Archive for January, 2007

Hacking Web 2.0 MindMap

I have begun putting together a Hacking Web 2.0 MindMap. It's a lot nicer on the eye than a bunch of links:
http://michaeldaw.org/hacking_web-2_0_mindmap/

RE: Disclosure: Ready or Not

Jeremiah opened up a can of worms in his blog entry, “Disclosure: Ready or Not”. I began my comment, but it just became too big, so I decided to bounce around some thoughts here.

In October 06 I released an article, “Hacker, Cracker Powershift?” where I voiced some of my concerns which relate to this article.

I think “money” (the root of all evil), like everything else, ends up destroying the art. Look at the football and cricket conspiracies of today. This one is paying that one so that one doesn’t play as well, blah blah blah (read my link above to understand this statement better).

Although responsible disclosure needs to be addressed, my thoughts rest more with the hearts of the rising generation. In my opinion everything is moving back to secret hacker groups sharing zero-day exploits and selling them to the highest bidder.

What’s the point of discussing vulnerability disclosure when the percentage of vulnerabilities found surpasses those being publicly released?

Adobe Universal XSS Just Got Worse

Some had a good night’s sleep last night. Generally it will be those who heeded our suggestions given last September with “Backdooring PDF Files”, while others most likely didn’t get any sleep at all.

I woke up this morning and started getting ready for work. As usual, I turned on my laptop and cruised over to Michael Daw’s SecNews and then to my RSS feeds. There is a lot of talk regarding the new Adobe Universal XSS, and it’s just got worse!

RSnake was playing (he says for 5 minutes; I bet it was longer) and verified that this XSS attack can be extended to the local browser context. This makes the attack even worse! Not only is it universal, but it can now exploit localhost too! Nice find, RSnake.

If you’re interested in some of the attacks involving local browser context issues, check out our RSS Injection in Sage exploits.

This has got to be one of the worst and most widespread XSS attacks that I can ever remember. If you’re running Adobe <= 7, you’re most likely in trouble. Check my previous post for fix suggestions.

Proof of Concept

file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#blah=javascript:alert("XSS");

Adobe Universal XSS

Discussion

In September pdp and I did some really fun work involving backdooring PDF files. It opened a lot of eyes and some bank accounts in getting it fixed. Now Stefano Di Paola and Giorgio Fedon have found a way to perform universal XSS attacks on systems with Adobe Reader and Professional installed.

Affected Versions

According to pdp the following versions have been found vulnerable:

  • IE 6 SP 1 with version of Acro Reader older than 8.0
  • Firefox 2.0.0.1 win32
  • Firefox 1.5.0.8 win32
  • Opera 8.5.4 build 770 win32
  • Opera 9.10.8679 win32

Not Vulnerable:

  • IE 7.0 win32

Exploitation:

http://[URL]/[FILENAME].pdf#something=javascript:alert(123);
Sven released some nice PoC exploits using this vulnerability; see:
http://www.disenchant.ch/blog/hacking-with-browser-plugins/

Solutions:

This brings back memories from last year. Those who learnt from our previous post on backdooring PDF files will be immune to this attack. Some suggestions:

  1. Use Foxit PDF Reader rather than Adobe (JavaScript is disabled by default)
  2. If you must stick with Adobe then disable all default plugins that are not in use. See bipin’s comment on our original findings http://michaeldaw.org/md-hacks/backdooring-pdf-files/#comment-42
  3. Upgrade to Adobe 8
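The three suggestions above are all client-side. One server-side counter-measure, added here as an example and not code from the original post or from Adobe, is to serve PDFs with Content-Disposition: attachment, so the browser hands the file to the standalone reader instead of rendering it in-page under the site's own origin, which is the context a `#name=javascript:` fragment would otherwise run in. Note that the fragment is never sent to the server, so access logs cannot show this attack; the response header is the server's main lever. The demo app, paths and header helper below are constructed for the example.

```python
import re
from wsgiref.simple_server import make_server
from wsgiref.util import setup_testing_defaults

PDF_TYPES = ("application/pdf", "application/x-pdf")


def force_pdf_attachment(app):
    """WSGI middleware: every PDF response gets Content-Disposition: attachment."""
    def wrapper(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            lowered = {k.lower(): v for k, v in headers}
            ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
            if ctype in PDF_TYPES:
                # Drop any existing disposition (e.g. "inline") and force attachment,
                # so the browser hands the file to the standalone reader instead of
                # rendering it in-page under this site's origin.
                headers = [(k, v) for k, v in headers
                           if k.lower() != "content-disposition"]
                name = environ.get("PATH_INFO", "").rsplit("/", 1)[-1] or "document.pdf"
                name = re.sub(r"[^A-Za-z0-9._-]", "_", name)  # keep the header well-formed
                headers.append(("Content-Disposition", 'attachment; filename="%s"' % name))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapper


def demo_app(environ, start_response):
    """Constructed sample origin app: a PDF at any *.pdf path, HTML elsewhere."""
    if environ.get("PATH_INFO", "").endswith(".pdf"):
        start_response("200 OK", [("Content-Type", "application/pdf"),
                                  ("Content-Disposition", "inline")])
        return [b"%PDF-1.4\n%%EOF\n"]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>hello</html>"]


def fetch(app, path):
    """Run one request through a WSGI app; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    make_server("127.0.0.1", 8000, force_pdf_attachment(demo_app)).serve_forever()
```

Running the file serves the wrapped demo app on port 8000; `fetch(force_pdf_attachment(demo_app), "/report.pdf")` shows the rewritten headers without starting a server.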
