From security@greymagic.com Tue Oct 7 19:06:19 2003 From: GreyMagic Software To: vulnwatch@vulnwatch.org Date: Tue, 7 Oct 2003 18:02:07 +0200 Subject: [VulnWatch] Adobe SVG Viewer Local and Remote File Reading (GM#003-MC) GreyMagic Security Advisory GM#003-MC ===================================== By GreyMagic Software, Israel. 07 Oct 2003. Available in HTML format at http://security.greymagic.com/adv/gm003-mc/. Topic: Adobe SVG Viewer Local and Remote File Reading. Discovery date: 07 Sep 2003. Affected applications: ====================== Adobe SVG Viewer (ASV) 3.0 and prior. Note that any other application that embeds ASV is affected as well, including the WebBrowser control. Therefore, any application that makes use of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN Explorer, etc.). Introduction: ============= Scalable Vector Graphics (SVG) is a relatively new XML-based language for creating and controlling vector graphics. The language was standardized and endorsed by the WWW Consortium (W3C). Several SVG parsers and renderers have been released as browser plugins, but the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe: "Adobe SVG Viewer 3.0 is available in 15 languages and many millions of viewers have already been distributed worldwide." Discussion: =========== Adobe SVG Viewer exposes several non-standard extensions, among them are the "postURL" and "getURL" methods. These methods are meant to make asynchronous HTTP requests to a server and return the results to the SVG document via a callback function that is supplied as an argument. Both "postURL" and "getURL" attempt to prevent requests to local files and URLs on different domains for obvious security reasons. However, we discovered that when a valid URL is supplied to these methods, and then redirects to a local or remote file, the content of that file is returned, allowing an attacker to read any file on the user's computer and remote sites. Notice that in this case cookies are sent to remote sites, making the privacy breach quite severe. A significant mitigating factor in IE6 SP1 is its prevention of navigation to local content from the Internet Zone. This means that users of IE6 SP1 (in the Internet Zone ONLY) are safe from having their local files read by this vulnerability. However, they are not safe from remote URL reading. All other versions of IE are vulnerable to both local and remote file reading. Exploit: ======== The following code attempts to read a local or remote file, "rd.asp" redirects to the desired unauthorized location. getURL( "rd.asp", function (oResponse) { parent.alert(oResponse.content); } ); Demonstration: ============== We put together a proof of concept demonstration, which can be found at http://security.greymagic.com/adv/gm003-mc/. Solution: ========= GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a patched version (ASV 3.01) and made it available on the official ASV download site at http://www.adobe.com/svg/viewer/install/mainframed.html. Tested on: ========== Adobe SVG Viewer 3 Build 76. Disclaimer: =========== The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind. GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. - Copyright © 2003 GreyMagic Software.