Adobe Universal XSS Just Got Worse

Some had a good night's sleep last night. Generally it will be those who heeded our suggestions given in September last year with “Backdooring PDF Files”, while others most likely didn’t get any sleep at all.

I woke up this morning and started getting ready for work. As usual, I turned on my laptop and cruised over to Michael Daw’s SecNews and then to my RSS feeds. There is a lot of talk regarding the new Adobe Universal XSS, and it just got worse!

RSnake was playing (he says for 5 minutes, I bet it was longer), and verified that this XSS attack can be extended to the local browser context. This makes this attack even worse! Not only is this attack universal but it can now exploit localhost too! Nice find RSnake.

If you're interested in some of the attacks with local browser context issues, check out our RSS Injection in Sage exploits.

This has got to be one of the worst and most widespread XSS attacks that I can ever remember. If you're running Adobe <= 7 you're most likely in trouble. Check my previous post for fix suggestions.

Proof of Concept

file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/
   ENUtxt.pdf#blah=javascript:alert("XSS");
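
A defensive check built on the shape of the proof of concept, added here as an example and not code from the original post: it flags links whose path ends in .pdf and whose fragment carries a parameter value starting with javascript:, and reports file: URLs separately as local-context hits. The function names, verdict strings and sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample links; the third is the proof of concept shown above.
SAMPLE_LINKS = [
    'http://example.com/docs/report.pdf#page=3',
    'http://example.com/docs/report.pdf#blah=javascript:alert("XSS");',
    'file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/'
    'ENUtxt.pdf#blah=javascript:alert("XSS");',
    'http://example.com/a.PDF#zoom=100&x=JavaScript:alert(1)',
    'http://example.com/page.html#blah=javascript:alert(1)',
]


def classify(url):
    """Return 'ok', 'script-in-pdf-fragment' or 'script-in-local-pdf-fragment'."""
    parts = urlsplit(url)
    # Only links that resolve to a PDF are of interest here.
    if not unquote(parts.path).lower().endswith(".pdf"):
        return "ok"
    # The fragment never reaches the web server, so this check has to run
    # where full URLs are visible: HTML, feeds, mail bodies, proxy logs.
    for param in parts.fragment.split("&"):
        _name, _sep, value = param.partition("=")
        # Assumption: decode and lower-case before comparing the scheme.
        value = unquote(value).strip().lower()
        if value.startswith("javascript:"):
            if parts.scheme == "file":
                # Script would run in the local browser context.
                return "script-in-local-pdf-fragment"
            return "script-in-pdf-fragment"
    return "ok"


def flagged(links):
    """Return (verdict, url) pairs for every link that is not 'ok'."""
    return [(v, u) for u in links if (v := classify(u)) != "ok"]


if __name__ == "__main__":
    for verdict, link in flagged(SAMPLE_LINKS):
        print(f"{verdict:30} {link}")
```
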

3 Comments so far

  1. RSnake @ January 4th, 2007

    No really, it was 5 minutes. It was about 20 to get Adobe installed on a machine that I didn’t care about keeping vulnerable, but only five minutes to find a standard file. :) Then another 10 minutes writing the blog post… then another 2 minutes to proof… okay, so all in maybe 40 minutes. Happy now? ;)

  2. David Kierznowski @ January 4th, 2007

    heh :)

  3. david.kierznowski @ January 5th, 2007
