[NEWS] Adobe SVG Viewer Cross-Domain and Zone Access

From: SecuriTeam (support_at_securiteam.com)
Date: 10/08/03

    To: list@securiteam.com
    Date: 8 Oct 2003 12:48:43 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Adobe SVG Viewer Cross-Domain and Zone Access
    ------------------------------------------------------------------------

    SUMMARY

    Scalable Vector Graphics (SVG) is a relatively new XML-based language for
    creating and controlling vector graphics. The language was standardized
    and endorsed by the WWW Consortium (W3C).

    Several SVG parsers and renderers have been released as browser plugins,
    but the most popular of them all is Adobe SVG Viewer (ASV). According to
    Adobe: "Adobe SVG Viewer 3.0 is available in 15 languages and many
    millions of viewers have already been distributed worldwide".

    A vulnerability in Adobe's SVG Viewer allows remote attackers to access
    other domains' content (a cross-site scripting vulnerability), read locally
    stored files, and execute arbitrary commands.

    DETAILS

    Vulnerable systems:
     * Adobe SVG Viewer (ASV) 3.0 and prior
     * Adobe SVG Viewer 3 Build 76

    One of the methods ASV implements that resembles the methods available in
    the HTML DOM is "alert". This method is meant to display a standard dialog
    window with a message and wait for the user to dismiss it.

    When an SVG document performs an "alert()" call, the current execution
    thread pauses and waits for user input (pressing the OK button). During
    that pause, using a different thread, an attacker can change the location
    (current URL) of the window and load a victim domain. When the user
    finally dismisses the alert window, the execution thread resumes normally,
    except that it now has full access to the victim document via the "parent"
    object.

    Currently, when using this method in conjunction with other components,
    the implications include cookie theft, website impersonation, local file
    reading, local file writing, and arbitrary command execution. This could
    lead to full control over the victim computer.

    Exploit:
    The following represents code in an embedded SVG document:
    alert("Press OK to continue...");
    // At this point, another thread changes the parent URL to the victim domain
    parent.alert(parent.location.href); // Outputs the victim domain once the user presses OK

    Notice that the user has no way to cancel the alert dialog. The choices
    are to press OK or kill the process.
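    The root cause described above is a time-of-check/time-of-use gap: an origin decision is taken before a blocking modal call and reused after it, even though the host window may have been navigated in between. The following model, added here as an illustration and not code from Adobe, GreyMagic or this advisory, contrasts a gate that caches its origin check with one that re-derives the host window's origin at the moment of access. The window objects, origins and function names (originOf, cachedCheckGate, recheckedGate, simulate) are all constructed for the example.

```javascript
// Added example (not Adobe's or GreyMagic's code): a small in-memory model of
// the time-of-check/time-of-use flaw described in the advisory. A
// cross-document access gate that decides "same origin?" once and then blocks
// on a modal dialog can be wrong by the time the decision is used, because the
// host window may have been navigated while the dialog was open. All names
// here are hypothetical and the windows are plain objects; nothing touches a
// real browser.

// Origin (scheme + host + port) of an absolute URL.
function originOf(href) {
  return new URL(href).origin;
}

// Minimal stand-in for a browser window: a mutable location and a document
// holding some per-origin data.
function makeWindow(href, documentData) {
  return { location: { href }, document: { data: documentData } };
}

// Flawed gate: the origin decision is made before the blocking call and reused
// afterwards, so a navigation that happens during the block goes unnoticed.
function cachedCheckGate(scriptOrigin, hostWindow, blockingCall) {
  const allowed = originOf(hostWindow.location.href) === scriptOrigin; // time of check
  blockingCall(); // models alert(): this script is paused, other threads keep running
  return allowed ? hostWindow.document.data : "denied"; // time of use, stale decision
}

// Hardened gate: re-derive the host window's origin at the moment of access,
// after the blocking call has returned.
function recheckedGate(scriptOrigin, hostWindow, blockingCall) {
  blockingCall();
  if (originOf(hostWindow.location.href) !== scriptOrigin) {
    return "denied"; // host window no longer belongs to the script's origin
  }
  return hostWindow.document.data;
}

// Run one gate against the scenario from the advisory: the embedding window
// starts on the script's own origin and is navigated to a different origin
// while the modal dialog is open. Origins are constructed, not real sites.
function simulate(gate) {
  const scriptOrigin = "http://embedding.example";
  const host = makeWindow("http://embedding.example/page.html", "embedding-data");
  const navigateWhileBlocked = () => {
    host.location.href = "http://other-origin.example/";
    host.document.data = "other-origin-data"; // content of the newly loaded document
  };
  return gate(scriptOrigin, host, navigateWhileBlocked);
}

// The legitimate case must keep working: same origin, no navigation.
function simulateNoNavigation(gate) {
  const scriptOrigin = "http://embedding.example";
  const host = makeWindow("http://embedding.example/page.html", "embedding-data");
  return gate(scriptOrigin, host, () => {});
}

console.log("cached check :", simulate(cachedCheckGate));           // other-origin-data (cross-origin read)
console.log("rechecked    :", simulate(recheckedGate));             // denied
console.log("no navigation:", simulateNoNavigation(recheckedGate)); // embedding-data
```

    The model deliberately keeps the blocking call and the navigation in the caller's hands so the two gates can be compared on identical input; the only difference between them is when the origin is read. The same pattern applies to any security decision that straddles a call which yields control to other code: re-validate on the use side rather than trusting a result computed before the yield.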

    Demonstration:
    GreyMagic put together two proof-of-concept demonstrations (ASV 3.0 or
    prior required, scripting must be enabled); they can be found at:
    http://security.greymagic.com/adv/gm004-mc/

    Solution:
    GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a
    patched version (ASV 3.01) and made it available on the official ASV
    download site:
    http://www.adobe.com/svg/viewer/install/mainframed.html

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://security.greymagic.com/adv/gm004-mc/

    The information has been provided by GreyMagic Software
    (security@greymagic.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

