XML External Entity (XXE) Attack Possible in Adobe Reader 7
-----------------------------------------------------------

                                                    SHH #7, 2005-06-16

Description
-----------

Recent versions of Adobe Reader (previously known as Acrobat Reader)
are vulnerable to XML External Entity (XXE) Attacks.  By including a
JavaScript in a PDF file, and have this JavaScript parse an embedded
XML document with a reference to an external entity, it is possible to
read certain types of textual files on the local computer, and have
them sent to a remote attacker.


Details
-------

The hairy details (the problem description sent to Adobe), including
sample PDFs, are available on a separate web page:
  http://shh.thathost.com/secadv/adobexxe/


Solution
--------

Disable the use of JavaScript in Adobe Reader, or upgrade to a version
not vulnerable to this attack.


Vendor Notification
-------------------

The Adobe developers were notified on 2005-04-15.  They made a fix
available on 2005-06-15.


Affected versions
-----------------

Confirmed to work in version 7.0 and 7.0.1 on Microsoft Windows,
version 7.0 on GNU/Linux and version 7.0 on Mac OSX.

It is unknown whether the attack works in version 6, which also
supports JavaScript in PDF files.


Fixed versions
--------------

Adobe Reader version 7.0.2.
For Adobe's own advisory, see the following URL:
  http://www.adobe.com/support/techdocs/331710.html


Credits
-------

Thanks to Jeremiah Grossman for verifying that the attack also works
on the Mac OSX version of Adobe Reader.


----------------------------
Reported by Sverre H. Huseby