[WEB SECURITY] PDF to JavaScript to XML to Exploit

Harwood, Deanne I Deanne.Harwood at dhs.gov
Wed Jun 22 09:39:58 EDT 2005


PDFs use JavaScript a lot.  It is mainly used for running the PDF forms.  I
used it a lot in my last project. This is not good. Does Adobe know about
this, I hope?

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com] 
Sent: Tuesday, June 21, 2005 8:29 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] PDF to JavaScript to XML to Exploit

Normally we don't advertise vulnerability advisories on this list,  
but I found this one particularly interesting. Especially since it  
took advantage of JavaScript and XML Entities as a vector of attack.

Sverre Huseby (thathost.com) found that the new Adobe Acrobat Reader
(v7.0) had supported implementations of JavaScript and XML. An attack
can be accomplished by having JavaScript execute at PDF document
run-time to create an XML Object. The XML Object then makes use of an
embedded XML Entity. The XML entity is then able to read in local
files (per the XML spec), including /etc/password. I've tested this
effectively on my OS X machine and the results were frankly spooky.
As soon as I loaded the specially crafted PDF document, it was all
over. I guess this means XSS can happen from inside a PDF. Great.

Of the many questions one may ask, my first was, "Why do PDFs need
JavaScript!?"


News Article:
http://www.vnunet.com/vnunet/news/2138435/adobe-flaw-xml


Adobe Advisory:
http://www.adobe.com/support/techdocs/331710.html




Regards,

Jeremiah-

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
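
Added example, not part of the thread and not Adobe's or the advisory's code: a defender-side check that refuses untrusted XML carrying a DOCTYPE or entity declarations before it reaches any parser, which is the construct the quoted message describes. The function name, field names and sample documents are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Names are hypothetical.
// Assumes the XML has already been decoded to a JavaScript string.
// Policy is fail-closed: any DOCTYPE at all means the document is refused,
// and entity declarations are classified only to explain the refusal.

const DOCTYPE_RE = /<!DOCTYPE\b/i;
const EXTERNAL_DTD_RE = /<!DOCTYPE\s+[^\s\[>]+\s+(SYSTEM|PUBLIC)\b/i;
const ENTITY_RE = /<!ENTITY\s+(%\s+)?([^\s"'>]+)\s+(?:(SYSTEM|PUBLIC)\b)?/gi;

function screenXml(xml) {
  const findings = [];
  if (DOCTYPE_RE.test(xml)) findings.push({ kind: "doctype" });
  if (EXTERNAL_DTD_RE.test(xml)) findings.push({ kind: "external-dtd" });
  for (const m of xml.matchAll(ENTITY_RE)) {
    findings.push({
      kind: m[3] ? "external-entity" : "internal-entity",
      name: m[2],
      parameter: Boolean(m[1]), // true for "%" parameter entities
    });
  }
  return { allowed: findings.length === 0, findings };
}

// Constructed sample inputs (not taken from the advisory).
const PLAIN_FORM = '<?xml version="1.0"?><form><field name="city">Oslo</field></form>';
const ENTITY_FORM = [
  '<?xml version="1.0"?>',
  '<!DOCTYPE form [',
  '  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/local/file">',
  ']>',
  '<form><field name="city">&leak;</field></form>',
].join("\n");
const REMOTE_DTD = '<!DOCTYPE form SYSTEM "http://example.invalid/form.dtd"><form/>';

for (const [label, xml] of [["plain", PLAIN_FORM], ["entity", ENTITY_FORM], ["remote-dtd", REMOTE_DTD]]) {
  console.log(label, JSON.stringify(screenXml(xml)));
}
```

The check works on raw text and does not strip comments or CDATA first, so it can refuse a harmless document that merely mentions a DOCTYPE; that is the intended trade-off for input that should never need one.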
