Internet Explorer Universal XSS
We read a nice analysis of Internet Explorer Universal XSS which was disclosed on Full Disclosure last week.
It is quite simple to exploit and the code speaks for itself. A few notes:
- Microsoft will release a fix.
- There is also another PoC which doesn't require user interaction.
- The only mitigation is sending X-Frame-Options (XFO) headers with every file, which is not really feasible.
- It is claimed that this is a regression of CVE-2014-0293, about which we couldn't find any information.
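The XFO mitigation mentioned above, as an added example that is not part of the original post: a Python audit that lists responses lacking a safe X-Frame-Options value, plus a small WSGI middleware that stamps the header on every response, static files included, which is the part that is hard to do by hand when many handlers serve content. The function names, the demo app and the sample crawl result are constructed for this example.

```python
"""Added example: audit HTTP responses for X-Frame-Options and a WSGI
middleware that adds the header to every response. Not part of the
original post; the sample responses below are constructed."""

# Values treated as safe. ALLOW-FROM is browser-specific and deprecated,
# so it is deliberately not listed.
SAFE_XFO = {"DENY", "SAMEORIGIN"}


def find_frameable_responses(responses):
    """Return the paths whose response lacks a safe X-Frame-Options header.

    `responses` is an iterable of (path, headers) pairs; header names are
    normalised to lower case so mixed-case servers are handled."""
    weak = []
    for path, headers in responses:
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("x-frame-options", "").strip().upper()
        if value not in SAFE_XFO:
            weak.append(path)
    return weak


def xfo_middleware(app, value="SAMEORIGIN"):
    """Wrap a WSGI app so every response carries X-Frame-Options.

    An explicit header set by the app wins; otherwise `value` is added."""
    def wrapped(environ, start_response):
        def start_response_with_xfo(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            if "x-frame-options" not in names:
                headers = list(headers) + [("X-Frame-Options", value)]
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_xfo)
    return wrapped


def demo_app(environ, start_response):
    """Minimal WSGI app (constructed) that sets no framing header itself."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>hello</body></html>"]


def call_app(app, path="/"):
    """Drive a WSGI app once and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed sample crawl result: three paths, only one of them protected.
SAMPLE_RESPONSES = [
    ("/", {"Content-Type": "text/html", "X-Frame-Options": "DENY"}),
    ("/login", {"Content-Type": "text/html"}),
    ("/static/app.js", {"Content-Type": "application/javascript",
                        "x-frame-options": "ALLOWALL"}),
]

if __name__ == "__main__":
    print("frameable:", find_frameable_responses(SAMPLE_RESPONSES))
    status, headers, body = call_app(xfo_middleware(demo_app))
    print(status, headers)
```

Running the audit against a real crawl is the quickest way to find the handlers (static file servers, error pages, download endpoints) that the middleware approach is meant to cover.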
Cross Domain Data Theft Via Adobe Reader
It's been in the wild for a long time, so you might have heard about this already, but we wanted to cover it here in case you missed it. We all know that hosting user-generated content on your actual domain isn't the best idea, but thanks to Adobe Reader, there is more!
If you allow user-uploaded PDF files to be viewed through your website, they can be used to steal content and post it to another domain.
PDF supports a scripting language called FormCalc. That language has some really interesting functions, PUT among them; as you can guess, they make cookie-carrying HTTP requests to the origin that hosts the file. You can read about them in detail in the original documentation.
Here is the PoC in FormCalc:
var content = GET("myfriends.php");
- Create a PDF file containing the desired attack plan, which probably tries to extract sensitive information.
- Upload that file to the target website.
- Find its URL.
- Send its URL to the victim and hope she clicks.
- Go get some sleep until you hear from the victim.
- We tested this with IE + Adobe Reader 11, and it worked without any issues.
- You need a liberal crossdomain.xml on your domain at attacker.com to enable cross-domain posting. We found one for you and put it here.
- Even if you don't want to exfiltrate any data, or exfiltration is prevented in the future, you can still do CSRF with this: you can read the response, extract tokens and hit the targeted functionality!
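For the site hosting the uploads, the defensive side of the above, as an added example that is not from the original post: a heuristic scanner that flags uploaded PDFs carrying an XFA form with a FormCalc script (the combination the PoC needs), and the response headers that make the browser save an upload instead of handing it to the Reader plugin inline. The function names and the two sample PDFs are constructed; the `/XFA` key and the `contentType="application/x-formcalc"` attribute are the real markers such files expose, but a hostile file can use encodings the scanner does not unpack, so a clean result means "nothing found", not "safe". Pair the headers with hosting uploads on a separate origin that holds no session cookies.

```python
"""Added example (not from the original post): two defensive controls for
user-uploaded PDFs. (1) A heuristic scanner that flags an XFA form with a
FormCalc script. (2) Headers for serving an upload as a download rather
than inline. The sample PDF bytes are constructed."""
import re
import zlib

# /XFA keys the XFA packet inside the AcroForm dictionary; the contentType
# attribute of an XFA <script> element names the scripting language.
XFA_KEY = re.compile(rb"/XFA\b")
FORMCALC_SCRIPT = re.compile(
    rb'contentType\s*=\s*"application/x-formcalc"', re.IGNORECASE)
FLATE_STREAM = re.compile(
    rb"/FlateDecode.*?stream\r?\n(.*?)\nendstream", re.DOTALL)


def _views(data):
    """Yield the raw bytes, then the inflated body of each Flate stream.

    Heuristic only: object streams and other filters are not handled, so a
    'clean' result is 'nothing found', not 'safe'."""
    yield data
    for m in FLATE_STREAM.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not a plain Flate body; skip rather than guess


def pdf_has_formcalc(data):
    """True if the PDF appears to carry an XFA form with a FormCalc script."""
    has_xfa = any(XFA_KEY.search(v) for v in _views(data))
    has_script = any(FORMCALC_SCRIPT.search(v) for v in _views(data))
    return has_xfa and has_script


def download_only_headers(filename):
    """Headers that make the browser save the file instead of rendering it
    inline; the filename is reduced to a safe character set first."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: a plain PDF, and one whose XFA packet (Flate
# compressed, as real writers do) declares a FormCalc script.
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
_XFA_PACKET = (b'<xdp:xdp><script contentType="application/x-formcalc">'
               b'var content = GET("x")</script></xdp:xdp>')
_COMPRESSED = zlib.compress(_XFA_PACKET)
XFA_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /AcroForm << /XFA 2 0 R >> >> endobj\n"
    b"2 0 obj << /Length " + str(len(_COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _COMPRESSED
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print("plain:", pdf_has_formcalc(PLAIN_PDF))
    print("xfa:", pdf_has_formcalc(XFA_PDF))
    print(download_only_headers("my report.pdf"))
```

Treat a positive scan as a reason to quarantine or reject the upload, and treat the headers as the baseline for every user-supplied file, not just PDFs: the Reader plugin only gets involved when the browser is allowed to render the document inline.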