Comments on: PDF Strikes Back

By: BoletÃn 00089 - 15/03/2007 at Aullando con el Lobo (W.O.L.F.)

BoletÃn 00089 - 15/03/2007 at Aullando con el Lobo (W.O.L.F.) — Sun, 23 Sep 2007 21:12:08 +0000

[...] PDF Strikes Back http://www.gnucitizen.org/projects/pdf-strikes-back/ [...]

By: Alex

Alex — Sun, 20 May 2007 11:52:41 +0000

I’m sorry, but can you tell the difference between UXSS and XSS ? I mean, when do I have to call it XSS and when UXSS ?
Thanks !

By: Arvutikaitse » Blog Archive » PDF kui uks sinu arvutisse

Arvutikaitse » Blog Archive » PDF kui uks sinu arvutisse — Fri, 30 Mar 2007 06:32:12 +0000

[...] Kasutajainfo ja kasutusinfo levitamine ei paista olevat vÃ¤ga suur probleem, kuid Adobe tooted vÃµimaldavad avada (ja seega edastada) ka sinu arvutis olevaid faile (CVE-2007-1199, SA24408, pdp). [...]

By: GNUCITIZEN » PDF and History Hacks

GNUCITIZEN » PDF and History Hacks — Fri, 02 Mar 2007 15:42:46 +0000

[...] First of all, let’s see what is happening on the client-side web hacking front-line. It is possible to steal the browser history by using an approach quite different from what Jeremiah Grossman came up with last year. I am making use of script tags together with about:cache protocol leeks. This works on Firefox 2.0.0.2 which means that if this is what you are using right now, you are most definitely vulnerable. [...]

By: pdp

pdp — Thu, 01 Mar 2007 20:57:03 +0000

This is weird! Thanks.

By: MustLive

MustLive — Thu, 01 Mar 2007 19:40:39 +0000

The following number of POCs (Proof of Concept) work on Adobe Reader 8.0. Other versions might be vulnerable too.

It is also work in my Acrobat 6.0 (but only tow tests). Pdp, not all PoCs worked in my case, just first two.

poc01.pdf - work (open file:///C:/)
poc02.pdf - work (show the file path)

Other three: poc03-ie.pdf, poc03-ff.pdf and poc03-op.pdf didn’t work. Because my system (Win XP SP2) didn’t like file names with # character. So that PoCs didn’t work in my Mozilla, Firefox and IE.

By: pdp

pdp — Thu, 01 Mar 2007 12:18:13 +0000

Wokker, it is a new issue. However, I do use the Universal PDF XSS to better explain the risk. Wait for my blog entry which will detail this finding.

By: Wokker

Wokker — Thu, 01 Mar 2007 11:12:57 +0000

Is this a new issue or is this the same issue that you reported in http://www.gnucitizen.org/blog/danger-danger-danger?
Only with some new Poc’s ?

By: The show must go on at Disenchant’s Blog

The show must go on at Disenchant’s Blog — Thu, 01 Mar 2007 08:35:23 +0000

[...] pdp wrote an interesting blog posting today about his research on the well known so called PDF UXSS vulnerability. Because pdp did a good job on his posting, I just want to quote a part of it: [...]

By: Kishor

Kishor — Thu, 01 Mar 2007 05:13:13 +0000

Scary!

Because it reveals my user name which is very important in order to guess some of the vulnerable htmls that might be present in my temp directory. These HTMLs can be the exploited further may be using http://www.gnucitizen.org/projects/pdf-strikes-back/poc01.pdf.

c:\docume~1\USERNAME\locals~1\temp\poc02-2.pdf

By: javier

javier — Wed, 28 Feb 2007 22:54:00 +0000

FYI. Nothing happens using Foxit reader on win XP2. So opening documents this way should be considered a little more secure.

By: pagvac

pagvac — Wed, 28 Feb 2007 13:38:29 +0000

Tried poc01 on Adobe Acrobat Reader 8.0 (Windows XP SP2) and it does open ‘C:’ using the default web browser.

It’s interesting that Adobe Acrobat Reader 4.0 does open ‘C:’ using Windows’ ‘explorer.exe’ as opposed to the default web browser.

Comments on: PDF Strikes Back

By: BoletÃ­n 00089 - 15/03/2007 at Aullando con el Lobo (W.O.L.F.)

By: Alex

By: Arvutikaitse » Blog Archive » PDF kui uks sinu arvutisse

By: GNUCITIZEN » PDF and History Hacks

By: pdp

By: MustLive

By: pdp

By: Wokker

By: The show must go on at Disenchant’s Blog

By: Kishor

By: javier

By: pagvac

By: BoletÃn 00089 - 15/03/2007 at Aullando con el Lobo (W.O.L.F.)