DANGER, DANGER, DANGER
The WEB has gone crazy. I know that this is not news for some of you but you will be surprised to what extend this craziness has just developed. It seams that the entire WEB is falling apart and someone has to do something otherwise we risk to lose too much. Among the traditional QuickTime Movie, QTL, Flash, Image, HTML and PDF backdoors, there is another one trivially achievable with high degree of impact.
WEB backdoors or backdoors that affect WEB content, if you like, have developed in the past year a lot. This phenomenon is due to many things although we should really give the honer to the quick development of the AJAX technologies. Because of the AJAX growth, malicious minds and security experts started to really pay attention on what is happening with the WEB. And what is that? Obviously, our WEB is a very fragile baby and unsurprisingly nobody knows how to deal with it.
So we changed a lot of diapers last year. Simple things we do suddenly have become very dangerous and risky. If you think that user supplied Image files are safe, think again. There were several attacks affecting social networks and a couple of very successful AJAX worms, again affecting social networks, during the last year. However, it seams that we haven’t really scratch the surface yet.
Back in September 2006 David and I had a small adventure with Adobe’s PDF technology. David made several issues with JavaScript for PDF publicly available and the findings were quite shocking for many corporate minds. Today, it seams that a new wave of PDF related attacks emerges from the ashes but this time, oh my… In my mind I can expand the full potentials of what I am about to expose to you and I must say that the picture is not nice.
It seams that PDF documents can execute JavaScript code for no apparent reason by using the following template.
http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_hereYou must understand that the attacker doesn’t need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF file hosted on the target and that’s all about it. The rest is just a matter of your abilities and desires.
This finding was originally mentioned by Sven Vetsch, on his blog. The attack vector was discovered by Stefano Di Paola and Giorgio Fedon. This is a very good and quite interesting finding. Good work.
Just to show you the impact of this issue I prepared the following POC.
http://www.google.com/librariancenter/downloads/Tips_Tricks_85×11.pdf#something=javascript:function createXMLHttpRequest(){ try{ return new ActiveXObject(’Msxml2.XMLHTTP’); }catch(e){} try{ return new ActiveXObject(’Microsoft.XMLHTTP’); }catch(e){} try{ return new XMLHttpRequest(); }catch(e){} return null;}var xhr = createXMLHttpRequest();xhr.onreadystatechange = function(){ if (xhr.readyState == 4) alert(xhr.responseText);};xhr.open(’GET’, ‘http://www.google.com’, true);xhr.send(null);
When you open the PDF document, an XMLHttpRequest will be made to google.com and the front page source code will be displayed inside an alert box. Obviously, attackers can create a lot more dangerous scenario, where highly sensitive information is leaked leaving the user totally blind of what is going on.
This attack vector has several benefits that I must elaborate on. First of all, it is obvious that this is not a server side problem. This is totally client side and WEB vendors cannot do much about it. The only solution is to have Adobe release a patch as soon as possible or just not to host PDF files at all. Obviously the second solution is highly unfeasible. This leave us with Adobe fixing the bug, but let’s be honest with each other, things won’t get better. It is not that Adobe don’t have good guys there or they are irresponsible, it is just the fact that not that many people update their PDF reader mainly because it usually requires a large chunk of data being downloaded and installed. The process is very slow and bulky and puts off every security enthusiast. I am not sure if Adobe has silent update for putting off fires like this one. Anyway, we will see this attack vector for a while in the wild.
Now we have a prove that every site on this planet is vulnerable to XSS (Cross-site scripting). This is definitely not nice.
Unwillingly we have become solicitors of a very dangerous craft.
trackbacks
- SecuriTeam Blogs » PDF = Potential Death File?
- ha.ckers.org web application security lab - Archive » Universal XSS in PDFs
- flyingpenguin » Blog Archives » PDF XSS hits the fan
- chlog.net » PDF Dateien per XSS angreifbar
- NakedCleaner.com » Blog Archive » PDF’s are Bad!
- Twan van Elk » Blog-archief » PDF-achterdeur
- Secure2S » بایگانی سایت » آسیب پذیری XSS در نمایش فایل های PDF
- IT Blogwatch
- Mozilla Firefox, PDF Files and XSS - Reaper-X .:[ ID ]:.
- Rooter » Hacking con Browser Plugins
- En nog iets.nl » Blog Archive » PDF - En wat Javascript
- The Daily Tech Connection » Blog Archives » When JavaScript Attacks!
