[okular] [Bug 416656] New: PDF Launch Action allows to execute Mono executables

Jens Mueller bugzilla_noreply at kde.org
Thu Jan 23 17:57:30 GMT 2020


https://bugs.kde.org/show_bug.cgi?id=416656

            Bug ID: 416656
           Summary: PDF Launch Action allows to execute Mono executables
           Product: okular
           Version: 1.3.3
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: PDF backend
          Assignee: okular-devel at kde.org
          Reporter: jens.a.mueller+kde at rub.de
  Target Milestone: ---

Created attachment 125340
  --> https://bugs.kde.org/attachment.cgi?id=125340&action=edit
PoC document to launch usr/lib/bless/bless.exe

The PDF specification defines the "Launch Action", which allows documents to
launch arbitrary applications. The file to be launched can either be specified
by a local path, a URL or a file embedded within the PDF document itself. The
standard does not provide any security considerations regarding this obviously
dangerous feature. Therefore, it is fair to say that PDF offers "command
execution by design" – if the standard is straightforwardly implemented.

Okular uses xdg-open to handle the file to be launched, thereby delegating the
security decision to a third-party application. On my Debian GNU/Linux test
system, this results in code execution with minimal user interaction: by
referencing a Windows .exe from a Link annotation, the file is executed with
`/usr/bin/mono`, an emulator for .NET executables, if the user clicks
somewhere in the document.

**Steps to reproduce:**

1. `# apt-get install bless`
2. `$ okular launch-linux-mono.pdf`

I'm not sure if this is a bug/misconfiguration in xdg-open. However, it is
debatable if security-focused PDF viewers should support the Launch action at
all. It is a dangerous feature mostly used to spread malware (primarily in the
Windows world). We recently conducted a large-scale study of 294.586 PDF
documents downloaded from the Internet, in order to research if there are any
legitimate use cases at all. Only 532 files (0.18%) contained a Launch action.
It can be concluded that the Launch action is rarely used in the wild and its
support is questionable in security-oriented PDF implementations.

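A triage check for the feature described in the report above, added here as an example; it is not code from the report, from Okular, or from the study's tooling. It flags `/S /Launch` action dictionaries in a PDF's bytes, including names written with `#XX` escapes and dictionaries inside Flate-compressed streams. The function names and the sample document are constructed for illustration, and the scan is a heuristic that does not cover encrypted files or other stream filters.

```python
import re
import zlib

_NAME = re.compile(rb"/[^\s/<>\[\]()%]+")             # one PDF name token
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")               # #XX escape inside a name
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
_LAUNCH = re.compile(rb"/S\s*/Launch(?![^\s/<>\[\]()%])")
_TARGET = re.compile(rb"/F\s*\(((?:\\.|[^\\()])*)\)")  # literal-string file target

# Constructed sample (not the PoC from the report): a plain Launch action, a
# harmless URI action, and a Launch action with an escaped name in a Flate stream.
_HIDDEN = zlib.compress(b"<< /S /L#61unch /F (/opt/example/b.exe) >>")
SAMPLE = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Subtype /Link /A << /S /Launch /F (/opt/example/a.exe) >> >>\nendobj\n"
    b"5 0 obj\n<< /Subtype /Link /A << /S /URI /URI (https://example.org/) >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n"
)

def _normalise(buf):
    """Decode #XX escapes in names so /L#61unch compares equal to /Launch."""
    unhex = lambda m: bytes([int(m.group(1), 16)])
    return _NAME.sub(lambda n: _HEX.sub(unhex, n.group(0)), buf)

def _regions(pdf):
    """Yield the raw file, then every stream body that inflates."""
    yield "file", pdf
    for i, m in enumerate(_STREAM.finditer(pdf)):
        try:
            yield f"stream#{i}", zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (image, font, other filter)

def find_launch_actions(pdf):
    """Return (where, target) for each /S /Launch action dictionary found."""
    hits = []
    for where, raw in _regions(pdf):
        buf = _normalise(raw)
        for m in _LAUNCH.finditer(buf):
            # Look for the target inside the enclosing indirect object, if any.
            start = max(buf.rfind(b"obj", 0, m.start()), 0)
            end = buf.find(b"endobj", m.end())
            obj = buf[start:end if end != -1 else len(buf)]
            t = _TARGET.search(obj)
            hits.append((where, t.group(1).decode("latin-1") if t else None))
    return hits
```

A hit with a target of `None` means the action's file specification is not a literal string in the same object and needs manual inspection.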