GreyMagic Security Advisory GM#004-MC
By GreyMagic Software, Israel. 07 Oct 2003.
Topic: Adobe SVG Viewer Cross Domain and Zone Access.
Discovery date: 19 Aug 2003.
Affected applications: Adobe SVG Viewer (ASV) 3.0 and prior.
Note that any other application that embeds ASV is affected as well, including the WebBrowser control. Therefore, any application that makes use of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN Explorer, etc.).
Introduction: Scalable Vector Graphics (SVG) is a relatively new XML-based language for creating and controlling vector graphics. The language was standardized and endorsed by the World Wide Web Consortium (W3C).
Several SVG parsers and renderers have been released as browser plugins, but the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe: "Adobe SVG Viewer 3.0 is available in 15 languages and many millions of viewers have already been distributed worldwide."
Discussion: One of the methods ASV implements that resembles those available in the HTML DOM is "alert". This method displays a standard dialog window with a message and waits for the user to dismiss it.
When an SVG document calls "alert()", the current execution thread pauses and waits for user input (pressing the OK button). During that time, using a different thread, an attacker can change the location (current URL) of the window and load a victim domain. When the user finally dismisses the alert window, the execution thread resumes normally, except that it now has full access to the victim document via the "parent" object.
Currently, when using this method in conjunction with other components, the implications include cookie theft, website impersonation, local file reading, local file writing and arbitrary command execution. This could lead to full control over the victim computer.
Exploit: The following represents code in an embedded SVG document:
alert("Press OK to continue...");
// At this point, another thread changes the parent URL to the victim domain
parent.alert(parent.location.href); // Outputs victim domain once the user pressed OK
Notice that the user has no way to cancel the alert dialog; the only choices are to press OK or kill the process.
Demonstration: We put together two proof of concept demonstrations (ASV 3.0 or prior required, scripting must be enabled):
- Remote Domains Access: Reads the cookie from any supplied domain.
- Local Files Access: Reads files from the local disk (including IE6 SP1).
We chose not to demonstrate local file writing and arbitrary command execution, as they have much higher damage potential.
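The following is an added example, not part of GreyMagic's advisory or Adobe's code. It is a constructed Node.js model of the flaw described above, with hypothetical names (attacker.example, victim.example, the cookie values, and every function name) and no real browser or plugin API: a viewer that validates the parent's origin once, before the blocking alert() call, keeps a stale decision, whereas one that re-validates at every access to the parent denies the read after the window has navigated.

```javascript
// Added illustration (not GreyMagic's or Adobe's code): a minimal model of why
// checking the caller's origin once before a blocking call is a
// time-of-check/time-of-use bug, and how re-checking at every access fixes it.
// All objects below are constructed stand-ins for browser and plugin objects.

// Constructed helper: "https://host/path" -> "https://host"
function origin(url) {
  const m = /^([a-z]+:\/\/[^/]+)/i.exec(url);
  return m ? m[1] : null;
}

// Constructed model of the hosting browser window (the "parent" object).
function makeParentWindow(url, cookie) {
  return { location: { href: url }, document: { cookie } };
}

// Constructed model of a script inside an embedded SVG document, tagged with
// the origin the document was loaded from.
function makeSvgScript(url) {
  return { origin: origin(url) };
}

// Simulates the blocking alert(): while the script is "paused", the supplied
// callback runs, standing in for the other thread that navigates the parent.
function alertThenResume(duringAlert) {
  duringAlert();
}

// Vulnerable pattern: the origin is checked once at script start and the
// result is trusted for the rest of the script, including after the alert.
function readParentCookieCheckOnce(script, parent, duringAlert) {
  const allowed = origin(parent.location.href) === script.origin;
  if (!allowed) throw new Error("SecurityError: cross-origin access");
  alertThenResume(duringAlert);
  return parent.document.cookie; // stale decision: parent may have navigated
}

// Hardened pattern: every access to the parent re-checks the origin at use time.
function guardedParentAccess(script, parent, read) {
  if (origin(parent.location.href) !== script.origin) {
    throw new Error("SecurityError: cross-origin access");
  }
  return read(parent);
}

function readParentCookieCheckEachAccess(script, parent, duringAlert) {
  guardedParentAccess(script, parent, () => null); // pre-alert access is fine
  alertThenResume(duringAlert);
  return guardedParentAccess(script, parent, (p) => p.document.cookie);
}

// Scenario (constructed): a page on attacker.example embeds the SVG; while the
// alert is open, the parent window is navigated to victim.example.
function runScenario(readFn) {
  const parent = makeParentWindow("https://attacker.example/page.html", "attacker=1");
  const script = makeSvgScript("https://attacker.example/embedded.svg");
  const navigate = () => {
    parent.location.href = "https://victim.example/account";
    parent.document.cookie = "session=victim-secret"; // constructed value
  };
  try {
    return { ok: true, value: readFn(script, parent, navigate) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

console.log("check once:       ", runScenario(readParentCookieCheckOnce));
console.log("check each access:", runScenario(readParentCookieCheckEachAccess));
```

Run with node: the check-once path returns the navigated document's cookie, the re-check path throws a SecurityError. The point for a viewer or plugin author is that a cross-domain decision must be made at each access to the host document, never cached across a call that yields control to other threads.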
Solution: GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a patched version (ASV 3.01) and made it available on the official ASV download site.
Tested on: Adobe SVG Viewer 3 Build 76.
Disclaimer: The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.
Vulnerability details are provided strictly for educational and defensive purposes.
GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
