|
Brought to you by:
Suppliers of:
|
|
|
| |
Scalable Vector Graphics (SVG) is a relatively new XML-based language for creating and controlling vector graphics. The language was standardized and endorsed by the WWW Consortium (W3C).
Several SVG parsers and renderers have been released as browser plugins, but the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe: "Adobe SVG Viewer 3.0 is available in 15 languages and many millions of viewers have already been distributed worldwide".
A vulnerability in Adobe's SVG allows remote attackers to access other domains content (cross-site scripting vulnerability), read locally stored files, and execute arbitrary commands. |
| |
Credit:
The original advisory can be downloaded from: http://security.greymagic.com/adv/gm004-mc/.
The information has been provided by GreyMagic Software.
|
| |
Vulnerable systems:
* Adobe SVG Viewer (ASV) 3.0 and prior
* Adobe SVG Viewer 3 Build 76
One of the methods ASV implements that resemble the available methods in HTML DOM is "alert". This method is meant to display a standard dialog window with a message and wait for dismissal.
When an SVG document performs an "alert()" command, the current execution thread pauses and waits for user input (press the OK button). At that time, using a different thread, an attacker can change the location (current URL) of the window and load a victim domain. When the user finally dismisses the alert window, the execution thread resumes normally, except now it has full access to the victim document via the "parent" object.
Currently, when using this method in conjunction with other components, the implications include cookie theft, website impersonation, local file reading, local file writing, and arbitrary command execution. This could lead to full control over the victim computer.
Exploit:
The following represents code in an embedded SVG document:
alert("Press OK to continue...");
// At this point, another thread changes the parent URL to the victim domain
parent.alert(parent.location.href); // Outputs victim domain once the user pressed OK
Notice that the user has no way to cancel the alert dialog. The choices are to press OK or kill the process.
Demonstation:
GreyMagic put together two proofs of concept demonstrations (ASV 3.0 or prior required, scripting must be enabled), it can be found at: http://security.greymagic.com/adv/gm004-mc/.
Solution:
GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a patched version (ASV 3.01) and made it available on the official ASV download site.
|
|
|
|
|
