Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/whiteshadow1234/pdf_shield
A user-friendly PDF DoS Detector. Contributions are most welcome!
- Host: GitHub
- URL: https://github.com/whiteshadow1234/pdf_shield
- Owner: whiteSHADOW1234
- License: mit
- Created: 2023-09-26T06:01:15.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-05-22T16:14:22.000Z (8 months ago)
- Last Synced: 2024-05-22T17:34:08.084Z (8 months ago)
- Topics: chromium, chromium-browser, contributions-welcome, cyber-security, cybersecurity, defender, dos-attacks, infinite-loop, pdf, pdf-attack, pdf-document, pdf-security, pdfium, pdfiumviewer, python, security-tools, zip-bomb
- Language: Tcl
- Size: 97.6 MB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## Introduction
PDF Shield is a Python tool designed to help users identify the potential for Denial of Service (DoS) attacks and JavaScript code embedded in PDF files. PDF files are often used as vectors for social engineering attacks, where attackers attempt to trick victims into opening malicious files.
This tool aims to provide users with an additional layer of security by analyzing downloaded PDF files and alerting them if the file contains a potential DoS attack.
## Motivation
[PDF attacks, particularly as a method within social engineering attacks, have seen a significant increase in occurrence.](https://gbhackers.com/virustotal-malware-trends/) [Cyber adversaries exploit the flexibility of PDF files, often leveraging JavaScript customization to target unsuspecting users.](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/threat-loaded-malicious-pdfs-never-go-out-of-style/) [Despite attempts to address vulnerabilities, built-in PDF reader engines in modern browsers remain vulnerable.](https://github.com/RUB-NDS/PDF101/tree/master/02-exploits/24-chrome-browser) To mitigate risks, the PDF DoS Detector aims to reduce the number of victims by alerting users to potential DoS attack methods found within PDF files.
## Attacker Model
- Victim opens malicious PDF document
- Bad things happen (attack-dependent)
- No user interaction required

## Simple Attack Method
Take a JavaScript-embedded attack as an example:
1. Run `pip install PyPDF2` in the terminal.
2. Next, use the `.add_js()` method of the `PyPDF2` library to create a Python script:
```python
import PyPDF2


def embed_javascript(pdf_file, js_code):
    # Copy every page of the input PDF into a new writer.
    pdf_reader = PyPDF2.PdfReader(pdf_file)
    pdf_writer = PyPDF2.PdfWriter()
    for page in pdf_reader.pages:
        pdf_writer.add_page(page)
    # Attach the script as document-level JavaScript.
    pdf_writer.add_js(js_code)
    with open('embedded.pdf', "wb") as f:
        pdf_writer.write(f)


# Script that keeps raising alert windows in a loop.
javascript_code = '''
while(1){
    app.alert("Hello, World!");
}
'''

pdf_file_path = 'blank.pdf'
with open(pdf_file_path, 'rb') as pdf_file:
    embed_javascript(pdf_file, javascript_code)
```
3. Please ensure that you run the Python file you've recently generated. **Don't forget to update the `FILE_NAME` accordingly!**
4. Open the `embedded.pdf` file in the listed web browsers to verify that they trigger an alert window, confirming the successful execution of the embedded JavaScript code within the PDF.

   A. Microsoft Edge:
   ![S181PIggp](https://github.com/whiteSHADOW1234/PDF_Sheld/assets/91242001/d085871f-c6ef-4a60-b566-2e3a05a55c19)

   B. Google Chrome:
   ![S1nMdLlg6](https://github.com/whiteSHADOW1234/PDF_Sheld/assets/91242001/efa3d0c6-69c6-4ef1-84aa-cc46e45db224)

   C. Brave:
   ![SJ97_IeeT](https://github.com/whiteSHADOW1234/PDF_Sheld/assets/91242001/6ccfb595-320e-4cfe-af47-e73da492d515)

## Defense Model
- The user downloads a potentially malicious PDF.
- The tool conducts an automated scan on the downloaded PDF, presenting the results through a user-friendly pop-up window.
- The user is empowered to make informed decisions, with options to either eliminate identified vulnerabilities within the PDF or proceed with opening it.

## Defense Targets
- **Note:** The following chart lists CVE information specifically related to PDFium. While it might apply to other PDF engines, our project focuses on creating a defense tool for current web browsers using PDFium, like Chrome, Brave, and Edge. Examples include **CVE-2023-41257 (Foxit Reader 12.1.2.15356)**, **CVE-2023-38573 (Foxit Reader 12.1.2.15356)**, and **CVE-2022-39016 (PDFtron in M-Files Hubshare before 3.3.10.9)**.

### JavaScript Related Attacks
| Description | Defence Method | Related CVEs or Papers |
| -------------------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------------- |
| JS runs stored XSS payload | Notify the user that JS is embedded in the PDF | CVE-2023-45207 |
| Remote attackers use JS to cause DoS | Notify the user that JS is embedded in the PDF | CVE-2012-2844 |
| Execute arbitrary JavaScript code with chrome privileges | Notify the user that JS is embedded in the PDF | CVE-2013-5598 |
| XSS created by injected JS | Notify the user that JS is embedded in the PDF | CVE-2007-0045 |
| Infinite loops caused by JavaScript | Notify the user that JS is embedded in the PDF | CVE-2007-0104 |
| Sharing of objects over calls into JavaScript runtime | Notify the user that JS is embedded in the PDF | CVE-2019-5772 |
| Form modification caused by JavaScript | Notify the user that JS is embedded in the PDF | Shadow Attacks: Hiding and Replacing Content in Signed PDFs |

- This project alerts users when it finds JavaScript code for two reasons. First, many attacks are connected to JavaScript, according to Spider Experts. Second, creating a responsive PDF doesn't need JavaScript; there are built-in Named Objects that support responsive actions. JavaScript is only necessary if the PDF relies solely on it, for example, detecting keystrokes or playing videos without using YouTube or other online services.
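One way to raise the "JS is embedded" notice from the table above, shown as an added example (not PDF Shield's own code): a raw-byte scan that decodes `#xx` name escapes before matching, so a name written as `/J#61vaScript` is still reported. The function names, the `SUSPICIOUS` set and the sample bytes are constructed for this illustration.

```python
import re

# Name keys that carry scripts or auto-run actions in a PDF dictionary.
SUSPICIOUS = {"JS", "JavaScript", "OpenAction", "AA"}

# A PDF name is "/" followed by any bytes except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so J#61vaScript compares equal to JavaScript."""
    decoded = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def find_script_names(pdf_bytes: bytes) -> dict:
    """Return {name: count} for suspicious names seen in the raw bytes."""
    hits = {}
    for m in NAME_RE.finditer(pdf_bytes):
        name = decode_name(m.group(1))
        if name in SUSPICIOUS:
            hits[name] = hits.get(name, 0) + 1
    return hits


# Constructed sample: a catalog whose /OpenAction points at a script action,
# with the /JavaScript name partly hex-escaped to dodge a substring search.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\);) >>\nendobj\n"
)

if __name__ == "__main__":
    print("plain substring match:", b"/JavaScript" in SAMPLE)
    print("normalized name scan: ", find_script_names(SAMPLE))
```

A raw-byte scan cannot see names stored inside compressed object streams, so a clean result here only covers the uncompressed parts of the file.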
### Name Object Infinite Loops
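The `/Kids` and `/Next` reference loops this section covers can be found by treating indirect references as graph edges and searching for a cycle. This is an added example, not PDF Shield's own code; it assumes uncompressed objects, inline `/Kids` arrays and generation numbers that can be ignored, and the sample bytes are constructed.

```python
import re

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
KIDS_RE = re.compile(rb"/Kids\s*\[(.*?)\]", re.S)
NEXT_RE = re.compile(rb"/Next\s+(\d+)\s+\d+\s+R")
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")


def build_graph(pdf_bytes: bytes) -> dict:
    """Map object number -> object numbers it reaches via /Kids or /Next."""
    graph = {}
    for num, body in OBJ_RE.findall(pdf_bytes):
        targets = [int(n) for n in NEXT_RE.findall(body)]
        for kids in KIDS_RE.findall(body):
            targets += [int(n) for n in REF_RE.findall(kids)]
        graph[int(num)] = targets
    return graph


def find_cycle(graph: dict):
    """Return one reference cycle as a list of object numbers, or None."""
    # Iterative DFS: recursion depth must not depend on the scanned file.
    done, on_path = set(), set()
    for root in graph:
        if root in done:
            continue
        path, stack = [root], [iter(graph[root])]
        on_path.add(root)
        while stack:
            nxt = next(stack[-1], None)
            if nxt is None:          # all edges of the current node visited
                stack.pop()
                node = path.pop()
                on_path.discard(node)
                done.add(node)
            elif nxt in on_path:     # edge back into the current path
                return path[path.index(nxt):] + [nxt]
            elif nxt in graph and nxt not in done:
                path.append(nxt)
                on_path.add(nxt)
                stack.append(iter(graph[nxt]))
    return None


# Constructed sample: page-tree nodes 2 and 3 list each other as /Kids.
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
          b"3 0 obj\n<< /Type /Pages /Kids [2 0 R] /Count 1 >>\nendobj\n")
```

`find_cycle(build_graph(SAMPLE))` returns `[2, 3, 2]`; a well-formed page tree returns `None`.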
| Description | Defence Method | CVEs |
| ----------------------------------------------------- | -------------------------------------------------------- | -------------- |
| Caused by the Named Object "/Kids" | Notify the user that there is an infinite loop in the PDF | CVE-2007-0104 |
| Action loop caused by "/Next" | Notify the user that there is an infinite loop in the PDF | CVE-2007-0104 |
| Object streams may extend other "/ObjStms" | Notify the user that there is an infinite loop in the PDF | CVE-2007-0104 |
| Outline entries ("/Outlines") can refer to each other | Notify the user that there is an infinite loop in the PDF | CVE-2007-0104 |
| Incorrect object lifecycle | Notify the user that there is an infinite loop in the PDF | CVE-2018-18336 |
| Incorrect object lifecycle | Notify the user that there is an infinite loop in the PDF | CVE-2018-17481 |

### Deflate Bomb
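A deflate bomb can be flagged without ever holding the expanded data in memory by inflating each stream under a hard output cap. This is an added example, not PDF Shield's own code; the function names, the default 50 MB cap and the constructed sample (5 MB of zero bytes) are assumptions made for the illustration.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_capped(data: bytes, cap: int, chunk: int = 65536):
    """Inflate `data`, stopping once the output exceeds `cap` bytes.

    Returns (bytes_produced, hit_cap). Output is counted and discarded,
    so memory use stays near `chunk` whatever the stream expands to.
    """
    d = zlib.decompressobj()
    produced, buf = 0, data
    while not d.eof:
        out = d.decompress(buf, min(chunk, cap - produced + 1))
        produced += len(out)
        if produced > cap:
            return produced, True
        buf = d.unconsumed_tail
        if not buf and not out:
            break  # truncated stream: no input left and nothing produced
    return produced, False


def scan_streams(pdf_bytes: bytes, cap: int = 50 * 1024 * 1024):
    """Return (stream_index, compressed_len, produced, hit_cap) tuples."""
    results = []
    for i, m in enumerate(STREAM_RE.finditer(pdf_bytes)):
        raw = m.group(1)
        try:
            produced, hit = inflate_capped(raw, cap)
        except zlib.error:
            continue  # not zlib data (another filter, or uncompressed)
        results.append((i, len(raw), produced, hit))
    return results


def make_sample() -> bytes:
    """Constructed sample: one small stream and one 5 MB run of zeros."""
    small = zlib.compress(b"hello world")
    big = zlib.compress(b"\x00" * 5_000_000)
    parts = []
    for n, body in enumerate((small, big), start=1):
        parts.append(b"%d 0 obj\n<< /Filter /FlateDecode /Length %d >>\n"
                     b"stream\n" % (n, len(body)) + body
                     + b"\nendstream\nendobj\n")
    return b"%PDF-1.7\n" + b"".join(parts)
```

With `cap=1_000_000`, `scan_streams(make_sample())` reports the second stream as hitting the cap while its compressed size is only a few kilobytes.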
| Description | Defence Method | Related CVEs |
| ---------------------------------------------------------------- | --------------------------------------------------- | ------------- |
| Heap buffer overflow | Notify the user of a possible deflate bomb in the PDF | CVE-2020-6513 |
| PDFium does not properly handle certain out-of-memory conditions | Notify the user of a possible deflate bomb in the PDF | CVE-2015-1271 |

## How to Use
### I. Clone this repo and Automatically scan any downloaded PDF file
1. `git clone` this repository and don't forget to run `pip install -r requirements.txt`.
2. Execute the `main.py` file.
3. Now download a PDF file.
4. Sit back, relax, and wait for the scanning process to be completed.

### II. Manually drag-and-drop a PDF file for scanning
1. Download the [`PDF Shield` zipped file](https://github.com/whiteSHADOW1234/PDF_Shield/blob/main/output/PDF%20Shield.zip) located in the `output` directory.
2. Unzip it on your device.
3. Locate the `PDF Shield.exe` in the unzipped folder and right-click on it to `Create a Shortcut` on your Desktop.
4. Drag-and-drop the PDF you want to scan onto the icon.
5. Sit back, relax, and wait for the scanning process to be completed.

### III. Automatically scan any downloaded PDF file
1. Download the [`PDF Shield` zipped file](https://github.com/whiteSHADOW1234/PDF_Shield/blob/main/output/PDF%20Shield.zip) located in the `output` directory.
2. Unzip it on your device.
3. Double-click the `PDF Shield.exe` in the unzipped folder to start the scanning program.
4. Now, download a PDF file.
5. Sit back, relax, and wait for the scanning process to be completed.

## Demo
### JavaScript Embedded Attack
- *Take JavaScript Infinite Loop as an example*
[![JavaScript Embedded Attack](https://github.com/whiteSHADOW1234/PDF_Shield/assets/91242001/87b92dff-2596-47d6-87d4-f44b61217266)](https://youtu.be/YECyB_2DBI4)

### Name Object Infinite Loops
- *Take the PDFs from [RUB-NDS/PDF101](https://github.com/RUB-NDS/PDF101/tree/master/01-testsuite/01-dos/01-infinite-loop) as an example*
[![Name Object Infinite Loops](https://github.com/whiteSHADOW1234/PDF_Shield/assets/91242001/3be92f6b-04ff-42e0-b90d-3d3558ab7331)](https://youtu.be/fmv2-pQEf5s)

### Deflate Bomb
- *Take the PDFs from [RUB-NDS/PDF101](https://github.com/RUB-NDS/PDF101/tree/master/01-testsuite/01-dos/02-deflate-bomb) as an example*
[![Deflate Bomb](https://github.com/whiteSHADOW1234/PDF_Shield/assets/91242001/a2afce92-d8e9-4341-a9b1-7fc08350d4f9)](https://youtu.be/VrxnMXuYC44)

### Other Compound Attacks
- *Take `JavaScript Embedded Attack` plus `Deflate Bomb` as an example*
[![Other Compound Attacks](https://github.com/whiteSHADOW1234/PDF_Shield/assets/91242001/0186ff01-d10d-45f9-90bb-d09c939ef10c)](https://youtu.be/eGnJiNEzw_Q)

## References & Related News
- [PDF101](https://github.com/angea/PDF101)
- [ [TROOPERS15] Ange Albertini, Kurt Pfeifle - Advanced PDF Tricks ](https://www.youtube.com/watch?v=k9g9jZdjRcE&ab_channel=TROOPERSITSecurityConference)
- [Artifacts for "Portable Document Flaws 101" at Black Hat USA 2020](https://github.com/RUB-NDS/PDF101)
- [CVE searching results for "PDF"](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=PDF)
- [Malicious PDFs | Revealing the Techniques Behind the Attacks](https://www.sentinelone.com/blog/malicious-pdfs-revealing-techniques-behind-attacks/)
- [Common Tactics Used by Threat Actors to Weaponize PDFs](https://cybersecuritynews.com/threat-actors-weaponize-pdfs/)
- [How can I extract a JavaScript from a PDF file with a command line tool?](https://stackoverflow.com/questions/29342542/how-can-i-extract-a-javascript-from-a-pdf-file-with-a-command-line-tool)
- [Threat-Loaded: Malicious PDFs Never Go Out of Style](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/threat-loaded-malicious-pdfs-never-go-out-of-style/)
- [One of the easiest and most powerful ways to customize PDF files is by using JavaScript.](https://helpx.adobe.com/acrobat/using/add-debug-javascript.html)
- [Adobe Reader and Acrobat JavaScript Vulnerabilities](https://www.cisa.gov/news-events/alerts/2009/05/13/adobe-reader-and-acrobat-javascript-vulnerabilities)
- [Hackers Use Weaponized PDF Files to Attack Manufacturing, and Healthcare Organizations](https://cybersecuritynews.com/hackers-use-weaponized-pdf-files-to-attack-organizations/)
- [66% of malware delivered via PDF files in malicious emails: Report](https://ciso.economictimes.indiatimes.com/news/vulnerabilities-exploits/66-of-malware-delivered-via-pdf-files-in-malicious-emails-report/100837365)
- [How to protect yourself from the Adobe Reader PDF JavaScript Vulnerability](https://www.bleepingcomputer.com/forums/t/205515/how-to-protect-yourself-from-the-adobe-reader-pdf-javascript-vulnerability/)
- [PDFium](https://pdfium.googlesource.com/pdfium/)
- [Portable-Document-Flaws-101](https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2020/us-20-Mueller-Portable-Document-Flaws-101.pdf)

## Contributions
Contributions to the PDF DoS Detector are welcome. Whether it's bug fixes, feature enhancements, or other improvements, feel free to contribute to make the tool more effective in protecting users from PDF-based DoS attacks.

Stay secure, and happy browsing!