PDF XSS vulnerability announced at CCC
A new cross-site scripting attack was announced at the 23rd CCC by Stefano Di Paola & Giorgio Fedon:
http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html
The gist of the attack is that you are able to get javascript executed by simple having it appended to the PDF's URL.
This is an example (from GNU Citizen): (line breaks added for aesthetic value)
www.google.com/librariancenter/downloads/Tips_Tricks_85×11.pdf#something \
=javascript:function createXMLHttpRequest(){ try{ return new \
ActiveXObject('Msxml2.XMLHTTP'); }catch(e){} try{ return new \
ActiveXObject('Microsoft.XMLHTTP'); }catch(e){} try{ return new \
XMLHttpRequest(); }catch(e){} return null;}var xhr = createXMLHttpRequest(); \
xhr.onreadystatechange = function(){ if (xhr.readyState == 4) \
alert(xhr.responseText);};xhr.open('GET', 'http://www.google.com', true)\
;xhr.send(null);
http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html
The gist of the attack is that you are able to get javascript executed by simple having it appended to the PDF's URL.
This is an example (from GNU Citizen): (line breaks added for aesthetic value)
www.google.com/librariancenter/downloads/Tips_Tricks_85×11.pdf#something \
=javascript:function createXMLHttpRequest(){ try{ return new \
ActiveXObject('Msxml2.XMLHTTP'); }catch(e){} try{ return new \
ActiveXObject('Microsoft.XMLHTTP'); }catch(e){} try{ return new \
XMLHttpRequest(); }catch(e){} return null;}var xhr = createXMLHttpRequest(); \
xhr.onreadystatechange = function(){ if (xhr.readyState == 4) \
alert(xhr.responseText);};xhr.open('GET', 'http://www.google.com', true)\
;xhr.send(null);
This doesn't require the ability to write the PDF, just the ability to generate a URL that is based on a
PDF hosted on some site.
There are a number of good explanations on this. I liked this one:
http://www.disenchant.ch/blog/hacking-with-browser-plugins/34
The original paper talks about more than this specific flaw and is certainly worth reading as well.
Mitigation: Turning off javascript seems effective at mitigating this. Militant use of the NoScript extension for
Firefox would be my recommendation. Of course you have to turn off javascript for _everything_ (specifically the target domains, not the website setting up the attack. in the Disenchant examples you would have to disable scripting for Google, MySpace, Microsoft, Ebay and BofA) but....
Update: Thanks to those of you who pointed out that this appears to fail/is fixed in Adobe Acrobat/Reader 8:
http://www.adobe.com/products/acrobat/readstep2.html
Keywords:
0 comment(s)
Symantec attack uptick reported
Thanks to Mike who sent us the following note about what he's seen on his network. Anyone else seeing similar movement?
The Symantec AV attacks have picked up over the last day or so, as systems that were probably turned off over the holidays are turned on and infected by the worm. Almost all of the attacks we saw just before Christmas were from other .edus; now we are seeing more attacks from systems in countries other than the US. About 70% of the 186 systems that tried attacking us today were outside the US. Brazil and Taiwan take top honors for most attacking hosts.
The Symantec AV attacks have picked up over the last day or so, as systems that were probably turned off over the holidays are turned on and infected by the worm. Almost all of the attacks we saw just before Christmas were from other .edus; now we are seeing more attacks from systems in countries other than the US. About 70% of the 186 systems that tried attacking us today were outside the US. Brazil and Taiwan take top honors for most attacking hosts.
Keywords:
0 comment(s)
Apple QuickTime RTSP URL Handler Vulnerability
 The Month of the Apple bugs seems to have started. The first bug is in the handling of RTSP URL's within Quicktime, leading to arbitrary code execution on both Windows and Mac OS. You can find the advisory here:
http://projects.info-pull.com/moab/MOAB-01-01-2007.html. The MOAB blog states that you should disable the rtsp:// URL handler, however I have not determined how this is done.
Update 1:
Robert helped me find something I was missing. Guess I am just blind today or was just paying a little too much attention to the bowl games. To disable RTSP URLs in QuickTime, open the QuickTime control panel. Then, select the File Types tab. Expand the Streaming category and make sure the RTSP stream descriptor is unchecked. Here is a screen capture of this from my Windows based computer. I assume MacOS X computers have a similar control panel.  I recommend that you make sure that this is unchecked.Â
Keywords:
0 comment(s)
VLC Media Player udp URL handler Format String Vulnerability
Welcome Fans to Day Two of the Month of Apple Bugs!
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
Today's contestants are: the MOAB team and VLC Media Player.
We have a special treat for you today as the vulnerability announced on this lovely Winter morning (okay, it hasn't stopped raining yet today and it was almost dark at 2:30pm and technically it's evening but...) impacts the VLC Media Player on both OSX and Windows.
MOAB team, the reigning champion after their highly noted win against Apple Quicktime yesterday by stack overflow had this to say about their opponent-
"A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC."
After a short bout MOAB was declared winner again by delivery of PoC for both x86 and PPC.
This contender has certainly come out strong but we'll see how they hold up as the month continues. That's all till next time sports fans.
0 comment(s)
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
Today's contestants are: the MOAB team and VLC Media Player.
We have a special treat for you today as the vulnerability announced on this lovely Winter morning (okay, it hasn't stopped raining yet today and it was almost dark at 2:30pm and technically it's evening but...) impacts the VLC Media Player on both OSX and Windows.
MOAB team, the reigning champion after their highly noted win against Apple Quicktime yesterday by stack overflow had this to say about their opponent-
"A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC."
After a short bout MOAB was declared winner again by delivery of PoC for both x86 and PPC.
This contender has certainly come out strong but we'll see how they hold up as the month continues. That's all till next time sports fans.
×
![modal content]()
Diary Archives
Comments
www
Nov 17th 2022
4 months ago
EEW
Nov 17th 2022
4 months ago
qwq
Nov 17th 2022
4 months ago
mashood
Nov 17th 2022
4 months ago
isc.sans.edu
Nov 23rd 2022
3 months ago
isc.sans.edu
Nov 23rd 2022
3 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
isc.sans.edu
Dec 3rd 2022
3 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
2 months ago
isc.sans.edu
Dec 26th 2022
2 months ago