- Rod Trent at myITforum.com : Adobe responds to being blasted in the media about not patching vulnerability
- GNUCITIZEN » XSS Prelude
- J@§¤ñ’s Stack Trace » Blog Archive » XSS in virtually every web site
- J@§¤ñ’s Stack Trace » Blog Archive » Loal Cross-Site Scripting
GNUCITIZEN is one of the most influential organizations of its kind, reaching thousands of users every day and having a strong relationship with numerous printed and web-based media outlets. Part of our mission is to let others succeed the same way GNUCITIZEN did. Therefore, if you have a research or an interesting information you would like to share, 
comments
BTW, on Window PRO SP 2, only FF is vulnerable.
As I just added to my blog entry and wrote to the mailinglists:
It seems that I didn’t copy paste the credits out of my document I wrote with the content of this entry :(
Of course I’ve to give some credit to Stefano Di Paola and Giorgio Fedon because they found this flaw and not me at all.
As you see, I edited my blog entry. Next time I’ll be more careful and perhaps don’t write blog entries when I’m as tired as I was when I wrote it.
@pdp
Please also edit your blog entry. thx
pdp, I haven’t tested this yet but it looks like a great find.
Users with Foxit PDF viewer are not vulnerable to this; at least those without the JavaScript plugin installed (the default). So those who learn’t last time round should be ok.
Sven, fixed!
This flaw could be really bad. Think of all those pfd files hosted by online banks.
http://www.google.com/search?q.....tnG=Search
A phisher could do some real damage.
It seems to not be replicatable on IE6 or IE7 for me, although is with FF.
Any thoughts ?
Tester Zero, indeed.
Jason, yes… although some people are getting different results. For example, the following conditions are exploitable:
The damage is huge.
according to the this page from the original author of this article from CCC this is already fixed in adobe acrobat 8 (as far as we talk strictly about the pdf issue since the original topic of the article is more wide/general about ajax/web2 attacks)
http://www.wisec.it/vulns.php?page=9
It doesn’t work in Linux I tried
- kpdf
- evince
- adobe reader 7.0
mike, it affects strickly Adobe Acrobat. saso, several researchers report Acrobat 8 as one of the vulnerable. I guess it depends on that platform and the current acrobat patch level.
I couldn’t replicate it on IE7 with either reader 7 or 8 at all, although I could reproduce the problem on FF.
Now I’m starting wonder how huge this really is: Acrobat 8 has been out for at least 6 months, IE7 for 3 or so, and is getting a major push from MS. Either update will fix the problem, and what, 85% or so of the world is still on IE?
It’s definitely still a big deal, but it’s not something companies with a decent software update policy will need to lose sleep over right now.
I’ve seen a couple of places that the “wprkaround” is to turn off JS in your browser. From the client-side, wouldn’t it be sufficient to just remove/replace the Adobe Acrobat browser plug-in?
Doesn’t seem to work in IE6 with Acrobat 7.
Windows 2003 R2 SP1, x64, FF 1.5.0.8, Adobe Reader 7.0.8: PoC worked.
Fixed it by telling FF to give me the download box for pdf files in the future :)
Kris, I see you point of veiw but I don’t quite agree with it. IMHO, this vulnerability will be present for a while. In fact, I can see some development on new types of WEB worms that can simulationsly spread over several social networks. The impact of this issue is huge.
Web worms can use Jeremiah’s css history dump and login detection hacks together with the Google AJAX Search API hack in order to create a massive WEB infection. In fact, such type of malicious code can be trivially composed in half an hour. This is a vary scary thought.
Smaxor, what’s your patch level? I have a sneak suspecion that the IE POC works on different SPs.
A couple of points on this…
1) This issues ONLY effects the Windows platform. Mac, Linux, etc. users are NOT effected.
2) We found this issue out ourselves during our own security/vulnerability testing of Acrobat and introduced a fix as part of Acrobat/Reader 8 for Windows. As such, users of Acrobat/Reader 8 (regardless of browser) are NOT EFFECTED!
3) We already have patches prepared for earlier versions of Acrobat and will release those as soon as they are ready. This will address those users who are unable/unwilling to upgrade to Acrobat/Reader 8.
We thank the community for their concern in identifying vulnerabilities in our products and hope that our having the issues already addressed in our current versions will serve to alleviate concerns and demonstrate our commitment to this area.
