Adobe Reader 7: Xml External Entity Attack

Full Version: Adobe Reader 7: Xml External Entity Attack

GovernmentSecurity.org > General GSO > Exploit & Vulnerability Mailing List Archives

qcred11

Jun 16 2005, 03:31 PM

QUOTE

Adobe Reader 7: XML External Entity (XXE) Attack

Description
-----------
Recent versions of Adobe Reader (previously known as Acrobat Reader)
are vulnerable to XML External Entity (XXE) Attacks. By including a
JavaScript in a PDF file, and have this JavaScript parse an embedded
XML document with a reference to an external entity, it is possible to
read certain types of textual files on the local computer, and have
them sent to a remote attacker.

Details
-------
The hairy details (the problem description sent to Adobe), including
sample PDFs, are available on a separate web page:
http://shh.thathost.com/secadv/adobexxe/

Solution
--------
Disable the use of JavaScript in Adobe Reader, or upgrade to a version
not vulnerable to this attack.

Vendor Notification
-------------------
The Adobe developers were notified on 2005-04-15. They made a fix
available on 2005-06-15.

Affected versions
-----------------
Confirmed to work in version 7.0 and 7.0.1 on Microsoft Windows,
version 7.0 on GNU/Linux and version 7.0 on Mac OSX.
It is unknown whether the attack works in version 6, which also
supports JavaScript in PDF files.

Fixed versions
--------------
Adobe Reader version 7.0.2.
For Adobe's own advisory, see the following URL:
http://www.adobe.com/support/techdocs/331710.html

Credits
-------
Thanks to Jeremiah Grossman for verifying that the attack also works
on the Mac OSX version of Adobe Reader.

----------------------------
Reported by Sverre H. Huseby

Source: http://seclists.org/lists/bugtraq/2005/Jun/0143.html

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.