XSS/Phishing with PDF

There is currently a lot of chatter on the SecurityFocus mailing list about the PDF JavaScript vulnerability
disclosed by Stefano Di Paola and Giorgio Fedon last week at 23C3 in Berlin (original advisory). Because the
script runs in the origin of whatever site hosts the PDF, it makes new Ajax-style worms and XSS possible on
any site that serves a PDF. Adobe has put out a fix for Acrobat/Reader, but many people do not upgrade Acrobat Reader promptly.

Affected browser/reader combinations (others may exist):

  • IE6 + Acrobat Reader 7 + XP SP1
  • IE6 + Acrobat Reader 4 + XP SP2
  • Firefox 2
  • Firefox 1.5
  • Opera 8.5.4
  • Opera 9.10

In my opinion, it also opens a big phishing hole.
Google for PDFs on any banking site (for example with a query like site:abankingsite.com filetype:pdf)
and attach your fake banking site to the link, so that the user is asked, via a JavaScript confirm dialogue, to log in before reading the document.
In Firefox 2 the dialogue states: ‘The page at http://www.abanksite.com says:’, because the script runs in the bank’s own origin. Depending on whether you click "OK" or "Cancel" you are redirected either to the fake login page or to the real banking site (but not to the article). Try this link (POC), which could be part of a phishing mail, in Firefox with Acrobat Reader 7: http://tinyurl.com/y6gklk (the tinyurl not only makes the link easier to send, it also hides the payload that sits in the PDF link). The attack abuses the bank’s trusted URL to redirect the victim to a fake login page.

A possible server-side fix is to force PDFs to be downloaded rather than rendered in the browser, by serving them with a Content-Disposition: attachment header (or with a MIME type such as application/octet-stream, which the Acrobat plugin will not claim). On the client side, upgrade to Adobe Reader 8, always download PDFs instead of opening them in the browser, or use another PDF reader.

Read more at SecurityFocus (mailing-list thread) or at GNUCitizen here and in a follow-up here.