Leonard Rosenthol
Adobe Systems
Leonard, I am not surprised that actions has already been taken. I remember the last time your company respond was quite on time.
The one million dollar question is: how quickly your update will propagate? I think this is the concerning bit emerging from the current situation.
It does work on Linux - FF: 1.5.0.9 + adobe reader 7
The concern I have is that we have a very tight security policy here and this is the first bug I’ve seen in about 18 months that’s actually going to affect us.
Here we have to use IE but only trusted sites are allowed to run any kind of Javascript, ActiveX control, etc. Non trusted sites can’t even open PDF files directly so ordinarily vulnerabilities don’t affect us at all.
However this bug appears to allow an untrusted site to open a PDF from a trusted site and I can only assume that means it will run the code from the security context of the trusted site too. That is a very serious concern for us.
My other concern is that Acrobat Reader is a nightmare to update, it’s one of the worst programs we have for deploying updates, and I can see this being a popular attack vector because of it’s widespread use and the problems updating it.
We’ll get Acrobat updated on our computers today, but I wonder how long this vulnerability would have gone quietly unnanounced by Adobe…
And now it’s local - credits for the basic PoC go to RSnake.
click here
I could reproduce with FF 2.0.0.1, Acro 7.0.8 on Win32
EVEN through Acro had Javascript disabled.
Obviously, this only affects JS _inside_ the PDF.
Tested here with Win 2K SP4, IE6 and Adobe 7.0.5. Seems not vulnerable.
I was going to say “it doesn’t work for me” but then I remembered I uninstalled Adobe PDFbloater and installed Foxit.
Yay foxit!
btw, here is an updated list of exploitable versions. the info is provided by acidus
Effected Browser: (all on Windows)
update from acidus
What about forcing the PDF to download instead of displaying it in the browser with the plugin? Kind of like this.
Hi, I’m sorry for the wait on this, but the Adobe Security Group has the full advisory published now: http://www.adobe.com/support/s.....07-01.html
If you’ve updated your internet software since last autumn then you’re already covered, with the free Adobe Reader 8. (This info was available in Stefano & Giorgio’s initial paper, and in the CERT advisory.)
As Leonard advised, patches for those who cannot update to the current version (old OS, locked intranet etc) are expected for download next week.
tx, jd/adobe
I can’t get this to work in FF 2.0.0.1 with Acrobat Reader 7.0.5 or in Opera 9.10 …
Does this only work if you use the plugin?
I have both set to open in Acrobat Reader, so I get a download box, and then Acrobat Reader opens up…
this is because Google fixed it by adding the following header to the response:
try
Still no popup in Opera 9.10. Got it in FF2.0.0.1.
Running FFx 2 and Reader 8, I got an alert that said “This operation is not allowed” and then the adobe pdf file opened correctly using the second link. The first link doesn’t tell the browser it’s a pdf so it didn’t open using the plugin.
To help mitigate this problem at the server end, the following Apache URL rewrite rules:
… should redirect requests for PDFs hosted here:
… to here:
youripaddress/yourdir/your.pdf
Since you’re probably setting cookies on your domain and not your IP address, most XSS approaches should hit a wall.
I have Windows 2000 Professional, IE6, Acrobat Reader 4.0. Does this affect me? I have my bank online and pay bills online with my checking acct. Am a student online also. Should I delete it? Cannot get higher version with win2k.
Not just FF, but also Mozilla which I use (Mozilla 1.7.7) also have this issue.
On Win XP Pro SP2 (and most probably XP HE also as previous Windows XP, such as Gold and SP1).
Just need Acrobat plugin installed in your browser.
It is realy danger and widespread vulnerability, boys.
The are up to 317 000 000 sites over the Web which have pdf files (as Google said). And every admin of every site need to deal with this Universal PDF XSS.
Using XP SP2,
FF 1.5.0.9,
PDF Downloader 0.7.6 and .8,
and AR 7.0.8 and now AR7.0.9 -
Uh… no change. The CIA link above still pops the XSS windows with 7.0.9 (even after rebooting)
Moving on to 8
RDP, that’s interesting. Anyone getting similar results?
I cannot reproduce the problem with xpdf and firefox on debian.
This is very widespread vulnerability. I have already written my own article about UXSS (in Ukrainian).
And you may look at this example of such hole at microsoft’s site :-).
http://www.microsoft.com/windo.....ript:alert(’XSS’)