Hacker News new | past | comments | ask | show | jobs | submit login

I didn't think PDF files could contain executable code.

Are PDFs as attack vectors common?

Exploits for media format handling code often just use memory safety bugs to get code execution. It can and does happen with simpler formsts too, eg image and video formats.

Adobe acrobat is infamous for being infested with vulnerabilities.

(But yes, PDFs support scripting)

The PDF spec includes a full on (but slightly different) version of JavaScript tragically enough.

> I didn't think PDF files could contain executable code.

Sadly this is how most attacks against {file formats, protocols, standards} work.

  - Lots of parts of the Unicode spec (LTR/RTL swap, phishing attacks with homographs)
  - Interpretation of character set by browser+server
  - XML External Entities to do XXE
  - YAML references to create YAMLBombs
  - Zip massive compression ratios to create ZIP bombs
  - JWT where user assigns no encryption algorithm
  - PHP accepting URLs from user then piping them to PHP filters
  - file upload with polymorphic files
  - file upload where filename suffix doesn't match magic bytes

> Are PDFs as attack vectors common?

This is not news. PDF-based attacks against Acrobat / Acrobat Reader, FoxIt, etc have been common for over a decade.

> Files based on Reader were exploited in almost 49 per cent of the targeted attacks of 2009[1]

> According to a newly released report by Symantec's MessageLabs, malicious PDF files outpace the distribution of related malicious attachments used in targeted attacks.[2] (2011)

> JavaScript and XFA Forms / Adobe LifeCycle[3]

[1] https://www.schneier.com/blog/archives/2010/03/pdf_the_most_...

[2] https://www.zdnet.com/article/report-malicious-pdf-files-bec...

[3] https://www.sentinelone.com/blog/malicious-pdfs-revealing-te...

I think it wasn't so much the normal text content of the PDF itself, but, attackers targeted specific media features of PDF readers that would open files or attachments within or linked from the PDF. Image attachments, etc.

Fun times: https://www.cvedetails.com/vulnerability-list/vendor_id-53/p...

PDF is postscript + other stuff. And postscript is turning complete.

Brainfuck is also turing complete, but it's not Tetris complete. That's a very important distinction for possible attack vectors.

PDFs on the other hand are tetris complete.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact