The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file.
As a security expert, I was diagnosing a web page and checked the page that opens PDF files on the bulletin board. I looked into the library used there to find vulnerabilities in PDFs on that page.
pdf.js is a library for opening PDFs in web pages, and we confirmed that web vulnerabilities can occur in it, unlike with traditional PDF readers.
I became interested in how pdf.js renders PDFs on the web.
pdf.js works by converting PostScript functions to JavaScript and running them in the browser. Because of this property, a web vulnerability was found in pdf.js: a major stored XSS, tracked as CVE-2018-5158.
CVE-2018-5158
Before looking at this vulnerability, you should consult the official specification to understand the normal functionality that the vulnerability abuses.
First, let's see how this function is used. A description of the related function type, Type 4 (PostScript calculator) functions, can be found on page 175 of the PDF 1.7 specification.
In fact, you probably don't know it either, because this was the first time I had opened a PDF in an editor and seen PostScript myself. As explained further below, CVE-2018-5158 is a vulnerability that exploits the Domain and Range parameters. So let's check how they are used, referring to the detailed description of each parameter below.
According to this document, the Domain and Range parameters are used in relation to the graphics state within the PDF. Although complex mathematical formulas appear throughout the document, it is only necessary to know how the function involved in the pdf.js vulnerability was originally meant to be used; there is no need to understand the formulas in depth. The Domain and Range parameters are only checked to be arrays, and their input values are not validated separately, which is what triggers the stored XSS. It may still be hard to follow, but looking at the PoC used in CVE-2018-5158 helps. Let's see.
The PoC is as follows:
%PDF-1.4
1 0 obj
<<
/FunctionType 4
/Domain [(console.log("Stored XSS")) 0]
/Range [0 0]
/Length 12
>>
stream
{
0 add
}
endstream
endobj
Looking at the PoC, JavaScript is inserted into the Domain and Range parameters. It looks really simple, but let's understand the structure.
In the normal PDF structure, the Domain and Range parameters are arrays of numeric values. Therefore, pdf.js appears to assume that only numbers are entered, and it only checks that these parameters are arrays without validating their contents further. I could check this link, but sadly it is no longer accessible.
When an input value is received, pdf.js adds the corresponding glyph. In this case, an attack is possible because the JavaScript code is generated from the unverified input, so a payload inserted into that part ends up in the generated code.
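The following is an added example, not pdf.js's own code: a simplified model of how Domain and Range entries of a Type 4 function are spliced into generated JavaScript, beside the per-entry number check that would stop the PoC above. All function names and the sample dictionaries are assumptions made for illustration.

```javascript
// Added example, not pdf.js's own code: a simplified model of the Type 4
// (PostScript calculator) compile path, where /Domain and /Range entries are
// spliced into generated JavaScript, beside the input check that closes the hole.

// Constructed sample dictionaries: what a parser would hand back for a benign
// function and for the PoC above (a string where a number is expected).
const BENIGN_DICT = { Domain: [0, 1], Range: [0, 1] };
const POC_DICT = { Domain: ['console.log("Stored XSS")', 0], Range: [0, 0] };

// Emit one clamp statement per (min, max) pair; `literal` turns an entry into
// JavaScript source text.
function emitClamps(varName, arr, literal) {
  let src = '';
  for (let i = 0; i + 1 < arr.length; i += 2) {
    const v = `${varName}${i / 2}`;
    src += `${v} = Math.min(Math.max(${v}, ${literal(arr[i])}), ${literal(arr[i + 1])});\n`;
  }
  return src;
}

// Vulnerable pattern: only the container type is checked and each entry is
// stringified as-is, so a string entry becomes code rather than a number literal.
function compileClampsUnchecked(dict) {
  if (!Array.isArray(dict.Domain) || !Array.isArray(dict.Range)) {
    throw new TypeError('Domain and Range must be arrays');
  }
  return emitClamps('x', dict.Domain, String) + emitClamps('y', dict.Range, String);
}

// Hardened pattern: every entry must be a finite number and the array must hold
// complete (min, max) pairs before anything reaches the code generator.
function checkNumberPairs(name, arr) {
  if (!Array.isArray(arr) || arr.length === 0 || arr.length % 2 !== 0) {
    throw new TypeError(`${name} must be a non-empty array of (min, max) pairs`);
  }
  for (const v of arr) {
    if (typeof v !== 'number' || !Number.isFinite(v)) {
      throw new TypeError(`${name} entries must be finite numbers`);
    }
  }
  return arr;
}

function compileClampsChecked(dict) {
  const domain = checkNumberPairs('Domain', dict.Domain);
  const range = checkNumberPairs('Range', dict.Range);
  return emitClamps('x', domain, String) + emitClamps('y', range, String);
}
```

Run against the PoC dictionary, the unchecked path returns source that contains the payload verbatim, while the checked path rejects it with a TypeError before any code is generated.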
In addition, I will also post other examples found for this CVE.
CVE-2018-5158 vulnerability cases are as follows:
We analyzed CVE-2018-5158 today. In fact, analyzing a CVE for the first time was difficult because there was not much related material, but I was proud that few people had analyzed this CVE. In the future, we will analyze not only web vulnerabilities but also vulnerabilities that combine with the web.
This has been P4rkJW. Thank you.