[davidsong]

There are several ebooks that have been uploaded to libgen that contain PDF exploits, and from what I understand there's no way to remove them.

The way that their library database works is by linking a book number to a file's md5 sum. On the filesystem they are stored something like `$drive:\$batch\$sum` where `$drive` is a Windows drive letter, `$batch` is the primary key of the document rounded to the nearest 1k, 10k or 100k depending on collection and `$sum` is the `md5sum` of the file data. The archive's file data is shared via torrents, usenet and other means in those batches, and to keep that in sync they have a policy of the primary key and sum of each file being immutable.

So if you do happen to download the literary works of mankind via their torrents, you have to do so with your antivirus turned off and hope nobody has uploaded anything too illegal over the last decade.

[mediocrejoker]

I could be wrong but I think technically a PDF exploit only affects a single viewer program, like Acrobat on windows, right?

[davidsong]

Well yes, and in this case we're talking files that contain an exploit for a version of Acrobat from 2006 or so and an infection vector that only works on Windows XP, and connects to a botnet that is either long dead or now an NSA/CIA asset.

But Windows Defender quite rightly still quarantines the file.

[heathl]

It would depend on the exploit. For a simple example, an exploit that was a result of a flaw in the file specification could result in it being cross platform.

It's going to be rarer to find something of that scope, maybe even to the point of you being effectively right.

[davidsong]

Also dodgy files can contain multiple exploits, potentially for different platforms. Problem here from the malicious actor's point of view is that each vector for attack is also a vector for detection, so rather than a cesspool of exploits it makes more sense to use single new and mostly unknown exploit that targets software used by the greatest number of victims.

[_cereal]

It depends on the exploit and on the reader. If, for example, the reader supports javascript then it can be attacked, apart from other weaknesses. Chrome on Linux executes javascript in PDF, while Firefox does not.

Here is an example file: https://we.tl/q90gXERGmx

Built with https://github.com/cornerpirate/JS2PDFInjector

[sandov]

Or don't use a vulnerable PDF viewer, or OS.

[davidsong]

Or put it anywhere a vulnerable PDF viewer or OS might stumble upon, where an overzealous scanner has write access to, or where some snitch might grab a copy from and blacklist your domains.