Acrobat Reader Browser Plug-in has a huge XSS vulnerability.
(Vulnerabilities)
NIST.org
Wednesday 03 January 2007 - 20:31:17
Let's get straight to the point: this vulnerability should not be taken lightly. People I know, and in some cases fear, are worried about this. If you have the Adobe Acrobat Reader browser plug-in installed, nearly any website that contains a PDF file can now be exploited for Cross-site Scripting (XSS). (UPDATES below)
The bottom line? If yourlocalbank.com hosts a PDF file (and most do), you have the Acrobat Reader browser plug-in installed (and a lot of people do), and you click on a specially crafted link to the yourlocalbank.com PDF file, then someone can steal your login credentials and take care of your online banking for you. Or the bad guy can create fake pages for phishing attacks that appear to be from legitimate sites and collect credit card information that way (for more information see our XSS article). CNET gives a couple of good attack scenarios.
How? It's actually a very easy vulnerability to exploit, and hackers everywhere are kicking themselves for not finding it sooner. Normally we don't post "how to" information, but this is being posted everywhere and needs no complicated explanation. Simply append the JavaScript to the end of the PDF URL, like so:
- http://somedomain.com/pdffile.pdf#blah=javascript:alert("XSS");
The JavaScript can be anything, and we've already seen malicious examples, including some that can run executables. Here are some harmless examples from Dischant.ch:
Mitigation? Until Adobe releases an update the choices aren't very nice. Either uninstall Acrobat Reader, or use Firefox with the NoScript plugin (see our instructions).
UPDATES:
- There are reports that the latest Acrobat Reader 8.0 patch may have fixed the problem. Adobe was notified of the issue in advance of public release of the vulnerability. You can download the latest version from Adobe.
- 1/4/2007 - Because of the way Internet Explorer interfaces with the Acrobat Reader, it apparently does not run the JavaScript correctly. IE7 apparently displays a network error and won't display the PDF or run the JavaScript; IE6 seems to simply ignore the JavaScript completely. Firefox and Opera are attack vectors, and users of these browsers should take precautions (i.e. in Firefox, use the NoScript plugin).
- 1/4/2007 - Webmasters can prevent PDF files hosted on their systems from being used in XSS attacks by changing the MIME type served for the .pdf extension to something non-existent. This forces the web browser to prompt the user to download the PDF file rather than view it within the browser, which prevents your site from being used in phishing schemes, session hijacking, password theft, etc. Most people simply do not update their 3rd-party applications, so this might be the best way to handle the issue. Financial institutions should definitely consider doing this.
As we've said before, everyone needs to get a lot better at updating 3rd-party applications, not just the OS and the web browser. A lot of people have plugins installed such as Acrobat Reader, Flash, QuickTime, etc., and all of these can have nasty vulnerabilities.
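As an added example (not part of the original post), here is a small Python check of the webmaster mitigation above: given a server's response headers for a PDF, it reports whether the browser would hand the file to the plug-in or prompt for a download. The sample responses are constructed, the MIME type used for the remap is a made-up one, and the Content-Disposition: attachment case is my addition, since it produces the same download prompt without touching the MIME type.

```python
# Added example, not from the original post: decide from a server's response
# headers whether a hosted PDF would be handed to the in-browser Acrobat
# plug-in (exposed) or pushed to a download prompt (the webmaster mitigation).
# The #fragment that carries the JavaScript is never sent to the server, so
# the check has to be made on the response, not on the request.

def parse_response_headers(raw: str) -> dict:
    """Parse a raw HTTP response head (status line plus headers) into a
    mapping of lower-cased header name to value."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def pdf_rendered_inline(headers: dict) -> bool:
    """True when the browser would pass the body to the PDF plug-in.
    Either a Content-Disposition of 'attachment' (download prompt regardless
    of type) or a Content-Type other than application/pdf (the MIME-type
    remap from the post) keeps the plug-in out of the picture."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    disp = headers.get("content-disposition", "").split(";")[0].strip().lower()
    if disp == "attachment":
        return False
    return ctype == "application/pdf"


def audit(raw_response: str) -> str:
    """Return 'inline' (exposed to the plug-in XSS) or 'download' (mitigated)."""
    return "inline" if pdf_rendered_inline(parse_response_headers(raw_response)) else "download"


# Constructed sample responses for one hypothetical /statement.pdf resource.
DEFAULT_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                    "Content-Type: application/pdf\r\n"
                    "Content-Length: 40960\r\n")
# The post's mitigation: serve .pdf under a made-up type no plug-in claims.
REMAPPED_MIME_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                          "Content-Type: application/x-pdf-download\r\n"
                          "Content-Length: 40960\r\n")
# Same effect via Content-Disposition (my addition; not mentioned in the post).
ATTACHMENT_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                       "Content-Type: application/pdf\r\n"
                       'Content-Disposition: attachment; filename="statement.pdf"\r\n'
                       "Content-Length: 40960\r\n")
```

Run `audit()` against a captured response head from your own server to confirm the remap actually took effect after the config change.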
Quotes:
This is really sort of insane. Like you said, it's simple, but nasty. Now it's not really a question of 'where's the useful XSS vuln on target site?' it's more 'oh hey they've got a PDF file... now just how do I want to use this against them?'. This opens so many doors to exploitation, it's not really even funny... Drive-by credential theft is the one that comes to mind first...
--- comment at ha.ckers.org
NIST IT Security
( http://www.nist.org/comment.php?comment.news.196 )