
- Hey guys, how are you? Cool? So let's go. There's another group of people arriving, let's wait for them to get in position. Very good, there you are, here at B-Sides. Today we have a booth from ASION here, but taking the ASION shirt off, I'm one of the guys who represents a project called Debian in Brazil, so I'm going to bring a little bit of the community. Has anyone here already used Kali? Is there anyone with Kali there? So, turn it off, it's a joke. It's very cool.

The purpose of this talk, and I'll make a disclaimer, please: this is not for going home and doing this on your bank, okay? I'm really going to show you a very cool technique, so we'll understand how the PDF structure works, mainly how the OS says: "Dude, why is this a song? Why is this a PDF? How does the OS do this classification?" I'll show you how to make malicious code and tell the system that it's a PDF, okay? And we'll be able to execute remote code, and most importantly, we're going to upload this to VirusTotal. Has anyone here used VirusTotal to scan? It's standard, right? If you were at the phishing talk, if you receive an email, "Oh, a malicious boleto (bank payment slip)." Naturally, the security team will scan it to see if there's any problem. People are hearing me well, right? The first thing we do is check whether this file is malicious. I'll show you guys the technique of how to customize the bytes of the file and we'll pass it unharmed through VirusTotal. This is our challenge today. We're going to do an attack. I did a report to VirusTotal, but they didn't respond, so let's share the knowledge with you. Remote code execution in PDF. Let me see if I can pass it here.
Let me introduce myself a little bit. I'm Marcos Carvalho. Today I play for ASION, so I worked directly in the incident response and security team. I already had the privilege of blocking attacks that were broadcast in the media. So, you've seen: "Caixa Econômica offline, mega DDoS"; I was one of the guys who mitigated the attack. So I have this background of regs and BGP, too. It comes from a computer engineering chair; that's why I say, today there's a very cool footprint of AI, artificial intelligence, but the base is very important. There's a hacker friend of mine, Mercês, I think he will lecture here, and he says exactly that: the computer bases are very important. And that's what we're going to see, how we manipulate this file and manage to bypass large file systems.

In the community, I'll bring some more questions. So, if anyone has used Debian, I'm biased to say it, I maintain several packages in Debian. Including at the last H2HC, I was one of the few hackers who managed to replicate the attack of the pagers, which you will remember, that occurred in Israel. We presented it at H2HC, in the Debian Village. There is also my package in Kali, so if anyone has Kali and runs apt info asn, my name will appear, and I am the guy who maintains this network tool in Kali. It's very cool to do BGP numbering, so it's a little bit of the old brand that I'm going to present to you, okay? Very cool.

I think this B-Sides thing is cool, that we bring this cultural issue of hackers. It's very cool that we're together. So I'm taking off my jacket and let's talk about community. Why do we use this symbol, the Glider? Does anyone know what it means? Have you heard of it? I think it's cool because you go home and say, "It's cool, I want to say that the hackers, the crazy ones, keep using this." So, it was Eric Raymond. I think it's cool to bring this cultural issue of history, because from now on, when you see the Glider, someone with stickers on the notebook, a tattoo like me... I'll talk a little about RC there, I've already made a lot of contributions there, but basically it was this guy who proposed it. We need a symbol to represent the hacker culture, so it was this guy; the open source philosophy was also attributed to this guy here, okay?

Talking a little bit about my area of operation within ASION, so, including, there are people from GRU here, our partner here, so, this stack that ASION acts on today, but I'll go through quickly because the idea is not to talk so much about ASION today, okay?

- But basically, today, what do bank features allow you to do? Upload a PDF file and automatically it can parse the digital line. So, automatically, it already takes: "Oh, it was you who made the purchase on Mercado Livre, for example, here is the digital line, make the payment." Then comes the hacker side of things. I said, "Man, I need to study how this parsing system works. How can the application identify the exact line that has the line for us to pay our boleto and everything else?" Research. Basically, what did I find out? The application starts, so, like this: today several stacks will run, .NET mainly, the Microsoft ecosystem, PHP systems, even using the JavaScript stack, but basically it will parse the file, and it will validate, guess, byte by byte of the file. When it arrives at the digital line, "oops, cool, this one I have to get, send it to an API and make the payment." I said, "cool." If I could enumerate this stack that is running, if it is running in PHP, what happens? So the hacker logic came. If I put PHP code in the bytes of the file, guess what? I sent my boleto, harmless, and it started: "Oh, cool, PDF, cute, I know it." When it arrived at the byte where I injected the malicious code, guess what? It executed in the infra that was processing the file. I said, "Man, that's awesome." Then came the whole research issue. So, it's really cool.

You've heard this question, "A ransomware that encrypted a whole database." Then the teams: "But the EDR didn't catch anything, we didn't have an attack attempt, but it has the whole system encrypted." When we upload a boleto there on the bank app, mainly, this file has already been processed, it was paid, it will not stay there for the rest of its life; it will be stored in a database, but there's a routine system that does a sanitization of the database. So, look how cool, you send an innocent file, you hacker, because you know that in a month a routine will run and if this file has malicious code, guess what, it's a problem. So, that's a little bit of what we're going to see today, okay?
Fundamental question, remember that I talk about the bases, cool: what crap is this? What is a file? How does the OS know how to differentiate between a PDF, an image, and a music file? I don't know if you will be able to see, but it's cool that I'm bringing commands, including ones you will be able to run on your Kali, on Debian, mainly, okay? But basically there is a database called MIME_TYPE, okay? Every operating system has to have this guy. When you run file on the file name, it uses this database; if some byte sequence, like the magic numbers, matches that base, it will say: "This is a PDF, this is a song." Why am I bringing this base? Because this is the type of bypass we're going to do. So we're going to open a shell here, I'm going to create a script, I'm going to run file, and the system will say: "This is a text file."

- There are incredible projects, Arch Linux; I'm from Debian but I defend other distributions. So we have to get out of here with our minds very open, okay? We have to know how to explore technology and there will be that software that will better serve you in a certain situation, okay? So you have to stop with this business. I even have Windows at home, I have FreeBSD, everything to do research, okay?

I brought a diagram for you, so what are we going to do? We have a guy from Bausch too, very good to be here at the talk. We take this file, manipulate it, send it, so basically with this simple change we will be able to gain access within an application, and most importantly, VirusTotal will not identify it. I will even tell you what VirusTotal validates and why it cannot identify this file as malicious. Very important. There is AI, and I will even show, I created an artificial intelligence model that we will bypass. It's cool to tell you that AI is not everything. It is very important for you to have a base, especially the concepts of software engineering, network engineering, because all these concepts will help you understand how the stack works and follow with the attack. I'm bringing this knowledge to you, not so you leave here and say, "I'm going to get to Itaú, Bradesco, and I'm going to do..." No, it's for you to know that there is this flaw and that we have a mega important job to do to mitigate and correct this flaw, okay?
This one was developed by Richard Stallman. I read this work, I think, twice, whole. It has 262 pages, okay? Incredible, guys, this work, okay? It's something I say: you will be able to manipulate and make this type of attack if you understand it very well at low level. It's really hard, you have to get a weekend, take your beer there, whoever drinks, right? I love it. And study. That's exactly the process of the hacker; being a hacker is this, we are very curious, okay? It's okay, there's AI, why do I talk so much about AI? I see a trend, people are stopping studying, and this is very important. Every weekend I have my laboratory with an oscilloscope to do hardware hacking. So, it's something you have to have, this habit of studying, okay?

A cool thing: there's a project from Mente Binária, the guys took the Stallman project and already translated it into Portuguese, look how cool, I even thanked Mercês for the work. So, the work of the hacker is also to recognize other community issues. Mente Binária is not sponsoring my talk or anything like that, but it's cool to share that there's a really cool project, right? They took the Stallman book and are already translating it into Portuguese, look how cool, right? And with a much more accessible language. So, like, whoever wants to access the Stallman book, which is in English, very complete, there's also a version at Mente Binária in Portuguese, okay? Very cool, this Mente Binária project, okay? This guy wrote this. When you see GNU Linux, GNU software, it was practically Stallman who created the Free Software Foundation along with other hackers. So, cool.
It's time to mess with the system, so I'm going to open a shell here, but basically it's the following: what are you going to need? Guys, don't criticize me, there are people who like to use VS Code, Neovim, I love it too, I'm hacker culture, I like to use Emacs, my Emacs there, it serves me very well. But basically you will need a shell to do this attack in a controlled laboratory. You will need a shell, whether it's Linux or your own macOS, for example; the file command, hexdump and a text editor. Why am I using Emacs? Because it has a feature that lets you edit the bytes of a file. You could use nvim -b and do the same thing. I like it, it's nice, I like to use Emacs. And here, guys, it's VirusTotal, it has a feature to upload, so we're going to start playing and let's do an upload to VirusTotal, let's see what it returns to us, okay?

Look how cool, I have a file here, boleto.pdf, so what are we going to do? I'm going to run the file command on boleto.pdf. Look how cool, the operating system said: "Marcos, this is a PDF file." Ok, but how do they know? So let's create a PHP file here. I even created a laboratory; I'm not going to do it in the banking system, obviously, but I brought it here to exemplify for you, ok? So let's create a payload here. I'm just going to call it "file". I'm going to do it, as I can't support it, ok guys? For those who are in cyber, this is a typical command, it's the following: this here, we will inject into the bytes of the file, we will do the upload. So, there will be that parsing process when it arrives at the line. But you will see that if we pass this file this way to VirusTotal, man, it will identify it. This is already mapped. So, let's do a test, okay?
But look, my idea is to transform this here into a PDF. So, as it is a txt, the system is saying: "Man, this is an ASCII file, from the ASCII table, it's binary, it's a string," so let's try to manipulate it. Will I be able to change only the file extension and transform it into a PDF? Let's see. This is very cool in Linux, sometimes when you need to rename a file, you already pass the little shortcut here, so you can use the keys to advance, okay? Let me give it an ls. Done, it turned into file.pdf. Let's see, let's run file on it up there to see what it turned into. You think the operating system is stupid? You fool, you just changed the file extension, but its architecture is still a text file. Why is it cool? In that book I talked about, low-level programming, it also goes through the MIME types, the magic numbers that we can manipulate. So, that's why I recommend reading it, guys. So, let me open the file again.
Look, you noticed that I put a header, %PDF and the version of the file. It's very important; let me do a quick cat here. So the cat command shows what's inside a file. Let me give it a -A because it's binary. Look how cool. What I injected, %PDF, is a way for me to tell the system, "Dude, this is a PDF." So it will consult that MIME type base and say, "Cool, this is really a PDF." What is the question? When you upload to a system that will validate this file, it also says, "Man, the version that my system is able to process for this file is version 1.4." You who know Python, you will open a shell there, you will put the string "a" times one million. Do you know what Python will do for us? That's why I like Python. It will do one million "a" letters, for example, or the number one, you can put a string. What can we do? I can get Python and instead of 1.4, . We won't do this in the real system, but this is vulnerable and exists. Even companies that are registered on HackerOne can take a report. So, get the concept here, it's very cool. Even manipulating the version. When you upload the file, the version is 1.4; for it to do this validation, it needs to allocate memory to validate. So, if you burst this number here, put an absurd number, very big, if there is no memory protection, you will generate, boom, the memory is blown. So you can get the stack that is running, see which memory offset has leaked, understand that it is the reverse, that you are agreeing. So you can also manipulate the system memory and inject malicious code, look, from a miserable PDF, okay?

But let's do the following, I'll go back here to VirusTotal, so I'll access VirusTotal here. Look how cool! This is the standard flow, so when you receive that malicious file by email, man, it's natural, we come here, I'm going to do the upload, so I'm here in the "B-Sides" folder that I created, go to the PDF, I've already done so many tests and failed again here sending the file, so let's select here. What does VirusTotal do? It compares with a signature base and says, if your file has already been mapped at some point, including this attack, some players will detect it, let's wait there, okay? But basically it will validate the extension of the file, so .pdf, .exe, .php; PHP can't, man. So it will validate several questions, okay? Let's hope it's scanning there, but basically it validates these signatures, okay? While it's scanning there, this one, for example, didn't get it, okay? If we go back, let's edit the file here, I'll do this test with you, we send it there, another payload. There is also an option in PHP where you can pass it through the GET parameter. Cool, I take the parameter in the URL and try to execute it as a system function. Let's do this, let's see how VirusTotal behaves.
Why am I going to put the URL? Usually the pentesters, the staff always put cmd, this is already mapped by VirusTotal, so we have to try, that is, the user will pass me a parameter in the URL field, and if this parameter really arrives, I will execute it in a system function, okay? Let me go back here to the PDF header, I ended up deleting it. Let's do a new upload here, select the file, look, some players already got me, so if you try to do it, "I want to do a ransomware attack," no, let's do it, okay? "I want to encrypt a database, but in my little file, so some questions the players will get."
You, as good hackers, will say, "Okay, cool, but how can an illegitimate PDF then enter my system?" We have to say, "Cool, you kicked the bucket, you put a PHP there, it's obvious, several players will get you." I'll give you a mindset. We can use a LibreOffice file, we can use Google Docs, we create a PDF with anything, but underneath this file we manipulate it and put our payload. So let's do this. I'll open my Docs here. So basically I created an extremely fictitious boleto here, just for demonstration here at B-Sides, but basically what I'm going to do, I'm going to generate; Google Docs, for example, has an option to generate and export files as PDF. And we're going to validate. What the hell does it put inside this PDF? You will see that a PDF is extremely complex. It has bytes that never end. A tiny file that has a lot of things. So let's generate this file. So I come here to File, Download. It has a PDF option here. Remembering that with this technique here, you could use other software. I'm showing it with Google Docs, the stack most used today. There are companies, okay? I'm going to select my B-Sides file here. And let's open this file. Let me give it an ls here.

Guys, this is a PDF. It is composed of several instructions, including the font size, and each field of this one you can also manipulate. It is very common today: you do the upload sometimes in a selection process, you send your resume, the system automatically takes your email, it is allocating memory. How will it validate whether the email is valid or not? It is a field that you can change in the PDF. So, these are questions that we can validate. Let me close quickly, because we are almost on time.
This file here, I'm going to inject malicious code into it, a PHP, I uploaded a system in DVWA so we can validate it. Why? When you pass bytes to a model, it can't work. We know that AI can work very well with natural language. If you pass bytes to an AI, man, it will hallucinate and tell you fried potatoes and a lot of things, less than you need. So, it's a question that we need to work on to have a specific model for binary validation. We can even discuss this calmly. So, let's make a quick attack for you to see.
This attack I did, basically I'm going to do an upload to a vulnerable system here, ok guys? So I have an application here running DVWA. And look, here is to demonstrate to you, ok, at first an infected PDF does not cause damage to your system. But remember, if you have a routine that will sanitize your database and have a partition system, yes, it can be executed. So this is an index that I want to bring to you, and very important. How are you going to be able to open a PDF and work on it from now on? This is the idea I wanted to bring to you. If we ask for this file, including here for DVWA, here, by the way, this application has a file inclusion flaw that I can open, but just to demonstrate here. Look, it called my PDF file. Let's see if you look here. But look at the shit that happened, folks. Down here we will see that there will be an /etc/passwd file in this file. Let me see. Trolled by Emacs, it replaced it. Let's do the upload here.
So basically here I will simulate the inclusion of a file just to show you that it can be executed, ok guys? Look how cool, for those who have already seen it, something strange has already appeared. A tip, when you are simulating in a browser, you can do the following: I will open this here, look, "view page source", a golden tip for those who do pentests, ok? So come here to my page, "view page source", it will format it here for us, and look how magical, guys. This is the Linux /etc file. Here I could use the Shor algorithm, for example, assembly-based, to encrypt a database, to encrypt the file system. Here it was exactly a POC. I'm not going to do exactly the process I did in the bank application, but you have the base very well. I just ask, you won't do it in the system. But the idea is basically this. Let me go back to the presentation.
Here is an example of how we could mitigate, the payload inspection. And guys, there's something really cool. Besides this part that I brought about exploitation, there's something really good. There's a job vacancy at ASION. I think it's cool. If you're good in security, if you have this culture of wanting to contribute, I'll share the QR code with you. So, go to the ASION website, if you have a match, I want to contribute with network systems. So, besides this community issue that I'm here with you talking about Debian, about hacktivism, go there, there's a nice spot that can give you a match. So, besides bringing this community issue, I went to B-Sides and there's a possible opportunity that I can act and contribute, okay, guys? I'm going to share here with you the link... from ASION and our Discord. I wanted to exchange ideas with Marcos and the team, to see the vacancy issue. I'll leave the QR code to get in touch with us. The talk is over, call me and we'll talk about several issues. I believe I managed to bring you a cool question. Thank you very much.

- Very good. Congratulations, Marcos. Guys, now I'd like to call the next talk, from Jardel Matias. Jardel, are you here?
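An added Python example (not code from the talk, nor any bank's parser) showing why the magic-number classification the speaker describes accepts a script with a "%PDF-1.4" header bolted on, and what a stricter upload check looks like: a bounded version read, object/trailer structure, nothing after %%EOF, and a scan for script tags. The sample PDF bytes, the PHP marker string and the function names are constructed for this illustration.

```python
import re

# Constructed samples (not the files from the talk's demo).
MINIMAL_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Size 3 /Root 1 0 R >>\n%%EOF\n"
)
PHP_MARKER = b"<?php /* constructed marker, stands in for a payload */ ?>\n"
HEADER_ONLY = b"%PDF-1.4\n" + PHP_MARKER             # text file with a PDF header in front
APPENDED = MINIMAL_PDF + PHP_MARKER                  # real-looking PDF with data after %%EOF
VERSION_BLOWUP = b"%PDF-1." + b"4" * 10000 + b"\n"   # absurdly long version field


def sniff_type(data: bytes) -> str:
    """Magic-number classification in the spirit of file(1) and MIME databases.

    Only the leading bytes are inspected, which is exactly why prepending
    '%PDF-1.4' to a script is enough to be labelled application/pdf.
    """
    if data.startswith(b"%PDF-"):
        return "application/pdf"
    if all(32 <= b < 127 or b in b"\t\n\r" for b in data):
        return "text/plain"
    return "application/octet-stream"


HEADER_RE = re.compile(rb"^%PDF-(\d)\.(\d)\r?\n")
SCRIPT_MARKERS = (b"<?php", b"<?=")


def validate_pdf_upload(data: bytes) -> tuple[bool, str]:
    """Structural checks an upload handler should apply before a PDF is stored,
    parsed, or handed to anything that could interpret it."""
    # 1. Header: fixed-width version read, so an oversized version field is
    #    rejected instead of being parsed or allocated for.
    m = HEADER_RE.match(data[:16])
    if not m:
        return False, "missing or malformed %PDF-x.y header"
    major, minor = int(m.group(1)), int(m.group(2))
    if major != 1 or minor > 7:
        return False, f"unsupported PDF version {major}.{minor}"
    # 2. Body: a PDF is objects plus a trailer, not a header in front of text.
    if b" obj" not in data or b"endobj" not in data or b"trailer" not in data:
        return False, "no PDF object/trailer structure"
    # 3. Trailer: %%EOF must be the last thing; bytes appended after it
    #    (the usual place to hide a payload) fail the check.
    if not data.rstrip(b" \t\r\n").endswith(b"%%EOF"):
        return False, "missing %%EOF or data appended after it"
    # 4. Content: server-side script tags have no business anywhere in a PDF.
    low = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in low:
            return False, f"script marker {marker.decode()} found"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in [("MINIMAL_PDF", MINIMAL_PDF), ("HEADER_ONLY", HEADER_ONLY),
                       ("APPENDED", APPENDED), ("VERSION_BLOWUP", VERSION_BLOWUP)]:
        print(f"{name:15} sniff={sniff_type(blob):22} validate={validate_pdf_upload(blob)}")
```

Step 4 only sees markers that sit uncompressed in the bytes, so treat the whole routine as defense in depth: the root cause in the demo is the file inclusion flaw that lets an uploaded file reach the PHP interpreter at all.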