Adobe Acrobat Reader Plugin - Multiple Vulnerabilities
Original Advisory:
http://www.wisec.it/vulns.php?page=9
Original Discovery and Research:
Stefano Di Paola
Contribution:
Giorgio Fedon (IE Dos, UXSS Analysis)
Elia Florio (Poc and Code Execution analysis)
Status: Vendor Informed on 15 October 2006
Patched: Yes
Please upgrade your current version of Adobe Acrobat.
_______________________________________________________
Brief Intro:
During our lecture at 23C3 (Subverting Ajax), we presented
some interesting attack vectors that take advantage of
the dangerous vulnerability called "Prototype Hijacking"
in browser frameworks. Any XSS represents a good
entry point, and a single Universal XSS is de facto the best
entry point.
Since Adobe did a great job and patched the issues reported
herein in less than one month, we decided to
disclose our findings during 23C3 to help the audience
better understand the risks and impacts of high-level plugin
vulnerabilities (i.e. functional integration flaws, not memory
corruption).
There is also a possible remote code execution (RCE), but
it was not the focus of our talk.
Affected Versions:
Adobe Acrobat Reader plugin 7 (fully patched) and Below
Tested On:
Firefox 1.5.0.7 and Below, 2.0RC2 under Windows XP SP2
Firefox 1.5.0.7 and Below, 2.0RC2 under Ubuntu 6.06
Internet Explorer SP2 under Windows XP SP2
Summary:
The Adobe Acrobat plugin for Mozilla Firefox (acroreader) is able to
populate Portable Document (PDF) forms by supplying an external set of
data through the FDF, XML, or XFDF open parameters.
The implementation of the FDF, XML and XFDF functionalities
(http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf)
in the Acrobat Reader plugin is vulnerable to different kinds
of attacks.
The extent of the vulnerability changes from browser to browser:
1. Universal CSRF / session riding;
(Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)
2. UXSS in #FDF, #XML and #XFDF;
(Mozilla Firefox + Acrobat Reader plugin)
3. Possible Remote Code Execution;
(Mozilla Firefox + Acrobat Reader plugin)
4. Denial of Service;
(Internet Explorer + Acrobat Reader plugin)
______________________________________
1. Universal CSRF and session riding
This is probably Adobe related, as all tested browsers (IE, Firefox, Opera)
were affected.
The issue is that by creating a special link like this:
http://site.com/file.pdf#FDF=http://victim.com/index.html?param=...
the Adobe plugin automatically sends a request to 'victim.com', without user
interaction, asking for the page defined in the 'fdf' parameter. This could
be used for a Universal Session Riding (aka UCSRF) attack, which is a well
known class of vulnerability: the request is issued by the victim's browser,
so it carries the victim's cookies for 'victim.com'.
Note that the same effect is accomplished by using the 'xml' and 'xfdf'
parameters.
====
2. UXSS in #FDF, #XML and #XFDF
In addition, by using the following request, it is possible to execute
JavaScript code inside the Firefox browser:
http://site.com/file.pdf#FDF=javascript:alert('Test Alert')
The previous request could be triggered against any site hosting a PDF,
and because of this it is a Universal Cross Site Scripting: the script runs
in the origin of 'site.com', not of the attacker.
UXSS is a particular type of Cross Site Scripting that is triggered
by exploiting flaws inside browsers (or their plugins), instead of leveraging
vulnerabilities in insecure web sites. It is also possible to force clients
to open local files by supplying:
http://site.com/file.pdf#FDF=javascript:document.location='file://C:/winnt/notepad.exe'
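As an added example (not part of the original advisory), the following link
checker, as a mail or proxy filter might apply it, parses the open-parameter
fragment of a PDF link and flags the three patterns described in sections 1
and 2: a javascript: value (UXSS), a file: value (forced local open) and a
data URL on a host other than the one serving the PDF (session riding). The
finding names and the same-host heuristic are this example's own assumptions.

```python
from urllib.parse import urlsplit, unquote

# Open-parameter keys that make the Acrobat Reader plugin fetch form data
# from an arbitrary URL (see the PDFOpenParameters document cited above).
DATA_PARAMS = {"fdf", "xml", "xfdf"}


def parse_open_params(fragment):
    """Split a '#key=value&key=value' PDF open-parameter fragment into pairs."""
    params = []
    for part in fragment.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params.append((key.strip().lower(), unquote(value)))
    return params


def classify_pdf_link(url):
    """Return (param, finding) tuples for a link carrying PDF open parameters.

    Finding names are this example's own labels:
      'script-url'   - data parameter is a javascript: URL (UXSS pattern)
      'file-url'     - data parameter is a file: URL (forced local open)
      'cross-origin' - data parameter fetches from another host (UCSRF)
    """
    parts = urlsplit(url)
    findings = []
    # Only the fragment of a .pdf URL is interpreted as open parameters.
    if not parts.path.lower().endswith(".pdf") or not parts.fragment:
        return findings
    for key, value in parse_open_params(parts.fragment):
        if key not in DATA_PARAMS:
            continue
        target = urlsplit(value.strip())
        scheme = target.scheme.lower()
        if scheme == "javascript":
            findings.append((key, "script-url"))
        elif scheme == "file":
            findings.append((key, "file-url"))
        elif scheme in ("http", "https") and target.hostname != parts.hostname:
            findings.append((key, "cross-origin"))
    return findings


if __name__ == "__main__":
    # Constructed sample links modelled on the advisory's examples.
    for link in ("http://site.com/file.pdf#FDF=http://victim.com/index.html?param=1",
                 "http://site.com/file.pdf#FDF=javascript:alert('Test Alert')",
                 "http://site.com/file.pdf#page=3&xfdf=http://site.com/form.xfdf"):
        print(link, "->", classify_pdf_link(link))
```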