Tuesday, July 6, 2010

Preventing the /Launch Action “cmd.exe” Bypass

Via Didier Stevens' Blog (July 4th) -

Adobe has released a new Adobe Reader version that contains functionality to block my /Launch action PoC, but Bkis found a bypass: just put double quotes around cmd.exe, like this: “cmd.exe”.
[...]

I did some research and discovered that Adobe implemented a blacklist of extensions for the launch action, but that the blacklisting functionality identifies the file type of “cmd.exe” as .exe”, and not .exe

Adobe is aware of the issue, and will evaluate the need to fix the blacklisting functionality.

But meanwhile, you can apply my fix to block launching “cmd.exe”.


------------------------------------

See Didier Stevens' full post for the steps to mitigate the quote bypass by extending Adobe's launch-action blacklist in the registry so that the quoted form is blocked as well.
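The excerpt above says Adobe's blacklist check reads the "extension" of the string “cmd.exe” as .exe” (with the trailing quote) rather than .exe, so it never matches the .exe entry. The following is an added example, not code from Didier Stevens' post or from Adobe Reader, that models that flaw beside a hardened check. The blacklist contents, the function names and the sample targets are all constructed for illustration; the real list and matching logic live in Reader's registry settings and are not reproduced here.

```python
from pathlib import PureWindowsPath

# Constructed blacklist of extensions the launch action should refuse
# (illustrative; not Adobe's actual list).
BLACKLIST = {".exe", ".bat", ".cmd", ".com", ".vbs", ".js", ".pif", ".scr"}


def naive_extension(target: str) -> str:
    """Model the flawed check: everything from the last dot onward, verbatim.

    For '"cmd.exe"' this yields '.exe"', which is not in BLACKLIST, so the
    quoted form slips past a list that does block 'cmd.exe'.
    """
    dot = target.rfind(".")
    return target[dot:].lower() if dot != -1 else ""


def hardened_extension(target: str) -> str:
    """Normalise the launch target before classifying it.

    Surrounding whitespace and quotes are stripped, the last path component
    is isolated, and trailing spaces/dots are removed because Win32 ignores
    them when resolving a file name ('cmd.exe.' opens cmd.exe).
    """
    name = target.strip().strip("\"'")
    name = PureWindowsPath(name).name.rstrip(" .")
    return PureWindowsPath(name).suffix.lower()


def is_blocked(target: str, extractor=hardened_extension) -> bool:
    """True if the extractor's view of the target's extension is blacklisted."""
    return extractor(target) in BLACKLIST


def compare(targets):
    """Return {target: (blocked_by_naive, blocked_by_hardened)} for each target."""
    return {
        t: (is_blocked(t, naive_extension), is_blocked(t, hardened_extension))
        for t in targets
    }


if __name__ == "__main__":
    # Constructed sample /Launch /F values: the original PoC, the Bkis quoted
    # bypass, and a couple of other normalisation edge cases.
    samples = [
        "cmd.exe",
        '"cmd.exe"',
        "C:\\Windows\\System32\\cmd.exe.",
        "notes.txt",
    ]
    for target, (naive, hardened) in compare(samples).items():
        print(f"{target!r:40} naive={'BLOCK' if naive else 'allow':5} "
              f"hardened={'BLOCK' if hardened else 'allow'}")
```

The point of the hardened version is not a longer blacklist but a canonical form: every transformation the operating system will apply when it resolves the name (quote removal, trailing-dot stripping, case folding) has to be applied by the filter first, otherwise each such transformation is a bypass.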
