SecurityTracker.com
Category:   Application (Generic)  >   Adobe SVG Viewer
Vendors:   Adobe Systems Incorporated
Adobe SVG Viewer Discloses Arbitrary Files to Remote Users
SecurityTracker Alert ID:  1007894
SecurityTracker URL:  http://securitytracker.com/id/1007894
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 7 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3.0 and prior versions
Description:   An information disclosure vulnerability was reported in the Adobe SVG Viewer and browser control. A remote user can view files on the target user's system and remotely located files that are readable by the target user's browser.

GreyMagic Software reported that the non-standard "postURL" and "getURL" methods implemented by the Adobe SVG Viewer do not properly enforce cross-domain security restrictions. A remote user can supply a valid URL that then redirects to a restricted file, and the content of the restricted file is returned to the remote user.

According to the report, users of Microsoft Internet Explorer (IE) version 6 SP1 are protected against the disclosure of local files to remote users, but not against the disclosure of remote files to remote users. All other IE versions are fully affected.

A demonstration exploit is available at:

http://security.greymagic.com/adv/gm003-mc/

The vendor was reportedly notified on September 9, 2003.

Impact:   A remote user can view files on the target user's computer and on web sites accessible to the target user.
Solution:   The vendor has released a fixed version (3.01), available at:

http://www.adobe.com/svg/viewer/install/mainframed.html

Vendor URL:  www.adobe.com/svg/overview/whatsnew.html
Cause:   Access control error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Adobe SVG Viewer Local and Remote File Reading (GM#003-MC)


GreyMagic Security Advisory GM#003-MC
=====================================

By GreyMagic Software, Israel.
07 Oct 2003.

Available in HTML format at http://security.greymagic.com/adv/gm003-mc/.

Topic: Adobe SVG Viewer Local and Remote File Reading.

Discovery date: 07 Sep 2003.

Affected applications:
======================

Adobe SVG Viewer (ASV) 3.0 and prior. 

Note that any other application that embeds ASV is affected as well,
including the WebBrowser control. Therefore, any application that makes use
of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN
Explorer, etc.). 


Introduction:
=============

Scalable Vector Graphics (SVG) is a relatively new XML-based language for
creating and controlling vector graphics. The language was standardized and
endorsed by the WWW Consortium (W3C). 

Several SVG parsers and renderers have been released as browser plugins, but
the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe:
"Adobe SVG Viewer 3.0 is available in 15 languages and many millions of
viewers have already been distributed worldwide." 


Discussion: 
===========

Adobe SVG Viewer exposes several non-standard extensions, among them are the
"postURL" and "getURL" methods. These methods are meant to make asynchronous
HTTP requests to a server and return the results to the SVG document via a
callback function that is supplied as an argument. 

Both "postURL" and "getURL" attempt to prevent requests to local files and
URLs on different domains for obvious security reasons. 

However, we discovered that when a valid URL is supplied to these methods,
and then redirects to a local or remote file, the content of that file is
returned, allowing an attacker to read any file on the user's computer and
remote sites. Notice that in this case cookies are sent to remote sites,
making the privacy breach quite severe. 

A significant mitigating factor in IE6 SP1 is its prevention of navigation
to local content from the Internet Zone. This means that users of IE6 SP1
(in the Internet Zone ONLY) are safe from having their local files read by
this vulnerability. However, they are not safe from remote URL reading. All
other versions of IE are vulnerable to both local and remote file reading. 


Exploit: 
========

The following code attempts to read a local or remote file; "rd.asp"
redirects to the desired unauthorized location.

getURL(
    "rd.asp",
    function (oResponse) {
        parent.alert(oResponse.content);
    }
); 


Demonstration:
==============

We put together a proof of concept demonstration, which can be found at
http://security.greymagic.com/adv/gm003-mc/.


Solution: 
=========

GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a
patched version (ASV 3.01) and made it available on the official ASV
download site at http://www.adobe.com/svg/viewer/install/mainframed.html. 


Tested on: 
==========

Adobe SVG Viewer 3 Build 76.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright © 2003 GreyMagic Software.
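
Added example (not part of the GreyMagic advisory and not Adobe's code): a small model of the check described in the Discussion section, showing a loader that validates only the URL the script supplied beside one that re-validates every redirect target. The hosts, the redirect table and the function names are constructed for illustration.

```javascript
// Constructed stand-in for server responses: URL -> redirect target.
// All hosts and paths are hypothetical sample data.
const REDIRECTS = new Map([
  ["http://svg.example/rd", "file:///C:/constructed/example.txt"],
  ["http://svg.example/hop", "http://other.example/private"],
  ["http://svg.example/moved", "http://svg.example/data.xml"],
]);

// Same origin means identical scheme and host:port.
function sameOrigin(a, b) {
  const x = new URL(a), y = new URL(b);
  return x.protocol === y.protocol && x.host === y.host;
}

// Hypothetical loader. checkEveryHop=false validates only the URL the script
// supplied (the flaw described above); true re-validates every redirect
// target before following it.
function resolve(docUrl, requested, checkEveryHop, maxHops = 5) {
  let url = new URL(requested, docUrl).href;
  if (!sameOrigin(docUrl, url)) return { allowed: false, blockedAt: url };
  for (let hop = 0; REDIRECTS.has(url); hop++) {
    if (hop >= maxHops) return { allowed: false, blockedAt: url }; // redirect loop
    const next = new URL(REDIRECTS.get(url), url).href;
    if (checkEveryHop && !sameOrigin(docUrl, next)) {
      return { allowed: false, blockedAt: next };
    }
    url = next;
  }
  return { allowed: true, finalUrl: url };
}

const DOC = "http://svg.example/doc.svg";
console.log(resolve(DOC, "rd", false)); // initial-URL check only
console.log(resolve(DOC, "rd", true));  // per-hop check
```

A same-origin redirect ("moved" in the table) still resolves under the per-hop check, so the stricter loader does not break legitimate redirects.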

 
 



Copyright 2019, SecurityGlobal.net LLC