"This find changed Web app expert Jeremiah Grossman's mind about the bug. Yesterday, Grossman, CTO of White Hat Security, had said the PDF XSS bug didn't really raise the XSS risk level overall. But in light of RSnake's finding, Grossman now considers this "really bad" and worries that it could be used as a payload for attacks much worse than XSS."
To clarify, I was thinking the issue didn't raise the risk level of XSS since just about every website is vulnerable anyway.
The industry is buzzing with chatter about the Universal XSS vulnerability in Adobe’s Acrobat Reader Plugin reported by Stefano Di Paola and Giorgio Fedon. The discovery is impressive, confusing, and scary on a number of levels. Had it been disclosed before January, it probably would have made our Top 10 Hacks of 2006. What a way to kick off the year.
Anyway, I’ve been reading the reports and the data conflicts all over the place. InfoSec people are having the same problem. They’re unsure about what this is or what they need to do about it. I’ll try to boil this down to the relevant points and see if I can help out.
Here’s how the attack works:
- Attacker locates a PDF file hosted on website.com
- Attacker appends a JavaScript payload to that URL in the fragment (the part after the #) and entices a victim to click on the link
- Everything XSS has been shown to be capable of, including Phishing w/ Superbait, Intranet Hacking, Web Worms, History Stealing, etc., is now available to the attacker, with the script running in the context of website.com.
- The vulnerability is very pervasive because it lowers the hackability bar from the target website needing to have an XSS issue to simply hosting a PDF.
- Normally XSS vulnerabilities are a problem in the server-side code; this one is on the client-side (the web browser and its plugin).
- The fragment portion of the URL, where the payload is stored, is NOT submitted to the web server. So the server can’t see it, can’t log it, and won’t be able to block it.
- Several server-side work-arounds have been suggested, but caution is advised since these are all new and relatively untested. Though we might not have much choice.
- Best advice is for users to patch, or re-configure, but that’ll take some time to roll out to the masses.
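To make the "server can't see it" point concrete, here is an added example (not code from the original post, from Adobe, or from the Di Paola/Fedon advisory). It rebuilds the request line a browser actually sends for a URL of the reported shape, shows that the fragment never reaches the server, contrasts a server-side filter with a client-side check over the fragment, and ends with one server-side workaround of the kind the post alludes to (serving PDFs as downloads), which is an assumption here rather than something the post recommends. The host website.com, the file name, the `anything=` parameter name and the alert() payload are placeholders.

```javascript
// Added example, not code from the original post or from the advisory it discusses.
// Runs offline under Node.js (>= 10, for the global URL class).

// Attack URL in the widely reported shape: a real PDF on the target host plus a
// fragment that the unpatched plugin interprets. Host, path and parameter name
// are placeholders; the alert() payload is illustrative only.
const ATTACK_URL =
  'http://website.com/docs/report.pdf#anything=javascript:alert(document.domain)';

// Reconstruct the request line a browser sends for a URL. Note the absence of
// u.hash: fragments are never transmitted to the server.
function requestLine(urlString) {
  const u = new URL(urlString);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// What the plugin gets to interpret: the fragment split into name=value pairs.
function fragmentPairs(urlString) {
  const u = new URL(urlString);
  const frag = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  return frag
    .split('&')
    .filter((p) => p.length > 0)
    .map((p) => {
      const i = p.indexOf('=');
      return i === -1 ? [p, ''] : [p.slice(0, i), p.slice(i + 1)];
    });
}

// A naive server-side XSS filter (a WAF rule over the request line) is all the
// server has to work with. For this attack it always comes up empty.
function serverSideFilterSeesPayload(urlString) {
  return /javascript:/i.test(requestLine(urlString));
}

// Percent-decode defensively: a malformed fragment must not crash the check.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// A client-side check (browser extension, proxy, link sanitizer) sees the whole
// URL and can spot a script scheme in any fragment value.
function fragmentCarriesScript(urlString) {
  return fragmentPairs(urlString).some(([, value]) =>
    /^\s*javascript:/i.test(safeDecode(value)),
  );
}

// One server-side workaround (an assumption here, not the post's advice): serve
// PDFs as downloads so the browser never hands them to the in-page plugin.
function pdfResponseHeaders(filename) {
  const safeName = filename.replace(/["\r\n]/g, '');
  return {
    'Content-Type': 'application/pdf',
    'Content-Disposition': `attachment; filename="${safeName}"`,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('server sees  :', requestLine(ATTACK_URL));
  console.log('plugin sees  :', fragmentPairs(ATTACK_URL));
  console.log('WAF catches? :', serverSideFilterSeesPayload(ATTACK_URL));
  console.log('client check :', fragmentCarriesScript(ATTACK_URL));
  console.log('download hdrs:', pdfResponseHeaders('report.pdf'));
}
```

The request line the server logs is just `GET /docs/report.pdf HTTP/1.1`, which is why server-side signatures cannot catch this and why the fix has to land in the browser or the plugin; the download workaround only sidesteps the plugin for PDFs you serve yourself.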
RSnake wins the award for breaking the Web, again. He found that it’s possible to point the malicious URL to a default PDF file location on the local filesystem, so the attacker no longer even needs the target site to host a PDF: the script runs from a file:// URL in the local context, which is what makes this a payload for attacks much worse than ordinary XSS.
Wake up browser vendors! It’s time to deal with this stuff!