* Adobe Reader 7.01 on Microsoft Windows
* Adobe Reader 7
* Adobe Reader 7.02 on Microsoft Windows
To Sverre's knowledge, the general "XML External Entity Attack" was first described by Gregory Steuck in 2002 (http://www.securiteam.com/securitynews/6D0100A5PU.html). The following example XML document will make the XML parser read c:\boot.ini and expand it into the content of the foo tag:
Note: The attack is limited to files containing text that the XML parser will allow at the place the External Entity is referenced. Files containing non-printable characters, and files with randomly located less-than signs or ampersands, cannot be included. This restriction greatly limits the number of possible target files.
The remote web server URL points to a script that just displays whatever is sent to it (note that even if the content of c:\boot.ini is displayed in the local web browser, it has taken a trip to the remote web server before being displayed locally):
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
One can clearly see that the web server got a copy of c:\boot.ini from the local computer. As stated above, the XML parser is rather picky when it comes to the contents of the included file. But it has no problems if the file contains XML, which an increasing number of files appear to do these days.
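A defensive check for the behaviour described above, as an added example that is not part of the original advisory or of Adobe's fix: it uses Python's expat bindings to list external entity declarations and external DTD references without resolving them, so untrusted XML can be rejected before it reaches a parser that would expand them. The function names and sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

def find_external_references(xml_bytes):
    """List external entity declarations and external DTDs without fetching them."""
    found = []
    parser = expat.ParserCreate()
    # Never load an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            found.append(("doctype", name, system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a value; external ones carry a system/public id.
        if system_id is not None or public_id is not None:
            found.append(("entity", name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is set, so expat skips references to
    # external entities instead of reading the file or URL they name.
    parser.Parse(xml_bytes, True)
    return found

def verdict(xml_bytes):
    """Return 'reject' for malformed XML or any external reference, else 'accept'."""
    try:
        return "reject" if find_external_references(xml_bytes) else "accept"
    except expat.ExpatError:
        return "reject"

# Constructed sample documents (not the advisory's original example document).
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>\n'
                   b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///c:/boot.ini"> ]>\n'
                   b'<foo>&xxe;</foo>')
EXTERNAL_DTD = b'<!DOCTYPE foo SYSTEM "http://example.invalid/foo.dtd"><foo/>'
INTERNAL_ONLY = b'<!DOCTYPE foo [ <!ENTITY greet "hello"> ]><foo>&greet;</foo>'
PLAIN = b'<?xml version="1.0"?><foo>plain text</foo>'

if __name__ == "__main__":
    for doc in (EXTERNAL_ENTITY, EXTERNAL_DTD, INTERNAL_ONLY, PLAIN):
        print(verdict(doc), find_external_references(doc))
```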
The vendor released an update on 2005-06-15.
2005-04-15: Adobe notified
2005-04-20: Reply from Adobe's Product Security Incident Response Team (PSIRT) that they are looking into it
2005-05-09: Sverre H. Huseby sent an E-mail to Adobe's PSIRT asking for the current status
2005-05-10: E-mail from Adobe that they're working on a fix
2005-06-15: Adobe releases the fixed version 7.0.2 for Windows