PDF File Format: Basic Structure [updated 2020] - Security Boulevard

PDF File Format: Basic Structure [updated 2020]

Introduction

Many attacks on PDF readers work by embedding a malicious payload, typically shellcode, in a PDF document. The document is crafted to trigger a vulnerability in the way the reader parses or renders it, and exploiting that vulnerability lets the attacker execute the payload on the victim's system.

The following image shows the number of vulnerabilities discovered per year in Adobe Acrobat Reader DC, which was released in 2015 and became the only supported Acrobat Reader version when support for Acrobat XI ended in October 2017. The count has been increasing over the years. The most important ones are the code execution vulnerabilities, which an attacker can use to run arbitrary code on any target system where Acrobat Reader has not yet been patched.

Figure 1: Adobe Acrobat Reader DC vulnerabilities

This is a strong reminder to keep the PDF reader up to date: the number of vulnerabilities discovered recently is daunting, and each unpatched one is a potential way in.

PDF file structure

Whenever we want to discover new vulnerabilities in a piece of software, we should first understand the protocol or file format that the software consumes. In our case that means understanding the PDF file format in detail, so this article looks at the PDF file format and its internals.

PDF (Portable Document Format) is a file format for presenting documents that combine text, images, multimedia elements, web links and more, and it has a very wide feature set. The PDF specification is publicly available and can be used by anyone interested in the format, but it runs to almost 800 pages, so reading through it is not something to do on a whim.
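Before opening the specification it helps to see the skeleton that every PDF shares. The example below is added here and is not code from the article or from any PDF library: it builds a minimal one-page PDF from the four structural parts defined by the specification (the `%PDF-x.y` header, the body of numbered `obj ... endobj` objects, the `xref` table of 20-byte entries, and the `trailer` dictionary followed by `startxref` and `%%EOF`), then parses it back the way a reader does, starting from the end of the file. It goes a little beyond the overview above by also checking that each xref offset really points at the object it claims to, since an xref table that lies about offsets is exactly the kind of malformed input a parser has to survive. The one-page document, the helper names and the `swap_xref_entries` tampering routine are constructed for this example.

```python
import re


def build_minimal_pdf(text="Hello, PDF"):
    """Construct a minimal one-page PDF (constructed sample input) from the
    four structural parts: header, body objects, xref table, trailer."""
    stream = f"BT /F1 24 Tf 72 720 Td ({text}) Tj ET".encode("latin-1")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",                      # 1 0 obj
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",              # 2 0 obj
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "   # 3 0 obj
        b"/Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",  # 4 0 obj
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")  # header + binary-marker comment
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                        # byte offset recorded for xref
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"                     # entry 0: head of the free list
    for off in offsets:
        out += b"%010d 00000 n \n" % off                # every entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)


def _dict_ref(body, key):
    """Object number of the indirect reference '/key n g R' in body, or None."""
    m = re.search(rb"/" + key + rb"\s+(\d+)\s+\d+\s+R", body)
    return int(m.group(1)) if m else None


def load_object(data, offsets, num):
    """Seek to the xref offset for object `num` and return its body.  The object
    header found there must carry number `num`; a mismatch means the xref table
    is corrupted (or deliberately lying), so refuse rather than guess."""
    off = offsets[num]
    m = re.match(rb"(\d+)\s+(\d+)\s+obj\s*", data[off:])
    if not m or int(m.group(1)) != num:
        raise ValueError(f"xref offset {off} does not hold object {num}")
    start = off + m.end()
    end = data.find(b"endobj", start)
    if end < 0:
        raise ValueError(f"object {num} has no endobj")
    return data[start:end].strip()


def parse_pdf(data):
    """Walk the file as a reader does: header, then startxref from the END of the
    file, then the xref table, the trailer, and the object graph from /Root."""
    m = re.match(rb"%PDF-(\d\.\d)", data)
    if not m:
        raise ValueError("missing %PDF header")
    version = m.group(1).decode()

    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", data[-1024:])
    if not m:
        raise ValueError("missing startxref / %%EOF at end of file")
    xref_pos = int(m.group(1))
    m = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", data[xref_pos:])
    if not m:
        raise ValueError(f"startxref {xref_pos} does not point at an xref table")
    first, count = int(m.group(1)), int(m.group(2))
    entries_start = xref_pos + m.end()

    offsets = {}
    for i in range(count):                              # fixed-width 20-byte entries
        entry = data[entries_start + 20 * i: entries_start + 20 * (i + 1)]
        em = re.match(rb"(\d{10}) (\d{5}) ([nf])", entry)
        if not em:
            raise ValueError(f"malformed xref entry {first + i}")
        if em.group(3) == b"n":                         # 'n' = in use, 'f' = free
            offsets[first + i] = int(em.group(1))

    trailer_pos = data.find(b"trailer", entries_start + 20 * count)
    m = re.match(rb"trailer\s*<<(.*?)>>", data[trailer_pos:], re.S)
    if trailer_pos < 0 or not m:
        raise ValueError("missing trailer dictionary")
    trailer = m.group(1)
    size = int(re.search(rb"/Size\s+(\d+)", trailer).group(1))
    if size < first + count:
        raise ValueError("/Size is smaller than the xref table it describes")

    root = _dict_ref(trailer, b"Root")
    catalog = load_object(data, offsets, root)
    pages = load_object(data, offsets, _dict_ref(catalog, b"Pages"))
    kids = re.search(rb"/Kids\s*\[([^\]]*)\]", pages).group(1)
    page_objects = [int(n) for n in re.findall(rb"(\d+)\s+\d+\s+R", kids)]
    return {"version": version, "xref_offset": xref_pos, "size": size,
            "root": root, "objects": sorted(offsets), "page_objects": page_objects}


def is_well_formed(data):
    try:
        parse_pdf(data)
        return True
    except ValueError:
        return False


def swap_xref_entries(data, a, b):
    """Swap the xref entries of objects a and b (single subsection starting at 0)
    to simulate a corrupted cross-reference table."""
    base = re.search(rb"xref\s+0\s+\d+\s+", data).end()
    out = bytearray(data)
    ea, eb = data[base + 20 * a: base + 20 * (a + 1)], data[base + 20 * b: base + 20 * (b + 1)]
    out[base + 20 * a: base + 20 * (a + 1)] = eb
    out[base + 20 * b: base + 20 * (b + 1)] = ea
    return bytes(out)


if __name__ == "__main__":
    pdf = build_minimal_pdf()
    print(parse_pdf(pdf))
    print("tampered xref accepted:", is_well_formed(swap_xref_entries(pdf, 1, 2)))
```

Running the block writes nothing to disk, but the bytes returned by `build_minimal_pdf()` open in any PDF reader if saved to a file. The parser deliberately handles only the plain, single-section form of the structure: real documents may contain several xref subsections, incremental updates chained through `/Prev`, and compressed cross-reference streams, all of which are part of the specification the article refers to.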

PDF has more functions than just text: it (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Dejan Lukan. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/X24Qpluow54/