Discussion

In September pdp and I did some really fun work involving backdooring PDF files. It opened a lot of eyes and some bank accounts in getting it fixed. Now Stefano Di Paola and Giorgio Fedon have found a way to perform universal XSS attacks on systems with Adobe Reader and Acrobat Professional installed.

Affected Versions

According to pdp, the following versions have been found vulnerable:

  • IE 6 SP1 with a version of Acrobat Reader older than 8.0
  • Firefox 2.0.0.1 win32
  • Firefox 1.5.0.8 win32
  • Opera 8.5.4 build 770 win32
  • Opera 9.10.8679 win32

Not Vulnerable:

  • IE7.0 win32

Exploitation:

http://[URL]/[FILENAME].pdf#something=javascript:alert(123);
Sven has released some nice PoC exploits for this vulnerability; see:
http://www.disenchant.ch/blog/hacking-with-browser-plugins/
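Because the part of the URL after "#" is a fragment identifier, it is never sent to the web server, so this attack leaves no trace in ordinary access logs; the only places the full URL can be inspected are where it is visible in content (user-submitted links, HTML mail, page bodies) or in browser-side or proxy tooling that sees the complete URL. The following Python is an added example for exactly that situation and is not code from the original post: it flags links that point at a .pdf and carry a fragment parameter whose value resolves to a javascript: URL, tolerating percent-encoding and embedded whitespace so that trivially obfuscated variants are caught as well. The sample HTML, the example.com hostnames and the function names are constructed for the demonstration.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# Whitespace and control characters that a browser may drop when it parses a
# URL scheme; removed before comparison so "java\tscript:" is still caught.
_IGNORED = re.compile(r"[\s\x00-\x1f]")

# Extracts href values from single- or double-quoted attributes. Good enough
# for the constructed sample below; a real scanner would use an HTML parser.
_HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def _normalised_scheme(value: str) -> str:
    """Percent-decode, strip ignorable characters, lowercase, and return the
    text up to and including the first ':' (the would-be URL scheme)."""
    cleaned = _IGNORED.sub("", unquote(value)).lower()
    head, sep, _rest = cleaned.partition(":")
    return head + sep


def is_pdf_url(url: str) -> bool:
    """True if the path component (query and fragment excluded) names a .pdf."""
    return urlsplit(url).path.lower().endswith(".pdf")


def fragment_pairs(url: str) -> list[tuple[str, str]]:
    """Split the fragment into (name, value) pairs, e.g. '#page=3&zoom=100',
    which is the name=value syntax the Reader plugin reads from the fragment."""
    pairs = []
    for part in urlsplit(url).fragment.split("&"):
        if part:
            name, _sep, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def pdf_fragment_findings(url: str) -> list[tuple[str, str]]:
    """Return the fragment parameters of a PDF URL whose value, once decoded,
    is a javascript: URL. An empty list means nothing suspicious was found."""
    if not is_pdf_url(url):
        return []
    return [(name, value) for name, value in fragment_pairs(url)
            if _normalised_scheme(value) == "javascript:"]


def scan_html_links(document: str) -> list[str]:
    """Return every href in an HTML document that carries such a fragment."""
    return [href for href in map(html.unescape, _HREF_RE.findall(document))
            if pdf_fragment_findings(href)]


# Constructed sample: four links as they might appear in user-submitted content.
SAMPLE_HTML = """
<a href="http://example.com/report.pdf#page=2">Quarterly report</a>
<a href='http://example.com/report.pdf#zoom=javascript:alert(123);'>Report (mirror)</a>
<a href="/files/guide.pdf?dl=1&amp;v=2#x=java%73cript%3Aalert(1)">Guide</a>
<a href="http://example.com/page.html#x=javascript:alert(1)">Not a PDF</a>
"""

if __name__ == "__main__":
    # Prints the second and third links; the first is a benign open parameter
    # and the fourth is not a PDF, so the plugin never sees its fragment.
    for href in scan_html_links(SAMPLE_HTML):
        print("flagged:", href, pdf_fragment_findings(href))
```

The decisive test is on the path, not the whole URL: a query string or a fragment mentioning ".pdf" does not hand the document to the Reader plugin, but a path ending in .pdf does, so only then are the fragment parameters worth inspecting.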

Solutions:

This brings back memories of last year. Those who learnt from our previous post on backdooring PDF files will be immune to this attack. Some suggestions:

  1. Use Foxit PDF Reader rather than Adobe Reader (JavaScript is disabled by default)
  2. If you must stick with Adobe, disable all default plugins that are not in use. See bipin's comment on our original findings: http://michaeldaw.org/md-hacks/backdooring-pdf-files/#comment-42
  3. Upgrade to Adobe Reader 8