XSS for PDFs – New injection technique offers rich pickings for security researchers

UPDATED The contents of PDF documents can be exfiltrated to a remote server using an exploit contained in a single link, potentially exposing a wealth of sensitive information to an attacker.

Security researcher Gareth Heyes of PortSwigger* demonstrated how a newly developed injection technique enabled him to conduct a successful injection attack against a PDF rendered server-side during Black Hat Europe’s online conference today.

Using a single link, Heyes showed how he was able to compromise the contents of a PDF document and exfiltrate it to a remote server, “just like a blind cross-site scripting (XSS) attack”.

Just the ticket

Server-side PDF generation is popular these days, with e-tickets, boarding passes, and other documents created this way.

These PDF documents often contain sensitive information, including bank details, passport numbers, addresses, and other data.

Discussing the potential impact of his newly developed ‘XSS for PDFs’ technique, Heyes told The Daily Swig: “Imagine you can control your company website URL on a shared PDF.

“You inject a PDF injection vector and the victim clicks your link or anywhere in the PDF and you can extract all the sensitive information they entered.”

PortSwigger Web Security researcher Gareth Heyes discussed his latest exploit at Black Hat Europe 2020

Documenting the exploit

Heyes explained that in order to carry out the attack, the user needs to be able to input parentheses or backslashes in the PDF document.

“A library should escape parentheses and backslashes in URI dictionaries or text streams,” the researcher said.

“If they don’t escape any of those characters, or one of those characters, then there could be PDF injection in the library.”

If these conditions are met, a user can construct an injection to take control of the PDF document.

This can be done by calling app.alert(1) in PDF JavaScript, or by using the submitForm action/function to make a POST request to an external URL. The document is then ripe for exfiltration.

Vulnerable software

Heyes found two libraries that were vulnerable to the exploit: PDF-Lib, which has more than 52,000 weekly downloads, and jsPDF, which has around 250,000. Both are NPM modules.

Each library seems to correctly escape text streams but makes the mistake of allowing PDF injection inside annotations, he explained, adding that he was also able to execute the attack in both Adobe Acrobat and Chrome’s PDF reader, PDFium.

In response to these findings, Adobe issued a security update for Adobe Acrobat Reader on December 9 that remedied the security vulnerability.

To protect against the exploit on an unprotected PDF reader, Heyes advised: “At the library level you should ensure parentheses are escaped correctly in annotation URLs and text streams.

“At the web app level, ensure you perform validation on the PDF to ensure there are no unwanted JavaScript or SubmitForm actions.”
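The two defences Heyes describes, escaping at the library level and validating the finished PDF at the web-app level, as an added JavaScript example that is not from the article or from PDF-Lib/jsPDF; the function names and the sample PDF fragment are constructed here for illustration.

```javascript
// PDF literal strings are delimited by ( and ). An unescaped ) or a raw
// backslash in user-controlled text can close the string early and let the
// rest of the value be parsed as new dictionary entries. Escape both, plus
// line breaks, as PDF 1.7 section 7.3.4.2 requires for literal strings.
function escapePdfString(value) {
  return String(value)
    .replace(/\\/g, '\\\\')   // backslash first, so later escapes are not doubled
    .replace(/\(/g, '\\(')
    .replace(/\)/g, '\\)')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Build the /URI action dictionary of a link annotation from an escaped URL.
// This is the spot the article says PDF-Lib and jsPDF left unescaped.
function uriActionDict(url) {
  return `<< /S /URI /URI (${escapePdfString(url)}) >>`;
}

// Web-app level check: list JavaScript and SubmitForm actions in a serialized
// PDF. PDF names may use #xx hex escapes (/Java#53cript), so decode those
// before matching; a plain substring search would miss them.
function findForbiddenActions(pdfBytes) {
  const text = Buffer.isBuffer(pdfBytes) ? pdfBytes.toString('latin1') : String(pdfBytes);
  const normalized = text.replace(/#([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  const found = [];
  for (const name of ['/JavaScript', '/JS', '/SubmitForm']) {
    // Match the whole name only: /JS must not match /JSX or similar.
    const re = new RegExp(name.replace('/', '\\/') + '(?![A-Za-z0-9])', 'g');
    const count = (normalized.match(re) || []).length;
    if (count > 0) found.push({ action: name, count });
  }
  return found;
}

// Constructed sample: one benign link annotation plus one JavaScript action
// whose name is hex-obfuscated. Not a real document from the research.
const SAMPLE_PDF =
  '%PDF-1.7\n' +
  '1 0 obj << /Type /Annot /Subtype /Link /A ' + uriActionDict('https://example.com/(ticket)') + ' >> endobj\n' +
  '2 0 obj << /S /Java#53cript /JS (app.alert\\(1\\)) >> endobj\n';

console.log(uriActionDict('https://example.com/(ticket)'));
console.log(findForbiddenActions(SAMPLE_PDF));
```

A generated PDF that contains any entry from `findForbiddenActions` should be rejected before it is served, independent of whether the library escaped its strings correctly.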

Check out Heyes’s technical blog post, Portable Data exFiltration: XSS for PDFs, for full details.

* Disclosure: PortSwigger Web Security is The Daily Swig’s parent company.

This article was updated on December 11 to reference the security patch released by Adobe in light of the research. 

Source: https://portswigger.net/daily-swig/xss-for-pdfs-new-injection-technique-offers-rich-pickings-for-security-researchers
