web application security lab

Universal XSS in PDFs

This is what happens when I read too fast. I almost completely dismissed a recent writeup by Stefano Di Paola and Giorgio Fedon (thanks to pdp for doing a more thorough writeup). But it’s true: PDF is vulnerable to XSS injection regardless of whether you control the PDF itself. Which means any website that has a PDF on it is now vulnerable to XSS injection.

The trick is simple: http://path/to/pdf/file.pdf#blah=javascript:alert("XSS");

Yup, like I said, simple. This is a really nasty issue, as any automatic redirection, or getting anyone to click on a link, can now compromise that website for any visitor who has Adobe’s PDF reader installed (which practically everyone does). This is one of the worst issues I’ve seen in a while, as almost every major website has PDFs on it (investor relations, white papers, sales sheets, etc…). You might want to remove your PDFs for the time being, protect them, or at minimum host them on a domain you don’t care about.

28 Responses to “Universal XSS in PDFs”

  1. alf Says:

    omfg… my mouth is still open oO
    great find @ the guys from 23c3, i’ll be there next year, too

  2. RSnake Says:

    pdp’s example is now down, but here’s another one in Google:

    http://www.google.com/appliance/pdf/google_gsa_datasheet.pdf#blah=javascript:alert("XSS");

  3. RSnake Says:

    Various reports on compatibility

    Works on:

    Firefox 2.0.0.1 win32
    Firefox 1.5.0.8 win32
    Opera 8.5.4 build 770 win32
    Opera 9.10.8679 win32

    Does not work on IE7.0 win32

  4. mat Says:

    i cannot get this to work on any site with the latest firefox and flock browser

  5. mgroves Says:

    If you are using RSnake’s example URL, make sure to change ”XSS” to “XSS”

  6. adam Says:

    that google link didn’t work for me. sounds pretty crazy though

  7. mbrisby Says:

    Looks like attaching a "Content-Disposition: attachment" HTTP header to PDF files helps. That keeps the PDF file from opening in the reader plugin. I have the following directive in a '<FilesMatch "\.(ppt|xls|doc|pdf)$">' container (apache):

    Header append Content-disposition 'Attachment'
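
Added example (not code from the post or from any commenter): the fragment after "#" in the attack URL is stripped by the browser before the request is sent, so access logs, URL rewriting and request-side filters never see the payload; the only server-side control is the one comment 7 describes (and comment 23's variant of not advertising the file as application/pdf), namely keeping the PDF from being handed to the in-browser reader at all. The helpers below show what the server actually receives for such a URL, audit a response's headers for that control, apply it, and check a filename against the FilesMatch pattern from comment 7, which is case-sensitive PCRE by default and therefore misses names such as REPORT.PDF. All function names, the example.com URL and the sample headers are constructed for this example.

```python
"""Audit and harden the way PDFs are served (added example, not the post's code).

Assumed/constructed: every function name, the example.com sample URL and the
header dictionaries. The FilesMatch pattern is the one quoted in comment 7.
"""
import re
from urllib.parse import urlsplit


def server_visible_request(url: str) -> str:
    """Return the path and query a server actually receives for `url`.

    The fragment (everything after '#') is dropped, exactly as a browser drops
    it before sending the request; a server-side filter never sees it.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def _disposition_type(value: str) -> str:
    """Disposition type ('inline', 'attachment', ...) without its parameters."""
    return value.split(";", 1)[0].strip().lower()


def audit_pdf_response(headers: dict) -> list:
    """Return findings for one response's headers; [] means the browser will
    offer the file for download instead of passing it to the PDF plugin.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype != "application/pdf":
        # Not advertised as a PDF: the reader plugin is not selected for it
        # (the approach suggested in comment 23).
        return findings
    disposition = h.get("content-disposition")
    if disposition is None:
        findings.append("application/pdf served without Content-Disposition: "
                        "the browser renders it inline in the reader plugin")
    elif _disposition_type(disposition) != "attachment":
        findings.append("Content-Disposition is %r, not attachment: the reader "
                        "plugin still renders the file"
                        % _disposition_type(disposition))
    return findings


def harden_pdf_headers(headers: dict, filename: str) -> dict:
    """Return a copy of `headers` that forces a download prompt for the PDF."""
    hardened = {k: v for k, v in headers.items()
                if k.lower() != "content-disposition"}
    # Drop characters that would break or split the header value.
    safe_name = re.sub(r'[\\"\r\n]', "", filename)
    hardened["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
    return hardened


# Pattern from the Apache <FilesMatch> container quoted in comment 7.
APACHE_FILESMATCH = r"\.(ppt|xls|doc|pdf)$"


def filesmatch_covers(filename: str, pattern: str = APACHE_FILESMATCH) -> bool:
    """Hypothetical check of a filename against a FilesMatch pattern.

    Apache applies the pattern as case-sensitive PCRE unless it starts with
    (?i), so REPORT.PDF is not covered by the pattern above as written.
    """
    return re.search(pattern, filename) is not None


if __name__ == "__main__":
    # Constructed sample: the URL shape from the post, payload in the fragment.
    url = "http://www.example.com/docs/datasheet.pdf#blah=javascript:alert(1)"
    print("server sees:", server_visible_request(url))
    weak = {"Content-Type": "application/pdf"}
    print("findings:", audit_pdf_response(weak))
    fixed = harden_pdf_headers(weak, "datasheet.pdf")
    print("after hardening:", audit_pdf_response(fixed))
    print("REPORT.PDF covered:", filesmatch_covers("REPORT.PDF"))
```

Because the payload lives only in the fragment, there is nothing to detect on the request side; the check worth automating is the response-side one (fetch each PDF URL you publish and run its headers through the audit). Note also that a FilesMatch container only applies to files Apache serves from disk, so PDFs generated by a script need the header set in that script.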

  8. unsticky Says:

    This is really sort of insane. Like you said, it’s simple, but nasty. Now it’s not really a question of ‘where’s the useful XSS vuln on target site?’; it’s more ‘oh hey they’ve got a PDF file… now just how do I want to use this against them?’. This opens so many doors to exploitation, it’s not really even funny… Drive-by credential theft is the one that comes to mind first…

  9. Andrew van der Stock Says:

    Does not work with:

    Intel

    Safari 2.0.4 with Apple Preview (default MacOS X config)
    Firefox 2.0.1 with Apple Preview (default if no AR installed)

    I will try with Adobe Reader 7.0.8 and 8.0 later.

    Andrew

  10. RSnake Says:

    adam, which browser/acrobat version(s) are you using?

  11. maluc Says:

    wow.. just wow.

    that’s ridiculous. i’m quite stunned .. and quite excited ^^;

    and really, how often do people update their adobe reader - this one’ll be around for quite a while. and it makes me glad i use foxit reader instead of adobe

  12. Andrew van der Stock Says:

    Does not work on MacOS X (Intel) with:

    Safari 2.0.4 with Adobe Reader 7.0.8 (PPC binary)
    Firefox 2.0.1 (does not integrate with AR 7.0.8 by default, not vulnerable)

    We’ve also had difficulty replicating this finding with IE 6.0 from XP SP2 and AR 7.0.8 on Win32.

    It’s looking less and less likely to be a “universal” exploit.

    Andrew

  13. ChrisP Says:

    Wow - that makes about 7 million vulnerable points of entry just for dot coms. Nice indeed!

    Results 1 - 10 of about 7,040,000 from *.com for filetype:pdf. (0.13 seconds)

    I tried a few, some work and others fail.

    Any details as to _why_ this actually works?

  14. RSnake Says:

    Thanks mgroves, I changed my link to use quotes instead of those weird fake quotes wordpress inserts.

  15. mathijs Says:

    Doesn’t work for me on FF2 on mac.

    But it is one scary attack vector..

  16. unsticky Says:

    I think I may have found another issue in the adobe plug-in, while I was playing around with this. It seems, at least on my box, if you have an iframe pointing to a PDF file with an onLoad event, the adobe plugin will crash, displaying a message about how it’s performed an illegal action, such as jaywalking. When you click OK, firefox hangs. This is on FF 1.5.0.9 on WinXP Home SP2

  17. chlog.net » PDF files attackable via XSS Says:

    […] As reported on ha.ckers.org web application security lab and GNUCITIZEN, PDF files are vulnerable to XSS injection if you have control over the PDF file. So every website that contains PDF files is vulnerable. It is (unfortunately) very simple: http://pfad/zur/pdf/date.pdf#blah=javascript:alert("XSS"); […]

  18. unsticky Says:

    I definitely think I found something, but I want to play with it a bit more and find a surefire way to cause the crash, before I go out rambling about how to do it, so sort of ignore my previous post, ’cause the crash doesn’t seem quite as simple as that.

  19. unsticky Says:

    Another post! Finished my little PoC drive-by credential theft script. Grabs your google.com cookie and displays it on the second page, source for both parts is available on the display page. http://newbert.org/pdf.htm is the link, if you’re interested.

  20. yawnmoth Says:

    In the off chance that anyone is curious, here’s an example of a URL where the # effect is intentional:

    http://www.google.com/appliance/pdf/google_gsa_datasheet.pdf#search=google

    Not sure what else can be done with #’s…

  21. dusoft Says:

    does not work in firefox 2.01 (linux)

  22. adam Says:

    nah it does work i was just being a bit special ;)

  23. zeno Says:

    Changing the mime type to something nonexistent should be the best solution for a site to perform (since users will never patch). Default behavior for unknown mimetypes is prompt to download.

    - zeno
    http://www.cgisecurity.com

  24. Secure2S » Site Archive » XSS vulnerability in displaying PDF files Says:

    […] Firefox->Tools->Options->Content->Manage->change PDF action to “Save to disk”. For more information on this you can refer to the post Adobe Acrobat JavaScript Execution Bug is a Huge Security Issue. The original discussion on the webappsec list is still ongoing. See Universal XSS with PDF files: highly dangerous for the various opinions on this. GNUCITIZEN’s post on this | ha.ckers’ post on PDF XSS […]

  25. IR Web Report Blog » PDF flaw has security experts agog Says:

    […] One blogger on the ha.ckers.org site wrote: “This is one of the worst issues I’ve seen in a while, as almost every major website has PDFs on it (investor relations, white papers, sales sheets, etc…). You might want to remove your PDFs for the time being, protect them or at minimum host them on a domain you don’t care about.” […]

  26. John Dowdell Says:

    Sorry for the delay, but the Adobe Security Advisory is up on this, with best info:
    http://www.adobe.com/support/security/advisories/apsa07-01.html

    tx, jd/adobe

  27. rdivilbiss Says:

    All due respect…but there are plenty of other issues with Acrobat reader besides this security issue.

    I’ll stick with something not so bloated and which doesn’t phone home.

    http://listproc.ucdavis.edu/archives/linux/log0504/0004.html

    http://lwn.net/Articles/129729/

  28. RSnake Says:

    Yes, but compared to compromising your machine, I think the phone home features are barely worth talking about, unless you are talking about how that correlates to CSRF - which is pretty bad.