PDF Launch Action allows execution of Mono executables
The PDF specification defines the "Launch Action", which allows documents to launch arbitrary applications. The file to be launched can either be specified by a local path, a URL or a file embedded within the PDF document itself. The standard does not provide any security considerations regarding this obviously dangerous feature. Therefore, it is fair to say that PDF offers "command execution by design" – if the standard is straightforwardly implemented.
Evince uses xdg-open to handle the file to be launched, thereby delegating the security decision to a third-party application. On my Debian GNU/Linux test system, this results in code execution with minimal user interaction: by referencing a Windows .exe from a Link annotation, the file is executed with /usr/bin/mono, an emulator for .NET executables, if the user clicks somewhere in the document.
Steps to reproduce:
# apt-get install bless
$ evince launch-linux-mono.pdf
I'm not sure if this is a bug/misconfiguration in xdg-open. However, it is debatable if security-focused PDF viewers should support the Launch action at all. It is a dangerous feature mostly used to spread malware (primarily in the Windows world). We recently conducted a large-scale study of 294.586 PDF documents downloaded from the Internet, in order to research if there are any legitimate use cases at all. Only 532 files (0.18%) contained a Launch action. It can be concluded that the Launch action is rarely used in the wild and its support is questionable in security-oriented PDF implementations.
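A defender-side check for the feature discussed above, as an added example that is not part of the original report or of Evince: it counts "/S /Launch" action entries in a PDF, decoding hex-escaped names and looking inside Flate-compressed streams. The function names and the sample fragments are constructed for illustration.

```python
import re
import zlib

# PDF names may hex-escape any character (#61 == "a"), so decode before matching.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Action-type entry "/S /Launch"; whitespace between key and name is optional.
_LAUNCH = re.compile(rb"/S\s*/Launch(?![A-Za-z0-9])")
# Stream bodies, so actions packed into compressed object streams are seen too.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def _chunks(data: bytes):
    """Yield the file with stream bodies cut out, then each stream body."""
    yield _STREAM.sub(b"", data)
    for match in _STREAM.finditer(data):
        body = match.group(1)
        try:
            # decompressobj tolerates the end-of-line bytes left before "endstream"
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # unfiltered or non-Flate stream: scan the bytes as they are


def count_launch_actions(data: bytes) -> int:
    """Count "/S /Launch" entries in a PDF, including Flate-compressed streams."""
    total = 0
    for chunk in _chunks(data):
        decoded = _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), chunk)
        total += len(_LAUNCH.findall(decoded))
    return total


# Constructed PDF fragments (not taken from the report's launch-linux-mono.pdf).
PLAIN = b"1 0 obj\n<< /Type /Action /S /Launch /F (sample.exe) >>\nendobj\n"
ESCAPED = b"1 0 obj\n<< /S /L#61unch /F (sample.exe) >>\nendobj\n"
PACKED = (b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S/Launch /F (sample.exe) >>")
          + b"\nendstream\nendobj\n")
BENIGN = b"3 0 obj\n<< /S /URI /URI (https://example.org/) >>\nendobj\n"

if __name__ == "__main__":
    for name in ("PLAIN", "ESCAPED", "PACKED", "BENIGN"):
        print(name, count_launch_actions(globals()[name]))
```

Encrypted documents and streams using filters other than Flate are not decoded here, so a count of zero does not prove a file is free of Launch actions.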