Select Page

Everyday application security is facing new threats and it challenges the business users. The latest is in the form of XSS attacks; where an application serving PDF files are vulnerable to these attacks.

Attackers simply have to add an anchor containing a script, e.g. add #blah=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or streams a PDF). The browser hands off the anchor to the Adobe reader plug-in, and the script then runs in the victim.s browser.

The Universal PDF XSS issue was discovered by Stefano Di Paola and Giorgio Fedon and it was presented on 23C3 security conference. This vulnerability obviously affects the Adobe Acrobat Reader which is a widely used software among business, non-business organizations and individuals. By abusing Acrobat.s open parameter features well protected sites become vulnerable to Cross-site scripting attacks if they host PDF documents. This is pretty bad and unless you update your reader or change the way your browser handles PDF documents, you may get hacked quite badly. This issue is very serious.

This vulnerability can be exploited by using the URL in the following fashion

http://path/file.pdf#blah=javascript: yourcode

It is very clear that any malicious user can write the required code for malicious activity. Can hijack sessionID and thereby the user identity or execute code from another location and thus redirect a user to a phishing site and a lot more.

Some examples

Try it on your windows OS

file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf# blah=javascript:try%20{var%20req%20=%20new%20XMLHttpRequest();req.open(%22GET%22,%20%22file:///C:/WINDOWS/system32/drivers/etc/hosts%22,%20null);req.send(null);%20alert(req.responseText)%20}%20catch%20(e)%20{console.dir(e)};

Does this ring any bell?? Doesn.t it crazy? Minor modifications in the JavaScript will reveal the directory browsing, or copying of files from your system.

Another one for directory listing

file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf# blah=javascript:try%20{var%20req%20=%20new%20XMLHttpRequest();req.open(%22GET%22,%20%22file:///C:/%22,%20null);req.send(null);%20alert(req.responseText)%20}%20catch%20(e)%20{console.dir(e)};

OK, now lets go more details from the fun part of the vulnerability.

PDF being widely used, it is important to understand that most of the applications in the internet have this vulnerability. This makes the situation a lot worse because If you happen to be on a malicious site or you click a malicious link, attackers can simultaneously compromise several of your WEB accounts that are currently open/authenticated.

Note the point that, this attack will be effective only if you/victim click on the url.

Now lets see what hackers/crackers/(you name it) do to make use of this vulnerability?

Being an intelligent user, chances are less you click on a suspicious link. However attackers can make use of sneak techniques to force you somehow, by changing the file extension of the PDF document to .mp3 or .mov or even .html. It looks less suspicious, but still when pulled from the server the content will be served as application/pdf:

For example:

A slight modification in the htaccess file of http://currentdomain/

#.htaccess

RewriteEngine On

RewriteRule *.(jpg|png|css|mp3|mov|avi)$ http://otherdomain/abc.pdf

When a user clicks on the following url

http://currentdomain/whatever.mp3#something= javascript:malicious_code

the code will be executed on http://otherdomain and not in the currentdomain. The user has fallen into the trap.

Now you have tiny URL.

One can embed the malicious URL in a tiny URL and send the tiny URL to the victims. This will make the user less suspicious about the URL and has more possibility of clicking on the link.

Using tinyurl you can have

http://currentdomain/whatever.mp3#something= javascript:malicious_code

become

http://tinyurl.com/..Another option is to have the exploit link opening automatically without user action. This can be performed by embedding the link in a site, normally malicious site. When a user visits such sites, the exploit page will automatically opened by using iframes.

his vulnerability will be a solid tool for phishing attackers and they can use this cleaverly to gather personal information and identity thefts.

What are the fixes?

Do not click any url which is not familiar and/or which is not from a trusted source. Always type the URL and then guide through the site links.
Upgrade your Adobe Acrobat reader to version 8
Upgrade the browsers using vendor released patches