

A Firefox PDF plugin XSS vulnerability

January 3, 2007

This article was contributed by Jake Edge.

A particularly nasty cross-site scripting (XSS) vulnerability has surfaced that affects Firefox users who have installed the Adobe Reader (Acrobat/PDF) plugin. Proof of concept exploits have been published on Bugtraq as well as on several blogs. Adobe has fixed the problem in Acrobat version 8, which is only available for Windows; there is no word yet on a fix for the Linux plugin (which is based on Acrobat version 7).

The technique was first disclosed last week at the 23rd Chaos Communication Congress by Stefano Di Paola and Giorgio Fedon in their Subverting AJAX presentation. Sven Vetsch discovered another wrinkle and publicized it on his blog. The crux of the vulnerability is a link with a URL of the following form:

The host and path to file are legitimate URL paths to a PDF file that is hosted somewhere on the net, quite possibly at a site that is trusted by the user. The attacker need not have any access to the PDF file, but can have his code executed while appearing to be a simple download from the affected site. It is the ability to turn any PDF hosted on any site into an XSS attack that makes this vulnerability so insidious.

The vulnerability exploits a feature of the Adobe plugin that is not shared with other mechanisms for viewing PDFs from the web (including using the acroread external program that is also supplied by Adobe). Arguments can be passed to the plugin via the information after the '#' and can be used to specify a specific page or search string in the PDF. It can also be used to populate PDF forms using '#FDF=URL' arguments and the information for the forms is retrieved from the URL. Evidently Adobe does not check for FDF or two other similar argument types (which is why 'anystring=' works) and blindly asks the browser to fetch the URL specified. If the URL is javascript code as described above, the plugin does not detect that case and in effect forces the browser to execute it.

Any site hosting a PDF file is vulnerable and there is little that the site can do; there is no indication that the request is anything out of the ordinary because the string after the '#' is not passed as part of the request. Concerned sites could stop hosting PDF files, but that seems rather unlikely. Other server-side solutions are being discussed as there is a concern that users are unlikely to upgrade their browser plugins. Hosting sites would much rather that they be in control of whether their PDF files can appear in links with malicious content. Most XSS problems can be handled by proper server side filtering of user supplied content, but this particular vulnerability is different.
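Because the part of the URL after the '#' never reaches the server, the only place a check can run is on the client side. The following is an added example, not code from the article or from Adobe: it parses the fragment arguments of a link to a PDF in the way the article describes (name=value pairs, any name accepted) and flags a link whose argument value is a URL with a non-http(s) scheme. It assumes a PDF link can be recognised by its path extension and that the caller (a link-checking proxy or browser extension, both assumed) decides what to do with the verdict.

```javascript
// Added example (not from the LWN article). Classifies a link to a PDF file
// by the arguments in its URL fragment. The Adobe plugin interprets
// "name=value" pairs after '#' (page=, search=, FDF=URL, ...) and, per the
// article, fetches whatever URL it finds there without checking the name or
// the scheme. A javascript: value therefore runs in the hosting site's origin.

const SAFE_SCHEMES = new Set(["http", "https"]);

// Returns null if the link is not a PDF, otherwise a list of [name, value].
// PDF detection by ".pdf" path extension is an assumption of this example.
function fragmentArgs(url) {
  const u = new URL(url);
  if (!u.pathname.toLowerCase().endsWith(".pdf")) return null;
  const frag = u.hash.startsWith("#") ? u.hash.slice(1) : u.hash;
  if (frag === "") return [];
  return frag.split("&").map((pair) => {
    const i = pair.indexOf("=");
    const name = i < 0 ? pair : pair.slice(0, i);
    let value = i < 0 ? "" : pair.slice(i + 1);
    try {
      value = decodeURIComponent(value); // undo %XX encoding before inspecting
    } catch (e) {
      // malformed percent-encoding: keep the raw value, it is still inspected
    }
    return [name, value];
  });
}

// Verdicts: "not-pdf", "ok", or "suspicious".
function classifyPdfLink(url) {
  const args = fragmentArgs(url);
  if (args === null) return "not-pdf";
  for (const [, value] of args) {
    // Strip whitespace and control characters so that obfuscated spellings
    // of the scheme ("java script:", "java\nscript:") are still recognised.
    const cleaned = value.replace(/[\s\u0000-\u001f]/g, "");
    const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
    if (m && !SAFE_SCHEMES.has(m[1].toLowerCase())) return "suspicious";
  }
  return "ok";
}

module.exports = { fragmentArgs, classifyPdfLink };
```

Links whose arguments point at http(s) URLs (the legitimate FDF use) are reported as "ok"; the example does not try to judge whether that remote FDF is trustworthy.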

So far there are no reports of other PDF plugins that follow Adobe's lead in retrieving URLs that appear in links to PDF files. In this author's experience, PDF viewing utilities are separate programs that get invoked by the browser after it downloads a PDF file. For xpdf and kpdf (and presumably others), this works just fine but Adobe chose to provide a means of more closely integrating PDF viewing into the browser. Unfortunately, the fact that this plugin is closed source implies that users, especially Linux users, must wait for Adobe to fix the problem. We cannot fix it ourselves.

One could certainly imagine a similar mistake being made by one of the other PDF viewer development teams; Adobe is hardly alone in making bad choices in developing software. However, the fix for an open source PDF viewer would likely be available within hours of the report. Adobe was notified about this problem on 15 October according to the advisory, but there is still no fix for Linux. Disabling the plugin would seem to be prudent.

Fixing the affected software is just the start of the task of fixing the overall problem. As mentioned above, users are not particularly good at picking up security fixes even when they know about them. Getting the message out on this particular problem is a big hurdle. The alternative is to educate users so that they can recognize maliciously crafted links to PDFs and that is almost certainly a harder task.

The potential for a widespread outbreak exploiting this vulnerability is fairly high and this will probably not be the last we will hear about it. It certainly has the possibility of damaging the reputation of PDF amongst even casual web users, and that is probably keeping some folks at Adobe awake at night.


New vulnerabilities

cacti: multiple vulnerabilities

Package(s):cacti CVE #(s):CVE-2006-6799
Created:January 1, 2007 Updated:January 26, 2007
Description: The network monitoring and graphing frontend Cacti has three vulnerabilities. The cmd.php script allows command line usage and is also installed in a web-accessible location. The cmd.php input is insufficiently sanitized: a passed-in URL can be used to inject arbitrary SQL code. The cmd.php script can also be used by a remote attacker to execute arbitrary shell commands via improperly sanitized results from SQL queries.
Gentoo 200701-23 cacti 2007-01-26
Debian DSA-1250-1 cacti 2007-01-17
Mandriva MDKSA-2007:015 cacti 2007-01-15
SuSE SUSE-SA:2007:007 cacti 2007-01-12
OpenPKG OpenPKG-SA-2007.001 cacti 2007-01-01


denyhosts: denial of service

Package(s):denyhosts CVE #(s):CVE-2006-6301
Created:January 3, 2007 Updated:January 3, 2007
Description: A botched regular expression allows a remote attacker to add arbitrary hosts to the denyhosts blacklist, causing those hosts to be unable to make ssh connections to the target system.
Gentoo 200701-01 denyhosts 2007-01-03


elog: multiple vulnerabilities

Package(s):elog CVE #(s):CVE-2006-5063 CVE-2006-5790 CVE-2006-5791 CVE-2006-6318
Created:December 28, 2006 Updated:January 3, 2007
Description: elog, a web-based electronic logbook, has multiple vulnerabilities that may lead to arbitrary code execution. Log entry editing in HTML has a cross-site scripting vulnerability. A number of format string vulnerabilities may be used for the execution of arbitrary code. There are cross-site scripting vulnerabilities related to the creation of new logbook entries. There is insufficient error handling in the config file parsing that may be used for a denial of service attack.
Debian DSA-1242-1 elog 2006-12-27


mono: source disclosure attack

Package(s):mono CVE #(s):CVE-2006-6104
Created:December 21, 2006 Updated:January 17, 2007
Description: The Mono ASP.NET server XSP has a source disclosure vulnerability. A malicious user can use this to acquire the source code of a server-side application.
Gentoo 200701-12 mono 2007-01-16
Fedora FEDORA-2007-067 mono 2007-01-12
Fedora FEDORA-2007-068 mono 2007-01-12
SuSE SUSE-SA:2007:002 mono-web 2007-01-04
Ubuntu USN-397-1 mono 2006-12-20
Mandriva MDKSA-2006:234 mono 2006-12-20


openser: buffer overflow

Package(s):openser CVE #(s):
Created:December 26, 2006 Updated:January 3, 2007
Description: A buffer overflow was discovered in the "parse_expression" function of the "permissions" module of the SIP router OpenSER, versions up to and including 1.1.0. The OpenSER "permissions" module is used to determine whether a SIP call has appropriate permission to be established. The "parse_expression" function is used during parsing of the module's local allow/deny configuration files.
OpenPKG OpenPKG-SA-2006.042 openser 2006-12-26


w3m: denial of service

Package(s):w3m CVE #(s):
Created:December 28, 2006 Updated:January 15, 2007
Description: The W3M textual web browser has a format string vulnerability. If the run-time options -dump or -backend are used, W3M can be made to crash if certain escape sequences occur in the Common Name of a web site X.509 certificate.
Fedora FEDORA-2007-077 w3m 2007-01-15
Fedora FEDORA-2007-078 w3m 2007-01-15
Gentoo 200701-06 w3m 2007-01-12
SuSE SUSE-SA:2007:005 w3m 2007-01-10
Ubuntu USN-399-1 w3m 2007-01-03
OpenPKG OpenPKG-SA-2006.044 w3m 2006-12-28


Page editor: Jonathan Corbet

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds