Sverre H. Huseby
16/06/05, 18:35
XML External Entity (XXE) Attack Possible in Adobe Reader 7
-----------------------------------------------------------
SHH #7, 2005-06-16
Description
-----------
Recent versions of Adobe Reader (previously known as Acrobat Reader)
are vulnerable to XML External Entity (XXE) Attacks. By including a
JavaScript in a PDF file, and have this JavaScript parse an embedded
XML document with a reference to an external entity, it is possible to
read certain types of textual files on the local computer, and have
them sent to a remote attacker.
Details
-------
The hairy details (the problem description sent to Adobe), including
sample PDFs, are available on a separate web page:
http://shh.thathost.com/secadv/adobexxe/
Solution
--------
Disable the use of JavaScript in Adobe Reader, or upgrade to a version
not vulnerable to this attack.
Vendor Notification
-------------------
The Adobe developers were notified on 2005-04-15. They made a fix
available on 2005-06-15.
Affected versions
-----------------
Confirmed to work in version 7.0 and 7.0.1 on Microsoft Windows,
version 7.0 on GNU/Linux and version 7.0 on Mac OSX.
It is unknown whether the attack works in version 6, which also
supports JavaScript in PDF files.
Fixed versions
--------------
Adobe Reader version 7.0.2.
For Adobe's own advisory, see the following URL:
http://www.adobe.com/support/techdocs/331710.html
Credits
-------
Thanks to Jeremiah Grossman for verifying that the attack also works
on the Mac OSX version of Adobe Reader.
----------------------------
Reported by Sverre H. Huseby
-----------------------------------------------------------
SHH #7, 2005-06-16
Description
-----------
Recent versions of Adobe Reader (previously known as Acrobat Reader)
are vulnerable to XML External Entity (XXE) Attacks. By including a
JavaScript in a PDF file, and have this JavaScript parse an embedded
XML document with a reference to an external entity, it is possible to
read certain types of textual files on the local computer, and have
them sent to a remote attacker.
Details
-------
The hairy details (the problem description sent to Adobe), including
sample PDFs, are available on a separate web page:
http://shh.thathost.com/secadv/adobexxe/
Solution
--------
Disable the use of JavaScript in Adobe Reader, or upgrade to a version
not vulnerable to this attack.
Vendor Notification
-------------------
The Adobe developers were notified on 2005-04-15. They made a fix
available on 2005-06-15.
Affected versions
-----------------
Confirmed to work in version 7.0 and 7.0.1 on Microsoft Windows,
version 7.0 on GNU/Linux and version 7.0 on Mac OSX.
It is unknown whether the attack works in version 6, which also
supports JavaScript in PDF files.
Fixed versions
--------------
Adobe Reader version 7.0.2.
For Adobe's own advisory, see the following URL:
http://www.adobe.com/support/techdocs/331710.html
Credits
-------
Thanks to Jeremiah Grossman for verifying that the attack also works
on the Mac OSX version of Adobe Reader.
----------------------------
Reported by Sverre H. Huseby