture for High Performance Computing William Oquendo, woquendo@gmail.com Outline A simple example : a 2D matrix Saving

528 views • 36 slides
Portable Document Format (PDF) Security Analysis and Malware Threats Alexandre Blonce - Eric

Portable Document Format (PDF) Security Analysis and Malware Threats Alexandre Blonce - Eric

Portable Document Format (PDF) Security Analysis and Malware Threats Alexandre Blonce - Eric Filiol 1 - Laurent Frayssignes Army Signals Academy - Virology and Cryptology Laboratory About Author(s) Eric Filiol is Head Scientist Officer of the

474 views • 20 slides
Recent advances in diving medicine research DAN Europe VGE Studies A Century of Diving Medicine

Recent advances in diving medicine research DAN Europe VGE Studies A Century of Diving Medicine

Recent advances in diving medicine research DAN Europe VGE Studies A Century of Diving Medicine Research 1908 : J.S. Haldane staged decompression prevents DCS 2003 : D. Elliott After nearly 100 years of diving

612 views • 44 slides
Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable

Executable File Formats Portable Executable (PE) Executable file format of choice for Windows Executable and Linkable Format (ELF) Executable file

330 views • 16 slides
Day 2: Diving Deeper into Day 2: Diving Deeper into Data Visualization with R Data Visualization

Day 2: Diving Deeper into Day 2: Diving Deeper into Data Visualization with R Data Visualization

Day 2: Diving Deeper into Day 2: Diving Deeper into Data Visualization with R Data Visualization with R Introduction Introduction Presented by Di Cook Department of Econometrics and Business Statistics 12 Nov 2020 @ Statistical Society of

250 views • 8 slides
6 and 8 Times Table and Division Facts Diving into Mastery Guidance for Educators Diving Deeper

6 and 8 Times Table and Division Facts Diving into Mastery Guidance for Educators Diving Deeper

6 and 8 Times Table and Division Facts Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim This week we are really focusing on securing the 6 and 8 multiplication tables . It is really important to be able to recall these

198 views • 16 slides
Southern Diving Group SDU1 (Plymouth) / SDU2 (Portsmouth) Commander Del McKnight RN Fleet Diving

Southern Diving Group SDU1 (Plymouth) / SDU2 (Portsmouth) Commander Del McKnight RN Fleet Diving

Southern Diving Group SDU1 (Plymouth) / SDU2 (Portsmouth) Commander Del McKnight RN Fleet Diving Squadron UDT Conference 2 The Strategic Responsibility Island Nation 90% per volume of world trade by sea Freedom of Navigation/access

505 views • 24 slides
7, 11 and 12 Multiplication Tables Diving into Mastery Guidance for Educators Diving Deeper

7, 11 and 12 Multiplication Tables Diving into Mastery Guidance for Educators Diving Deeper

7, 11 and 12 Multiplication Tables Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim This week we are really focusing on securing the 7, 11 and 12 multiplication tables . It is really important to be able to recall these

665 views • 18 slides
Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim Read Roman numerals to

Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim Read Roman numerals to

Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim Read Roman numerals to 1000 (M) and recognise years written in Roman numerals. Roman Numerals to 1000 Diving Correctly match the Roman numerals to the words and digits.

520 views • 13 slides
Portable fuel cell system s Jaeyoung Lee September 19, 2006 http:/ / w w w .h2 fc.re.kr Energy

Portable fuel cell system s Jaeyoung Lee September 19, 2006 http:/ / w w w .h2 fc.re.kr Energy

E lectrochemical R eaction &amp; T echnology L aboratory (ERTL) System development of Portable fuel cells System development of Portable fuel cells System development of Portable fuel cells System development of Portable fuel cells Portable

547 views • 41 slides
PORTABLE MANAGEMENT BEX/BTA Oversight Committee May 17, 2019 Agenda Portable Management

PORTABLE MANAGEMENT BEX/BTA Oversight Committee May 17, 2019 Agenda Portable Management

PORTABLE MANAGEMENT BEX/BTA Oversight Committee May 17, 2019 Agenda Portable Management Recent History of Portable Management McKinistry Condition Assessment Scores Budget P er P ortable Classroom Draft P ortable

205 views • 18 slides
Diving into Mastery Guidance for Educators Each activity sheet is split into three sections,

Diving into Mastery Guidance for Educators Each activity sheet is split into three sections,

Diving into Mastery Guidance for Educators Each activity sheet is split into three sections, diving, deeper and deepest, which are represented by the following icons: These carefully designed activities take your children through a learning

