get3.adobe.com Cross Site Scripting

get3.adobe.com Cross Site Scripting: Posted Dec 8, 2014; Authored by Yann CAM; Adobe's get3.adobe.com site suffered from a reflective cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 5d5629ac99ef89b0f45c5ad8cfe201d0e1d75d982e7e15012c86a8b9be463662; Download | Favorite | View

get3.adobe.com Cross Site Scripting

######################################################################
# Exploit Title: Adobe.com Flashplayer sub-domain Reflected XSS (RXSS)
# Date: 08/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.adobe.com
# Version: /
# Category: Reflected Cross Site Scripting
# Google dork:
# Tested on: Adobe.com Flashplayer sub-domain
######################################################################

Adobe description :
======================================================================
 
Adobe Systems Incorporated is a multinational computer software company. Adobe Systems headquarter is based in San Jose, California, United States. 
The company has historically focused upon the creation of multimedia and creativity software products, with a more-recent foray towards rich Internet 
application software development. It is best known for the Portable Document Format (PDF), Flash player and Adobe Creative Suite, later Adobe Creative Cloud.


Vulnerability description :
======================================================================
A reflected XSS is available in the get3.adobe.com sub-domain.
Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Adobe portals, or capture Adobe's users credentials such cookies. 
It's also possible to forge a fake adobe's page with this XSS to provide a backdoored version of the flash plugin to users.
This reflected XSS is on GET "re" variable and is not properly sanitized before being used to his page.


Proof of Concept 1 :
======================================================================
 
A non-persistent XSS (RXSS) in "re" GET param is available in the get3.adobe.com sub-domain.
Tested on Firefox 31.0.
 
After upgrading Flashplayer with auto-update agent on Windows, a page of adobe sub-domain is automatically opened.
This page is opened to check if the upgrade is successfully ; and return code of the auto-update agent is passed through "re" GET variable.
This numeric return code is reinjected into the JavaScript source-code of the page and can be crafted to make an XSS.
 
PoC:
 
https://get3.adobe.com/fr/flashplayer/completion/aih/?exitcode=1337&re=7331;alert(/Reflected XSS - Yann CAM @ASAfety - www.synetis.com/);&type=update&appid=200


Proof of Concept 2 :
======================================================================

Session cookie can be retrive with this XSS.

PoC:

https://get3.adobe.com/fr/flashplayer/completion/aih/?exitcode=1337&re=7331;alert(document.cookie);&type=update&appid=200


Screenshots :
======================================================================

- http://www.asafety.fr/data/20140829-adobe-xss01.png
- http://www.asafety.fr/data/20140829-adobe-xss02.png
- http://www.asafety.fr/data/20140829-adobe-xss04.png


Solution:
======================================================================

Fixed by Adobe PSIRT.
 
 
Additional resources :
======================================================================
 
- https://www.adobe.com/
- https://blogs.adobe.com/psirt/
- https://helpx.adobe.com/security/acknowledgements.html
- http://www.asafety.fr/actualites-news/contribution-adobe-injection-de-code-javascript-xss/
- http://www.synetis.com

 
Report timeline :
======================================================================
 
2014-08-28 : Adobe PSIRT Team alerted with details and PoC.
2014-08-30 : Adobe response and issue number affected (2985).
2014-10-28 : Vulnerability not fixed, second email to get a status.
2014-10-28 : Adobe response : still working on this issue.
2014-12-05 : Vulnerability seems to be fixed, third email to get a status.
2014-12-05 : Adobe response : case 2985 closed and acknowledgement.
2014-12-08 : Public advisory

Credits :
======================================================================
 
    88888888
   88      888                                         88    88
  888       88                                         88
  788           Z88      88  88.888888     8888888   888888  88    8888888.
   888888.       88     88   888    Z88   88     88    88    88   88     88
       8888888    88    88   88      88  88       88   88    88   888
            888   88   88    88      88  88888888888   88    88     888888
  88         88    88  8.    88      88  88            88    88          888
  888       ,88     8I88     88      88   88      88   88    88  .88     .88
   ?8888888888.     888      88      88    88888888    8888  88   =88888888
       888.          88
                    88    www.synetis.com
                 8888  Consulting firm in management and information security
 
Yann CAM - Security Consultant @ Synetis | ASafety

--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

get3.adobe.com Cross Site Scripting

get3.adobe.com Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

get3.adobe.com Cross Site Scripting

Share This

get3.adobe.com Cross Site Scripting

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems