lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031007160004.97BB3867F@marco.bezeqint.net>
From: security at greymagic.com (GreyMagic Software)
Subject: Adobe SVG Viewer Cross Domain and Zone Access (GM#004-MC)

GreyMagic Security Advisory GM#004-MC
=====================================

By GreyMagic Software, Israel.
07 Oct 2003.

Available in HTML format at http://security.greymagic.com/adv/gm004-mc/.

Topic: Adobe SVG Viewer Cross Domain and Zone Access.

Discovery date: 07 Sep 2003.

Affected applications:
======================

Adobe SVG Viewer (ASV) 3.0 and prior. 

Note that any other application that embeds ASV is affected as well,
including the WebBrowser control. Therefore, any application that makes use
of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN
Explorer, etc.). 


Introduction:
=============

Scalable Vector Graphics (SVG) is a relatively new XML-based language for
creating and controlling vector graphics. The language was standardized and
endorsed by the WWW Consortium (W3C). 

Several SVG parsers and renderers have been released as browser plugins, but
the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe:
"Adobe SVG Viewer 3.0 is available in 15 languages and many millions of
viewers have already been distributed worldwide." 


Discussion: 
===========

One of the methods ASV implements that resemble the available methods in
HTML DOM is "alert". This method is meant to display a standard dialog
window with a message and wait for dismissal. 

When an SVG document performs an "alert()" command, the current execution
thread pauses and waits for user input (press the OK button). At that time,
using a different thread, an attacker can change the location (current URL)
of the window and load a victim domain. When the user finally dismisses the
alert dialog, the execution thread resumes normally, except now it has full
access to the victim document via the "parent" object. 

Currently, when using this method in conjunction with other components, the
implications include cookie theft, website impersonation, local file
reading, local file writing and arbitrary command execution. This could lead
to full control over the victim computer. 


Exploit: 
========

The following represents code in an embedded SVG document: 

alert("Press OK to continue...");
/* At this point, another thread changes the parent URL to the victim domain
*/
parent.alert(parent.location.href); /* Outputs victim domain once the user
pressed OK */

Notice that the user has no way to cancel the alert dialog, the choices are
to press OK or kill the process. 


Demonstration:
==============

We put together two proof of concept demonstrations, which can be found at
http://security.greymagic.com/adv/gm004-mc/.


Solution: 
=========

GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a
patched version (ASV 3.01) and made it available on the official ASV
download site at http://www.adobe.com/svg/viewer/install/mainframed.html. 


Tested on: 
==========

Adobe SVG Viewer 3 Build 76.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright © 2003 GreyMagic Software.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