1

I opened a PDF in IceCat like this: icecat x.pdf

Files started being produced in home.

Here are the invalid encoded files that were produced some short while after opening the PDF (assuming, as I scrolled, data loaded and was accidentally dumped due to a > in the PDF):

/home/myhome/

-rw-rw-r--.  1 username  username             0 Aug 29 13:55 'i'$'\340''Дx}'$'\263\273\300\303''G딷ȍ'$'\251''K'$'\210\352\224''v'$'\023''j'$'\257\344''݃'$'\020''a'$'\001\224''a'$'\234''_'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 '4'$'\373\332''uK'$'\035\376\022\353\006\236'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 ''$'\352\223''O'$'\326''͞'$'\177'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 '6'$'\305'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 ''$'\366''_'$'\376\246\362\023\362''I'$'\207''hM'$'\242\024''^'$'\207\266\177''wI'$'\372''0'$'\200\373\230\177''9^þ'$'\305\360''?'$'\277\341''5^'$'\375\251''s'$'\322\313'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 ''$'\312''x'$'\244\343\371''Ͼx'$'\246''e'$'\317\030\232\362\335'
-rw-rw-r--.  1 username  username           173 Aug 29 13:55 '2f'$'\201''^'$'\004'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 'C-ًm'$'\326'':'$'\a''-]G_R'$'\216''V݄'$'\021\342'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 '%'$'\024\212''b'$'\223\342\325''t'$'\211\260\027''ט8'$'\036\357\304\325''+'$'\005''F'$'\220''v'$'\344\302\206\343\030\004\017\231\f\225\261\251''Pd'$'\030''F'$'\335\310\021\265''Ç'$'\325''TWUF+ʇ'$'\224\225\226\024\027\025\026\344\347\345\346''dgE2á'$'\214\364\264''Ԕ'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 ''$'\177\305\362\335'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 'g]'$'\354'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 ''$'\002\374\a\372\030\360''gt'$'\006'''$'\240\277\305\336''B'$'\227''ѧ'$'\200\377''D'$'\237\001\376'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 ''$'\035\032''zQ'$'\241\234\213''6w'$'\214\306\355''R!'$'\202\336\312''G'$'\217\253''k^|'$'\312''d'$'\024''0ݪzV'$'\211''+'$'\315\032''ҳY'$'\223''tR'$'\203\022\252\f\275\325\341\355\024''7'$'\333\327\006''D'$'\370''-'$'\300''p'$'\222''ކ'$'\r'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 ''$'\270\353\256''W'$'\226\033\032''3'$'\021\303\360\030\371\017''F'$'\262\034''I'$'\346''k$'$'\327''b'$'\357\a\234''iJu'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 'stream'$'\r'
-rw-rw-r--.  1 username  username             0 Aug 29 13:55 'XY'$'\276''D'$'\364\220\267''+'$'\273\370\265''r'$'\006''Φ'

I see one file 173 bytes which contains:

user@host$ cat '2f�^^D'
/DIRECTORY/THE_PDF_I_OPENED.pdf: line 2: $'=\034F\202\320X\377\342\372P\027i\r\215\355jX\271x\303\330\326z\274\334N\223': command not found
idonteven
  • 187
  • 12
  • 1
    Looks like the PDF was executed as if it was a shell script. Wherever there was a `>` in the file, the shell would have interpreted it as a file redirection and then taken the binary rubbish afterwards as the filename. – Stephen Harris Aug 29 '20 at 19:54
  • 1
    Wow nice observation. OK then. I guess icecat is probably not the best PDF reader then – idonteven Aug 29 '20 at 20:06

0 Answers0