Hacker tips CERT's hand on Linux/PDF flaw

Confidential vulnerability information managed by the CERT Coordination Center has again been leaked to the public, following a flurry of such leaks in March.

The latest information concerns a flaw in PDF (Portable Document Format) readers for Unix and could allow a remote attacker to trick users into executing malicious code on their machines, according to a copy of the leaked vulnerability report.

As with confidential CERT information that was leaked in March, the latest report was posted to a vulnerability discussion list by an individual using the name "hack4life." The leaked information was taken from communication sent from CERT to software vendors affected by the PDF problem, according to Jeffrey Carpenter, manager of the CERT Coordination Center. The information appears to be from a vulnerability report submitted to CERT by a Cincinnati security researcher by the name of Martyn Gilmore.

Gilmore did not respond to requests for comment and CERT would not comment on how it obtained the PDF vulnerability information or on Gilmore's relationship with the Pittsburgh-based software vulnerability monitoring organization.

In the report, Gilmore describes a problem in the way that PDF viewing programs for the Unix platform process hyperlinks within valid PDF documents. When processing hyperlinks, common PDF readers use the Unix "shell" command (sh -c) to launch and pass commands to external programs. For example, clicking on a hyperlink for a Web page would launch the associated Web browser, according to the report.

However, Gilmore found that such programs do not properly check the syntax of such commands, enabling arbitrary shell commands to be executed on the vulnerable machine.

While attackers are limited by the privilege level of the user clicking the malicious link, the vulnerability could enable a remote attacker to use shell commands to delete files from the user's hard drive or perform other actions without the knowledge of the victim, the report said.

Adobe Systems' Acrobat Reader 5.06 is affected by the problem in addition to the open-source reader Xpdf 1.01, according to the report.

CERT declined to discuss the details of the vulnerability.

The vulnerability information was scheduled to be released by CERT on June 23, according to an e-mail message purporting to be from hack4life that prefaced the leaked report.

The release date was obtained from CERT communications with its vendors, as well, but CERT declined to comment on whether it would be releasing an advisory regarding the PDF problem on June 23, according to Carpenter.

Hack4life cited "college and exams" for the lull in leaked CERT information in recent months and hinted at the likelihood of more disclosures in the future.

"I'll have plenty of time to keep you all up to date with what those fools at CERT are up to once college is finished," hack4life wrote.

In March, someone using the same name posted information on four vulnerabilities that CERT was investigating to the vulnerability discussion list Full-Disclosure. Those posts included sensitive information on a vulnerability in the Kerberos Version 4 protocol and a problem reported by Microsoft Corp. regarding spammers' abuse of Web redirectors, which forward users of Web portals such as MSN IP (Internet Protocol) addresses close to their geographic location.

The PDF information was disclosed to CERT after the vulnerabilities were leaked in March, Carpenter said.

Contacted by e-mail in March, hack4life denied any affiliation with CERT and said that the reports were "stolen in a recent computer intrusion."

"Fun and amusement" was the primary motivation for stealing and leaking the vulnerability reports. A secondary motivation cited in e-mail by hack4life was anger over CERT's perceived failure to publish vulnerability information in a timely manner.

At the time, CERT officials cast doubt on hack4life's assertion that the reports were hacked, saying that the information was most likely leaked by a member of one of the development teams CERT works with to evaluate vulnerabilities.

The latest incident reaffirms CERT's belief that the problem lies with its vendors rather than with its own systems, Carpenter said. While CERT does not yet know which vendor is responsible for the leak, the organization is confident that an insider threat or compromise at one of the companies it deals with is responsible for the leaks, he said.

CERT is communicating with vendors about the problem, but Carpenter would not comment on whether CERT is working with law enforcement to catch the person responsible for the leaks.

"I'm not going to get into those specifics at this point," he said.

CERT plans to consult with affected vendors and discuss how to proceed now that the information is public, he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?