From 23 to 31 December i was in Berlin for the CCC congress with other Italian security researchers and friends. We had good time enjoying Berlin, drinking beer and exchanging informations. Also Stefano Di Paola and Giorgio Fedon disclosed some Adobe Acrobat Reader bugs in a larger talk titled Subverting AJAX.
Adobe Acrobat plugin for Mozilla Firefox and IE (acroreader) is able to populate Portable Documents
(PDF files) forms by supplying an external set of datas through the FDF, XML, or XFDF fields. Implementation of FDF, XML, XFDF functionalities in Acrobat Reader Plugin is vulnerable to different kind of attacks.
Vulnerability extent changes from browser to browser:
- Universal CSRF / session riding (Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)
- UXSS in #FDF, #XML e #XFDF (Mozilla Firefox + Acrobat Reader plugin)
- Possible Remote Code Execution (Mozilla Firefox + Acrobat Reader plugin)
- Denial of Service (Internet Explorer + Acrobat Reader plugin)
Read more on the original advisory: http://www.wisec.it/vulns.php?page=9.
The CCC lecture: http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html.
The CCC PDF :): http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf.