XXS Attack

XSS means that an application/website, even though it is considered trustworthy, is used by an attacker to inject malicious code with various purposes.

A news broke the 20th of October of 2020 about Adobe illustrator having a critical XSS vulnerability. 

Threat post article reads as follows:

“Critical Patches

Illustrator contains seven bugs affecting Illustrator 2020 for Windows, 24.2 and earlier versions.

Two of the issues are out-of-bounds read flaws, (CVE-2020-24409, CVE-2020-24410); one is an out-of-bounds write bug (CVE-2020-24411). Tran Van Khang working with Trend Micro Zero Day Initiative is credited for the discoveries.

“All of these vulnerabilities occur within the processing of PDF files by Illustrator,” Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative, told Threatpost. “In all three cases, an attacker can leverage the vulnerabilities to execute code in the context of the current process.””

The vulnerabilities were more propagated than that, Illustrator was not the only Adobe application affected. Users should reinstall the whole suite of tools since the majority of them were included on the patches.

These critical vulnerabilities require the user interaction to exploit. It requires a crafted pdf file for example.

The following website shows how to craft a pdf with metasploit.

Payload in PDF

In order to find exploits for XSS, the security researcher can use Exploit-DB. Then use searchsploit, which is a command-line search tool for Exploit-DB.

A way to view the source code for the exploit in exploit-DB can be by clicking on a CVE and viewing the source code on the exploit database this way:

The source code and steps are much more detailed and it would be rather confusing to read if I copy and paste. It is better if you follow my steps and view a couple of exploits on your own.

“Arbitrary code execution vulnerabilities are particularly nefarious given that they enable attackers to directly run malicious code on the exploited systems,” Jay Goodman, strategic product marketing manager at Automox, told Threatpost.

Most CVEs are not that exciting because there is no source code made available, there are some hints and unless you are used to writing your own code and realize that some of those vulnerabilities are actually a mix of several CVEs it is very difficult to replicate a CVE. 

Tigzy (n. d.) Payload in PDF. Retrieved from  https://linuxsecurityblog.com/2018/11/12/payload-in-pdf/ 

 Tara Seals (October 2020) Adobe Critical code execution bugs. Retrieved from https://threatpost.com/adobe-critical-code-execution-bugs/160369/