Hacking with Browser Plugins

Because it’s very interesting, I’d like to show you how an XSS attack can be carried out against most web applications out there. The example I’ll present to you now is about the PDF plugin, and it should make you think about other browser plugins like the Flash Player as well.

The PDF plugin has many different features you can control via the URL, which Adobe calls “Open Parameters”.

Here you can see a few examples:

  • The “page” parameter opens a specific page of the PDF directly
  • The “zoom” parameter defines the zoom factor of the PDF
  • The “search” parameter searches for a specific word or word list

So now let’s get to the interesting part. Because of these nice features it’s possible to execute your own script by supplying a parameter of your own. It’s enough to access a PDF with a URL like the following:

http://[URL]/[FILENAME].pdf#something=javascript:alert(123);

As you can see, this executes JavaScript that pops up an alert message, but of course it could be anything.
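As an added defender-side example (not from the original post), the following Python mirrors the two countermeasures discussed on this page: an allowlist of supported Open Parameters, which according to the comments is what Reader 8 enforces when it blocks unsupported parameters, and serving PDFs so the browser downloads them instead of handing them to the plugin. The parameter names beyond page, zoom and search, the length cap and the header check are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Documented Acrobat "Open Parameters" the plugin accepts in the URL fragment.
# page, zoom and search are from the post; the others are assumed from Adobe's reference.
KNOWN_OPEN_PARAMS = {"page", "zoom", "search", "nameddest", "view", "pagemode",
                     "toolbar", "navpanes", "scrollbar", "statusbar"}
MAX_VALUE_LEN = 1024  # constructed cap; the comments report very long #search= values hanging the reader


def parse_open_params(fragment):
    """Split a fragment like 'page=3&zoom=50' into (name, value) pairs."""
    pairs = []
    for part in fragment.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def inspect_pdf_url(url):
    """Report fragment parameters a Reader-8-style allowlist would reject.

    Unknown parameter names are refused outright (the behaviour the comments
    describe for Reader 8), javascript: values are flagged regardless of name,
    and oversized values are flagged because of the hang reported in the comments.
    """
    findings = {"unknown": [], "script": [], "oversized": []}
    for name, value in parse_open_params(urlsplit(url).fragment):
        if name.lower() not in KNOWN_OPEN_PARAMS:
            findings["unknown"].append(name)
        if value.strip().lower().startswith("javascript:"):
            findings["script"].append(name)
        if len(value) > MAX_VALUE_LEN:
            findings["oversized"].append(name)
    findings["safe"] = not any(findings[k] for k in ("unknown", "script", "oversized"))
    return findings


def forces_download(headers):
    """True if a .pdf response would be saved to disk instead of handed to the plugin.

    A Content-Disposition of attachment, or a non-PDF Content-Type such as the
    Apache ForceType application/zip trick from the comments, keeps the plugin
    (and with it the fragment parsing) out of the picture.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    disposition = lowered.get("content-disposition", "").split(";")[0].strip().lower()
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    return disposition == "attachment" or (ctype != "" and ctype != "application/pdf")
```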

Now have fun with it, I already had mine ;)


Edit:

Credit goes to Stefano Di Paola and Giorgio Fedon.
Sorry that I forgot to copy and paste this part of the blog entry in here before :(


35 Comments to “Hacking with Browser Plugins”

  1. pdp

    that’s awesome… I can smell a new AJAX worm coming up

  2. Martin J.

    How about giving some credit? The vulnerability you are talking about was originally disclosed by Stefano Di Paola and Giorgio Fedon in their talk at the 23C3.

  3. Disenchant

    I’m so sorry about that, Martin. Of course I have to give some credit to Stefano Di Paola and Giorgio Fedon. It seems that I didn’t copy and paste it out of the document I wrote with the content of this entry :(
    As you see, I edited my blog entry. Next time I’ll be more careful and perhaps not write blog entries when I’m as tired as I was when I wrote this one.

  4. numb7rs

    Interesting though this is, it doesn’t seem to work when using Firefox 2.0.0.1 with Adobe Reader 8.0.0. I just get an error message from the Acrobat plug-in stating “This operation is not allowed”. Maybe Adobe were already aware of this hole and patched it in Adobe 8?

  5. Disenchant

    Hi numb7rs,
    you’re absolutely right. I tried it about two hours ago with exactly the same versions of Firefox and Adobe Reader on a Windows machine. There it seems no longer possible to do that kind of attack because they block every parameter which isn’t supported. I couldn’t test it before because I only had Linux machines around and there is AFAIK at the moment no version 8.0.0 for these.

    Something else which I found out during these tests:
    When I accessed something like http://URL/FILENAME.pdf#search=‘aaaaaaaaaaaaaaaaaaaaaaaaaaaa…’ (put an “a” there a few thousand times) with Firefox 2.0.0.1 and Adobe Reader 8.0.0, both applications no longer reacted. I haven’t had the time yet to take a closer look at it, but anyway it’s not as interesting as the PDF-XSS story :)

  6. Duncan

    It looks like it may be specific to Adobe too – Konqueror, using the KDE internal PDF support, doesn’t pop up the JS alert box.

  7. Stefano Di Paola

    Ok, yes,
    the last version of the Acroread plugin was patched, as we contacted them about three/four months ago.

    Giorgio and I were waiting until next week to send the advisory.
    We will send it asap to a public ML…
    Anyway, I was a bit concerned about this…
    just a mail to one of us to let us know about this posting would maybe have been kind.

  8. Stefano Di Paola

    ah… well… I forgot to say you are forgiven ;)

  9. ascii

    it’s great to blog about this since these are bleeding edge techniques, but it would be nice to give credit (it’s really bad for a researcher to see his work not credited). The problem was that there wasn’t a page on wisec.it describing the technique (which isn’t limited to UXSS) that was presented at CCC on the 29th, so people couldn’t link the original site.

    If this wasn’t so hot, no diplomatic accident would have occurred :) Anyway, thanks for the fix to the article!

  10. dheg

    IE 7 with Adobe 7 does not appear to have the vulnerability either. I get a Network Error – reload or close? message. I reload and the pdf comes up without the JavaScript executing.

  11. saso

    According to this page from the original author of this article from CCC, this is already fixed in Adobe Acrobat 8 (as far as we talk strictly about the PDF issue, since the original topic of the article is more wide/general, about AJAX/Web 2.0 attacks)

    http://www.wisec.it/vulns.php?page=9

  12. Disenchant

    Out there are still some people who don’t understand the impact of such stuff:
    http://secunia.com/advisories/23483/

    Why is something like this “Less critical”???

  13. Dodge

    Any way of doing a Google search to see how many links out there are already using this hack?

  14. Margi

    Wow, 3-4 months and things are still the same!

  15. aliane

    Hi, sorry, but it doesn’t work for me (no effects). I have IE7 (7.0.5700.7) with Adobe Acrobat 7.0 Professional version 7.0.0.

  16. Disenchant

    Hi aliane,
    as we’ve already seen, only the Firefox Adobe Reader Plugins (< 8.0) are affected.

  17. Swampy

    The vulnerability exists in both the IE and Firefox plugins on Reader 6

  18. TheHorse13

    This also does not work with IE7 with acrobat 7 plugin. It clips the java alert window.

  19. darron

    What about forcing the PDF to download? Kind of like this?

  20. benny

    might it help to deliver the PDF as application/zip or something else (to force the download)?
    e.g. (Apache)

    ForceType application/zip

  21. Scott

    Now I have yet another reason not to use the PDF plugin in Firefox.

    I’ve got Adobe Reader 8 set to view PDFs in the app and not in the browser.
    I’ve set Firefox to download PDFs and not to view them with the plugin.
    And on top of all that, I use the PDF Download extension ( https://addons.mozilla.org/en-US/firefox/addon/636 ).

    I could not reproduce the examples you’ve given here.

  22. Disenchant

    Hi Scott,
    yes it’s correct that it won’t work with Adobe Reader 8.0 because the issue was patched there :)

  23. Rajesh

    nice article… I really like your site…
    http://rajeshhackingarticles.blogspot.com
