[PDF] [PDF] docexport* Methods Allow Arbitrary File Creation - IOActive Security

Adobe Reader 9 1 2; earlier versions are likely vulnerable as well Description Several JavaScript methods of the Document Object do not honor the Privileged  



Previous PDF Next PDF





[PDF] JavaScript for Acrobat API Reference - Adobe

Adobe Acrobat SDK Contents JavaScript for Acrobat API Reference 5 2 JavaScript API (Continued) Annotation (Continued) Annotation methods 



[PDF] Acrobat JavaScript Scripting Reference - Adobe

The use of these older methods are discouraged and marked by in the version column Using this property or method dirties (modifies) the PDF document If the



[PDF] JavaScript for Acrobat API Reference - Datalogics Developer

Adobe® Acrobat® DC SDK JavaScript™ for Acrobat API Reference for Microsoft ® Windows® AlternatePresentation methods AnnotRichMedia methods



[PDF] Acrobat Forms JavaScript Object Specification - Planet PDF

27 jan 1999 · Use this method to determine whether objects, properties, or methods in newer versions of the software are available if you wish to maintain 



[PDF] FOR PDF FORMS

Implements objects, methods, and properties that enable you to manipulate PDF Source: https://www adobe com/devnet/acrobat/javascript html THE BASICS 



[PDF] Acrobat JavaScript Scripting Reference - PDFill

29 sept 2005 · Acrobat JavaScript objects, properties, and methods can also be accessed through Microsoft® Visual Basic® to automate the processing of PDF 



[PDF] docexport* Methods Allow Arbitrary File Creation - IOActive Security

Adobe Reader 9 1 2; earlier versions are likely vulnerable as well Description Several JavaScript methods of the Document Object do not honor the Privileged  



[PDF] Techniques of Introducing Document-level JavaScript into a PDF file

The method of introducing Acrobat document-level JavaScript (DLJS) into a PDF depends on the application used: pdf tex or dvi pdf m Until recently, users

[PDF] acrobat javascript reference

[PDF] acrobat javascript scripting guide 2017

[PDF] acrobat javascript scripting reference

[PDF] acrobat javascript scripting reference 10

[PDF] acrobat javascript scripting reference dc

[PDF] acrobat javascript scripting reference xi

[PDF] acrobat javascript set text field value

[PDF] acrobat javascript this getfield is not a function

[PDF] acrobat js console

[PDF] acrobat not detecting form fields

[PDF] acrobat pro scripting guide

[PDF] acrobat sdk

[PDF] acrobat xi pro

[PDF] acroexch pdbookmark

[PDF] acroexch pddoc getinfo

http://www.ioactive.com Page 1

IOActive Security Advisory

Title doc.export* Methods Allow Arbitrary File Creation

Severity High

Date Discovered July 13, 2009

Affected Products

Adobe Reader 9.1.2; earlier versions are likely vulnerable as well.

Description

Several JavaScript methods of the Document Object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods that can be used to create arbitrary files and folders on a targeted file system.

Technical Details

According to the Acrobat user documentation, certain methods are either not available or have security restrictions in a non-privileged context. Therefore, it should not be possible to call these methods from page open events. The following content is taken from the user documentation: Some Acrobat JavaScript methods, marked by S in the third column of the quick bar, have security restrictions. These methods can be executed only in a privileged context, which includes console, batch, menu, and application initialization events. All other events (for example, page open and mouse-up events) are considered non-privileged. IOActive discovered that some methods do not adhere to this policy; the following methods are executable from the 'page open' event: doc.exportAsFDF doc.exportAsText doc.exportAsXFDF doc.exportDataObject doc.exportXFAData

These methods take a

cPath parameter, which can be used to create a file or folder on the file system and should be considered a "safe path." For example, the documentation has this to say about the cPath parameter for the doc.exportAsText method: http://www.ioactive.com Page 2 NOTE:(SecurityS): The parameter cPath is must have a safe path (see "Safe Path" on page 34) and have a .txt extension. This method will throw a NotAllowedError (see Error Object ) exception if these security conditions are not met, and the method will fail. This is incorrect as the method allows any arbitrary file extension and any arbitrary path, which means that an attacker can use any arbitrary file extension and any arbitrary path. Attackers can leverage this vulnerability to create malicious files in targeted system folders.

Proof of Concept

The following code will write a file with the .exe extension in the Startup folder of the targeted user:

6 0 obj< function Init\(\) { this.exportAsText(false, null, "/c/Documents and

Settings/Administrator/Start

} Init\(\); )>>endobj

1 0 obj<>endobj

quotesdbs_dbs10.pdfusesText_16