
CERT Coordination Center

Various UNIX and Linux PDF readers/viewers execute commands embedded within hyperlinks

Vulnerability Note VU#200132

Original Release Date: 2003-06-18 | Last Revised: 2003-09-26

Overview

A vulnerability in various UNIX and Linux PDF viewers/readers may allow a remote attacker to execute arbitrary commands on the system of a user who opens a malicious PDF document and follows a hyperlink in it.

Description

Adobe Systems Incorporated describes PDF (Portable Document Format) as "a universal file format that preserves the fonts, images, graphics, and layout of any source document, regardless of the application and platform used to create it." A viewer such as Adobe Reader or Xpdf is needed to view a document encoded in PDF. Various PDF viewers are widely deployed on the Internet. Quoting from the Adobe Systems Incorporated web site:

Governments and enterprises around the world have adopted PDF to streamline document management, increase productivity, and reduce reliance on paper....An open file format specification, PDF is available to anyone who wants to develop tools to create, view, or manipulate PDF documents. Indeed, more than 1,800 vendors offer PDF-based solutions, ensuring that organizations that adopt the PDF standard have a variety of tools to leverage the Portable Document Format and to customize document processes.

When a victim clicks on a hyperlink contained within a malicious PDF file, an attacker may be able to execute arbitrary commands with the privileges of the victim. This is possible because some UNIX and Linux PDF readers/viewers handle hyperlinks by interpolating the link's URI into a command line and passing that string to the shell command interpreter (typically via system() or an equivalent) to launch an external program such as a web browser. Shell metacharacters embedded in the URI, such as backquotes or semicolons, are therefore interpreted by the shell as commands rather than passed through as part of the link target.

Impact

A remote attacker who can persuade a user to open a malicious PDF file and follow a hyperlink in it may be able to execute arbitrary commands with the privileges of that user.

Solution

Apply a patch when available. Until then, do not follow hyperlinks in PDF files from untrusted sources, and where the viewer allows it, disable or restrict the external command used to open URLs (in Xpdf this is the urlCommand option in xpdfrc).

Vendor Information



Acknowledgements

This vulnerability was discovered by Martyn Gilmore. The CERT/CC thanks Martyn, Adobe, and the folks responsible for the Xpdf project.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2003-0434
Severity Metric: 37.97
Date Public: 2003-06-13
Date First Published: 2003-06-18
Date Last Updated: 2003-09-26 15:44 UTC
Document Revision: 27

Sponsored by CISA.