Let's do a very short script for a play to set the scene for this one. Positions, everyone:
*interlocks his fingers*
CornerPirate: Let’s weave them together. What could possibly go wrong?
What could possibly go wrong indeed. No point dallying; you can find out how that could go wrong at these places:
These are all way more detailed than I would choose to go on the subject and are worth a read.
Probably a great idea to make sure that your email and Internet proxy block them coming inbound then, isn't it?
Get the tool
You can get the source and the built jar from the repository below:
Download the zip or clone it down; it is your choice.
Go to the "dist" directory and run the jar file. In Windows you can double click on the jar if you have the Java Runtime installed. Alternatively you can run:
java -jar JS2PDFInjector.jar
When it launches it will:
- Ask you to select a PDF file to inject into.
- Create the new PDF with "js_injected_" prefixed to the file name, saved as a new file in the same directory as the original PDF.
Pretty simple I think. It could be a command line tool. But meh, I wanted file choosers for some reason that day. You have the source, so go fix it if you like.
As a pentester it is usually sufficient for me to simply evaluate whether the defences strip all JS from a PDF or quarantine the file on the way in. If your solution does neither then I can infer that you could be doing more to protect yourself.
So for me it has been enough to go with a simple alert message like this one:
If you want to weaponize this by injecting malicious things, then you do so at your own legal risk and I am not responsible for your actions.
I just felt that if this was in any way useful to someone then I should share it!
How to use your file legitimately
- Test your Anti-Virus [Local Only Test]
  - Upload your PDF onto a server or workstation you want to test, by USB or whatever works in your environment locally.
  - Right-click and scan with your anti-virus solution and see if it says anything.
  - For bonus points, if your AV is configured to log events centrally, make sure someone has seen the log alert and has kicked off an investigation.
- Test your Email Filtering
  - Use an external email address to email your PDF into a work address.
  - You may have a complex system with multiple in-line inspection points before the message reaches a user. If the email arrives with the attachment intact and the alert (or whatever your payload is) triggers in Adobe Reader, then you should repeat step one (local AV scan). Your company is at risk, as you have found that people can email in potentially dangerous PDF files. Repeating the AV scan manually will show whether it will ever find that file. At this point the payload has already run and you have been compromised.
- Test your Internet Proxy Filtering
  - Upload your PDF file to an Internet web server. It has to be the Internet because Microsoft's various web browsers implement a "zone" model for security. The Internet zone is the least trusted, so it gives the fairest evaluation.
  - Download the file in the default web browser for your users, going through all Internet proxy and inspection routes.
  - Again, if the payload did not execute, try to investigate where in the chain it was stopped, and then look for evidence that staff reacted to that alert.
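For the "did the defences actually strip the JS?" question above, here is an added Python check (not the post's tool, nor any code from CornerPirate) that a defender can run on the PDF before and after it has passed through the mail or proxy filter. It counts the dictionary keys that carry active content, expands the #xx name escapes a naive string match misses, and inflates Flate-compressed streams because object streams can hide the action dictionary from a raw grep. Both sample PDFs are constructed inline and use the same harmless app.alert the post describes.

```python
import re
import zlib

# Constructed sample (not from the post): a minimal PDF whose /OpenAction runs a
# harmless app.alert, the same kind of payload the tool above injects.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('JS executed');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Dictionary keys that indicate active content or auto-run behaviour.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def _decode_names(data: bytes) -> bytes:
    """Expand #xx escapes in PDF names so that /J#53 is matched as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)

def _inflate_streams(data: bytes) -> bytes:
    """Inflate Flate-encoded streams; object streams can hide dictionaries."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:  # decompressobj tolerates the trailing newline before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or corrupt); its raw bytes are scanned anyway
    return b"\n".join(out)

def scan_pdf(data: bytes) -> dict:
    """Count risky keys in the raw file plus any inflated stream bodies."""
    haystack = _decode_names(data + b"\n" + _inflate_streams(data))
    hits = {}
    for key in RISKY_KEYS:
        # The name must end at a delimiter so /JS does not match longer names.
        n = len(re.findall(re.escape(key) + rb"(?=[\s/\[\]<>(){}%])", haystack))
        if n:
            hits[key.decode()] = n
    return hits

def build_objstm_sample() -> bytes:
    """Constructed variant: the same action dictionary hidden inside a
    Flate-compressed stream (layout simplified for the scanner demo)."""
    comp = zlib.compress(b"<< /S /JavaScript /JS (app.alert('JS executed');) >>")
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
            b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(comp)).encode() + b" >>\nstream\n" + comp
            + b"\nendstream\nendobj\n%%EOF\n")
```

An empty result from `scan_pdf()` on the file that reached the user means the filter stripped the active content; a non-empty one means the alert would have fired in Adobe Reader, which is the condition the steps above treat as a finding.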
You can take these techniques and alter them for all other routes into your organisation. A file upload on a website? An SFTP service? And so on.
Hope that helps