Adobe SVG Viewer Cross-Domain Access Flaw Lets Remote Users Execute Code in Arbitrary Domains
SecurityTracker Alert ID: 1007895
SecurityTracker URL: http://securitytracker.com/id/1007895
Date: Oct 7 2003
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 3.0 and prior versions
Another cross-domain security vulnerability was reported in the Adobe SVG Viewer. A remote user can execute arbitrary commands and write files on the target user's system.
GreyMagic Software reported that the Adobe SVG Viewer allows a remote user to create an SVG document or HTML code that, when loaded, requests user input via the "alert()" command, changes the URL of the window to a different domain while that request is pending, and then continues execution in the new domain. The domain change is made from a thread separate from the one handling the user-input request.
According to the advisory, a remote user can steal cookies, impersonate web sites, read local files, and execute arbitrary commands by exploiting this method.
A demonstration exploit is available at:
The vendor was reportedly notified on September 9, 2003.
A remote user can execute scripting code in an arbitrary domain. This allows the remote user to read files and execute commands in the Local Computer zone.
The vendor has released a fixed version (3.01), available at:
Vendor URL: www.adobe.com/svg/overview/whatsnew.html
Access control error, State error
Underlying OS: Windows (Any)
Source Message Contents
Subject: Adobe SVG Viewer Cross Domain and Zone Access (GM#004-MC)
GreyMagic Security Advisory GM#004-MC
By GreyMagic Software, Israel.
07 Oct 2003.
Available in HTML format at http://security.greymagic.com/adv/gm004-mc/.
Topic: Adobe SVG Viewer Cross Domain and Zone Access.
Discovery date: 07 Sep 2003.
Adobe SVG Viewer (ASV) 3.0 and prior.
Note that any other application that embeds ASV is affected as well,
including the WebBrowser control. Therefore, any application that makes use
of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN
Scalable Vector Graphics (SVG) is a relatively new XML-based language for
creating and controlling vector graphics. The language was standardized and
endorsed by the WWW Consortium (W3C).
Several SVG parsers and renderers have been released as browser plugins, but
the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe:
"Adobe SVG Viewer 3.0 is available in 15 languages and many millions of
viewers have already been distributed worldwide."
One of the methods ASV implements that resemble the available methods in
HTML DOM is "alert". This method is meant to display a standard dialog
window with a message and wait for dismissal.
When an SVG document performs an "alert()" command, the current execution
thread pauses and waits for user input (press the OK button). At that time,
using a different thread, an attacker can change the location (current URL)
of the window and load a victim domain. When the user finally dismisses the
alert dialog, the execution thread resumes normally, except now it has full
access to the victim document via the "parent" object.
Currently, when using this method in conjunction with other components, the
implications include cookie theft, website impersonation, local file
reading, local file writing and arbitrary command execution. This could lead
to full control over the victim computer.
The following represents code in an embedded SVG document:
alert("Press OK to continue...");
/* At this point, another thread changes the parent URL to the victim domain */
parent.alert(parent.location.href); /* Outputs victim domain once the user pressed OK */
Notice that the user has no way to cancel the alert dialog, the choices are
to press OK or kill the process.
We put together two proof of concept demonstrations, which can be found at
GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a
patched version (ASV 3.01) and made it available on the official ASV
download site at http://www.adobe.com/svg/viewer/install/mainframed.html.
Adobe SVG Viewer 3 Build 76.
The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.
GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory.
- Copyright © 2003 GreyMagic Software.
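
As an added illustration (not part of the SecurityTracker entry or the GreyMagic advisory, and not Adobe's code), the simplified model below shows the state error described above: an access decision taken before the blocking alert() is reused after the window has been navigated, next to a host that re-checks the origin on every access. The class names, function names, URLs and cookie values are constructed assumptions.

```javascript
// Simplified, constructed model of a script host; all names, URLs and cookies are hypothetical.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

class ParentWindow {
  constructor(url, cookie) { this.navigate(url, cookie); }
  // A location change replaces the document the window holds.
  navigate(url, cookie) {
    this.location = url;
    this.document = { cookie };
  }
}

class ScriptHost {
  constructor(scriptUrl, parent, recheck) {
    this.scriptOrigin = originOf(scriptUrl); // fixed when the script loads
    this.parent = parent;
    this.recheck = recheck;
    // Decision taken once, at load time (time of check).
    this.allowed = this.scriptOrigin === originOf(parent.location);
  }
  // Every script access to `parent` passes through here (time of use).
  readParentCookie() {
    const ok = this.recheck
      ? this.scriptOrigin === originOf(this.parent.location)
      : this.allowed;
    if (!ok) throw new Error("cross-origin access denied");
    return this.parent.document.cookie;
  }
}

// Replays the advisory's sequence: access, navigation during alert(), access again.
function replay(recheck) {
  const parent = new ParentWindow("http://embedder.example/page.html", "embedder-cookie");
  const host = new ScriptHost("http://embedder.example/pic.svg", parent, recheck);
  const before = host.readParentCookie(); // same origin: allowed
  // alert() is pending here; another thread changes the window location
  parent.navigate("http://other.example/", "other-cookie");
  try {
    return { before, after: host.readParentCookie(), denied: null };
  } catch (e) {
    return { before, after: null, denied: e.message };
  }
}

console.log("cached decision:", replay(false));
console.log("re-checked     :", replay(true));
```

With the cached decision the second read returns the new document's cookie; with the per-access check it is refused because the script's origin no longer matches the window's.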