Actions in the Portable Document Format (PDF)

The PDF format is becoming more and more (in)famous due to the lately published vulnerabilities in Adobe products allowing the execution of arbitrary code in the system. Now I don't want to write about these malicious files but I'll do it in future posts.

After the brief comments about the objects we can find in a document of this type and its physic and logic structure I'm going to follow with the actions that can be executed in background. The PDF files aren't static documents but it's possible to specify some kind of programming depending on the user actions. This is where the security problem arises and that becomes a simple PDF in a potential malcode with high probabilities of being executed.

A PDF action is a dictionary object which can contain the following elements:

  • /Type: it's optional and it's used to specify the object type of the dictionary. In this case it's Action.
     
  • /S: it's an obligatory element that defines the type of the action we want to do.
     
  • /Next: it's optional too and specifies the next action or actions to be executed.

 

 

Beside this, depending on the action type, the number of elements that can be included within the dictionary increase, allowing a better control over the actions. The action types we can find are listed here:

  • GoTo: put the application focus on other part of the document.
  • GoToR: put the application focus on other part of a document different to the actual one.
  • GoToE: it allows to redirect from/to a embedded PDF file.
  • Launch: it executes an applications or read or print a document.
  • Thread: it jumps to an article within the document.
  • URI: with this action it's possible to access to web pages or remote resources.
  • Sound: it plays the specified sound.
  • Movie: it plays the specified movie.
  • Hide: it's an action that hides or shows the specified annotation/s.
  • Named: it executes an action predefined  by the PDF reader.
  • SubmitForm: it sends the existent form data to a given URL.
  • ResetForm: this action changes the values of the form fields to default.
  • ImportData: the function of this action is to import data from a file to the document.
  • JavaScript: it executes Javascript code.
  • SetOCGState: it sets the state of a group of optional components (graphic elements located in the document).
  • Rendition: it controls the reproduction of multimedia content.
  • Trans: this action allows to control the graphic transition between several actions.
  • GoTo3DView: it identifies a 3D annotation and specifies a type of view to use.

 

The trigger of these actions is variable, depending on their location which is used to be an annotation or any object in the document outline. In these cases the action follows the /A element and it's executed when the container object is activated. They can also be located within an annotation, in a page or in an interactive form field following the /AA (Additional Actions) element and their execution depends on the chosen options. This way it's possible to execute actions when the mouse enters or exits from an annotation part, when certain page of the document is being viewed, or when the value of a form field is modified, among others. As well it's possible to execute an action when we open the document through the /OpenAction element, located in the document catalog.

As you can see the actions are very powerful. This post wanted to be an introduction to the execution of actions in a PDF document, in next posts I'll try to explain some of them from a practical perspective.