156 views • 15 slides
Portable Parallel I/O SIONlib May 26, 2014 Wolfgang Frings, Florian Janetzko, Michael Stephan

Portable Parallel I/O SIONlib May 26, 2014 Wolfgang Frings, Florian Janetzko, Michael Stephan

Mitglied der Helmholtz-Gemeinschaft Portable Parallel I/O SIONlib May 26, 2014 Wolfgang Frings, Florian Janetzko, Michael Stephan Outline Introduction Motivation SIONlib in a Nutshell SIONlib file format Details Interface Example Tools

938 views • 89 slides
L T A A brief tour David Griffiths Mathematics Division University of Dundee L A T EX

L T A A brief tour David Griffiths Mathematics Division University of Dundee L A T EX

EX presentations with Prosper L T A A brief tour David Griffiths Mathematics Division University of Dundee L A T EX presentations with Prosper p. 1/16 Introduction The PROSPER package has been written by Frdric Goualard, CWI,

700 views • 50 slides
Sweave User Manual Friedrich Leisch R Version 1.5.0 Contents 1 Introduction 2 2 Noweb files

Sweave User Manual Friedrich Leisch R Version 1.5.0 Contents 1 Introduction 2 2 Noweb files

Sweave User Manual Friedrich Leisch R Version 1.5.0 Contents 1 Introduction 2 2 Noweb files 2 3 Sweave files 3 3.1 A simple example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2 Sweave options . . .

796 views • 14 slides
L15 July 10, 2017 1 Lecture 15: Data Visualization CSCI 1360E: Foundations for Informatics and

L15 July 10, 2017 1 Lecture 15: Data Visualization CSCI 1360E: Foundations for Informatics and

L15 July 10, 2017 1 Lecture 15: Data Visualization CSCI 1360E: Foundations for Informatics and Analytics 1.1 Overview and Objectives Data visualization is one of, if not the , most important method of communicating data science results.

441 views • 19 slides
Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption

Novel Encryption Method of GPS Information in Image File Using Format-preserving Encryption Changhyun Lee, Yeonju Choi, Hyeongmin Park, Kangbin Yim, and Sun-Young Lee Soonchunhyang University IMIS 2019 Presenter: Brandon Falk (

645 views • 21 slides
1 &lt;Insert Picture Here&gt; Visual Development of JavaFX Applications David Kaspar Software

1 &lt;Insert Picture Here&gt; Visual Development of JavaFX Applications David Kaspar Software

1 &lt;Insert Picture Here&gt; Visual Development of JavaFX Applications David Kaspar Software Engineer JavaOne and Oracle Develop Latin America 2010 December 79, 2010 3 JavaOne and Oracle Develop Beijing 2010 December 1416, 2010 4 The

415 views • 26 slides
Maxiplot: Maxima and Gnuplot in L A T EX. September 21, 2013 1 Introduction For those who do

Maxiplot: Maxima and Gnuplot in L A T EX. September 21, 2013 1 Introduction For those who do

Maxiplot: Maxima and Gnuplot in L A T EX. September 21, 2013 1 Introduction For those who do not know Maxima , it is a symbolic calculation program which can be used to compute derivatives and integrals, solve equations, find limits, work with

455 views • 9 slides
MPEG- -4 Standards 4 Standards MPEG-4 Standards MPEG Fernando Pereira Fernando Pereira

MPEG- -4 Standards 4 Standards MPEG-4 Standards MPEG Fernando Pereira Fernando Pereira

MPEG- -4 Standards 4 Standards MPEG-4 Standards MPEG Fernando Pereira Fernando Pereira Fernando Pereira Klagenfurt, Austria, October 2008 Klagenfurt, Austria, October 2008 Audiovisual Compression: from Basics to Systems, Fernando Pereira

573 views • 32 slides
SCALABLE VECTOR GRAPHICS WEB STANDARD FOR CARTOGRAPHY Otakar Cerba University of West

SCALABLE VECTOR GRAPHICS WEB STANDARD FOR CARTOGRAPHY Otakar Cerba University of West

SCALABLE VECTOR GRAPHICS WEB STANDARD FOR CARTOGRAPHY Otakar Cerba University of West Bohemia Plzen, Czech Republic International Cartographic Conference 26.-30. 8. 2013, Dresden, Germany goal Scalable Vector Flash Graphics (SVG) ?

638 views • 17 slides

More recommend