Issue metadata

Status: Fixed
Closed: Jan 2017

Issue 1088: Adobe: Adobe Acrobat Force-Installed Vulnerable Chrome Extension

Reported by taviso@google.com, Jan 18 2017 Project Member

Issue description

On January 12th, an automatic Adobe Acrobat update force-installed a new Chrome extension with ID efaidnbmnnnibpcajpcglclefindmkaj. You can view it on the Chrome Webstore here: https://chrome.google.com/webstore/detail/adobe-acrobat/efaidnbmnnnibpcajpcglclefindmkaj/

I can see from the webstore statistics it's already got ~30M installations. 

It didn't take long to notice there's a DOM XSS in data/js/frame.html.

        } else if (request.current_status === "failure") {
            analytics(events.TREFOIL_HTML_CONVERT_FAILED);
            if (request.message) {
                str_status = request.message;
            }
            success = false;

Presumably you can do

window.open("chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/data/js/frame.html?message=" + encodeURIComponent(JSON.stringify({
        panel_op: "status",
        current_status: "failure",
        message: "<h1>hello</h1>"
})));

I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc.

I've also noticed the way they've designed the "to_html" RPC seems racy: the URL of a tab might change (because an attacker can do x = window.open(); x.location = "new location"). Right now I don't think you can do very much with it because it doesn't seem to be feature complete... but still, it seems worth noting this so it doesn't introduce a vulnerability when they enable it.



This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
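The unsafe pattern and a hardened handler, as an added example written for this page (it is not code from the Adobe extension or from the report above). It parses the frame's ?message= query string the way the proof-of-concept in the description assumes, and contrasts splicing request.message straight into markup (the equivalent of an innerHTML sink) with validating the request and treating the message as text. The extension ID and the payload layout come from the description; the allowed-status set, the fallback strings and the markup itself are assumptions made for the example.

```javascript
// Added example, not code from the extension or from the bug report.

const EXTENSION_ID = "efaidnbmnnnibpcajpcglclefindmkaj"; // from the report
// Assumed: the set of status values the panel is expected to handle.
const ALLOWED_STATUS = new Set(["success", "failure", "in_progress"]);
const MAX_MESSAGE_LEN = 200; // assumed upper bound for a status message

// Build a frame URL carrying the JSON request, in the shape the report shows.
function frameUrlFor(message) {
  const payload = { panel_op: "status", current_status: "failure", message };
  return `chrome-extension://${EXTENSION_ID}/data/js/frame.html?message=` +
    encodeURIComponent(JSON.stringify(payload));
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: trust whatever JSON arrived in ?message= and splice
// request.message into markup. Anything that can open the frame URL picks
// the markup, which is the DOM XSS described in the report.
function renderStatusUnsafe(frameUrl) {
  const raw = new URL(frameUrl).searchParams.get("message");
  const request = JSON.parse(raw);
  let str_status = "Conversion failed";
  if (request.current_status === "failure" && request.message) {
    str_status = request.message; // attacker-controlled string used as HTML
  }
  return `<div class="status">${str_status}</div>`;
}

// Hardened shape: parse defensively, validate the structure, and never let
// the message reach an HTML sink. In a real page the last step would be
// `el.textContent = str_status`; escaping is the string-level equivalent.
function renderStatusSafe(frameUrl) {
  let request = null;
  try {
    request = JSON.parse(new URL(frameUrl).searchParams.get("message") || "");
  } catch (e) {
    request = null; // malformed or missing JSON falls through to the default
  }
  if (!request || typeof request !== "object" ||
      !ALLOWED_STATUS.has(request.current_status)) {
    return `<div class="status">${escapeHtml("Conversion failed")}</div>`;
  }
  let str_status = request.current_status === "failure" ? "Conversion failed" : "Converted";
  if (typeof request.message === "string" && request.message.length <= MAX_MESSAGE_LEN) {
    str_status = request.message; // still text only, never markup
  }
  return `<div class="status">${escapeHtml(str_status)}</div>`;
}

// Stand-alone run: show both renderings for the payload from the report.
const demoUrl = frameUrlFor("<h1>hello</h1>");
console.log("unsafe:", renderStatusUnsafe(demoUrl));
console.log("safe:  ", renderStatusSafe(demoUrl));
```

The check worth taking away is that the query-string JSON is untrusted input even inside an extension page: the hardened handler rejects anything that is not an object with a known status, caps the message length, and renders the message as text, so the payload from the report is displayed literally instead of being parsed as markup.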
 

Comment 1 by taviso@google.com, Jan 18 2017

Project Member
PSIRT-6264

Response:

Hi Tavis,

Thanks again for contacting us about this bug.  We're planning an update that we expect will land next week.

We'll circle back with you on Tuesday with a more precise timeframe.

Comment 2 by taviso@google.com, Jan 18 2017

Project Member
Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Response:

Hi Tavis,

Thanks again for contacting us about this XSS bug.  We pushed a fix yesterday and it looks like the new version is live now.  What is your expectation around notification to users?

Regards,

Comment 3 by mjurczyk@google.com, Feb 3 2017

Project Member
Labels: -Reported-12-Jan-2017 Reported-2017-Jan-12

Comment 4 Deleted

Comment 5 Deleted

Comment 6 by taviso@google.com, Dec 26

Project Member
Labels: Restrict-AddIssueComment-EditIssue
This issue tracker is not intended to be a discussion forum, please only add comments if you have information relevant to this bug.
