Sundar

Reputation: 4650

Find malicious PDF files using PHP validation?

Currently, the following actions are implemented for file validation:

But some PDF files contain malicious scripts, like JavaScript, to damage the system.

More details about the PDF attacks:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2992

Question: For this case, are there any recommended solutions?

Upvotes: 10

Views: 3485

Answers (3)

PD81

Reputation: 20691

Adding another answer, as the project below is much easier to use and is also able to find the CVE-2008-2992 vulnerability. I know you are asking about PHP, but you can simply run any script from PHP using, for example, escapeshellcmd.

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements; it supports all the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files.

https://github.com/jesparza/peepdf

Instructions: http://eternal-todo.com/tools/peepdf-pdf-analysis-tool

You use it like below, and at the end you get all problematic elements with CVE info:

$ ./peepdf.py -f fcexploit.pdf

File: fcexploit.pdf
MD5: 659cf4c6baa87b082227540047538c2a
SHA1: a93bf00077e761152d4ff8a695c423d14c9a66c9
Size: 25169 bytes
Version: 1.3
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 18
Streams: 5
Comments: 0
Errors: 1

Version 0:
    Catalog: 27
    Info: 11
    Objects (18): [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 22, 23, 24, 25, 26, 27, 28]
        Errors (2): [11, 25]
    Streams (5): [5, 7, 9, 10, 11]
        Encoded (4): [5, 7, 9, 10]
    Objects with JS code (1): [5]
    Suspicious elements:
        /OpenAction: [1]
        /JS: [4]
        /JavaScript: [4]
        getAnnots (CVE-2009-1492): [5] 

Upvotes: 1

PD81

Reputation: 20691

Take a look at this project: https://github.com/urule99/jsunpack-n - A Generic JavaScript Unpacker

jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input (also PDFs*).

Looking into this file, https://raw.githubusercontent.com/urule99/jsunpack-n/master/pre.js, it looks like it directly addresses your problem:

var util = {
    // stub that reports a util.printf call (the CVE-2008-2992 trigger) when the PDF's JavaScript is emulated
    printf : function(a,b){print ("//alert CVE-2008-2992 util.printf length ("+ a.length + "," + b.length + ")\n"); },
    // ... further stubs follow in pre.js
};

On upload I would feed the PDF into this tool and check the results.

Below are some interesting resources related to that vulnerability which explain everything in depth:

http://resources.infosecinstitute.com/hacking-pdf-part-1/

http://resources.infosecinstitute.com/hacking-pdf-part-2/

In part 2 of the article there is a fragment saying that you can use SpiderMonkey to execute pre.js (the file I mentioned earlier) to get info about the CVE:

js -f pre.js -f util_printf.pdf.out

//alert CVE-2008-2992 util.printf length (13,undefined)

Upvotes: 2

Perspective

Reputation: 632

I did this once a few years ago (no longer have code).

  • On upload
    • Scan the file for malicious code (similar to a virus scanner)
    • Deny or Allow file based on functional logic

Malicious code is usually hidden inside base64 functions inside the file meta, or uses char codes to render the malicious code.

You'll need to find a dictionary of common malicious code, or create your own, then open the file with PHP functionality and scan for items within your dictionary (array).

At this point, you're probably thinking that's not very optimized, or that it would be slow, etc.

This is correct; any time you add security, it does take a performance hit, but you could get around it by creating a new server that the files get uploaded to and scanned on, and then passed back to the original server, etc.

As far as scanners go, I'm sure you may find services or open-source code; I just found this one: https://github.com/mikestowe/Malicious-Code-Scanner/blob/master/phpMalCodeScanner.php (never used it, nor am I recommending it).

Upvotes: 2
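A PHP pre-filter in the spirit of the dictionary scan this answer describes, added here as an example (it is not code from any of the answers above; the function names, the name list and the inline sample PDF are my own constructions, and it assumes PHP 7 with the zlib extension). It flags the same object types peepdf lists as "suspicious elements", after decoding hex-escaped names and inflating FlateDecode streams so simple obfuscation does not hide them.

```php
<?php
// Added example: first-pass check an upload handler can run before accepting a
// PDF. No hits does NOT mean the file is safe (encryption, unknown exploits);
// use it as a pre-filter in front of a real analyser such as peepdf.

const PDF_SUSPICIOUS_NAMES = [
    '/OpenAction', '/AA', '/JavaScript', '/JS', '/Launch',
    '/EmbeddedFile', '/RichMedia',
];

// PDF names may use #xx hex escapes (e.g. /J#61vaScript), so decode them
// before matching; otherwise a trivially obfuscated name slips through.
function pdfDecodeNameEscapes(string $data): string
{
    return preg_replace_callback('/#([0-9A-Fa-f]{2})/',
        function ($m) { return chr(hexdec($m[1])); }, $data);
}

// FlateDecode streams are zlib data; inflate them so names inside object
// streams are visible too. Streams that fail to inflate are left as-is.
function pdfInflateStreams(string $data): string
{
    return preg_replace_callback('/stream\r?\n(.*?)\r?\nendstream/s', function ($m) {
        $plain = @gzuncompress($m[1]);
        return $plain === false ? $m[0] : "stream\n{$plain}\nendstream";
    }, $data);
}

// Returns [] when nothing is found, otherwise name => occurrence count.
function scanPdfForActiveContent(string $data): array
{
    if (strncmp($data, '%PDF-', 5) !== 0) {
        throw new InvalidArgumentException('not a PDF: missing %PDF- header');
    }
    $text = pdfDecodeNameEscapes(pdfInflateStreams($data));
    $hits = [];
    foreach (PDF_SUSPICIOUS_NAMES as $name) {
        // lookahead keeps /JS from matching the start of a longer name
        $n = preg_match_all('/' . preg_quote($name, '/') . '(?![A-Za-z0-9])/', $text);
        if ($n > 0) {
            $hits[$name] = $n;
        }
    }
    return $hits;
}

// Constructed sample (not a real exploit): an OpenAction pointing at a JS
// action whose /JavaScript name is hex-escaped.
$sample = "%PDF-1.3\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
        . "4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n";
print_r(scanPdfForActiveContent($sample)); // /OpenAction, /JavaScript, /JS => 1 each
```

In an upload handler, call `scanPdfForActiveContent(file_get_contents($_FILES['doc']['tmp_name']))` and reject the upload (or route it to the separate scanning host this answer suggests) when the returned array is non-empty.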
