Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Adobe SVG Viewer Active Scripting Bypass (GM#002-MC)
From: GreyMagic Software (securityGREYMAGIC.COM)
Date: Tue Oct 07 2003 - 10:58:12 CDT
GreyMagic Security Advisory GM#002-MC
By GreyMagic Software, Israel.
07 Oct 2003.
Available in HTML format at http://security.greymagic.com/adv/gm002-mc/.
Topic: Adobe SVG Viewer Active Scripting Bypass.
Discovery date: 19 Aug 2003.
Adobe SVG Viewer (ASV) 3.0 and prior.
Note that any other application that embeds ASV is affected as well,
including the WebBrowser control. Therefore, any application that makes use
of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN
Scalable Vector Graphics (SVG) is a relatively new XML-based language for
creating and controlling vector graphics. The language was standardized and
endorsed by the WWW Consortium (W3C).
Several SVG parsers and renderers have been released as browser plugins, but
the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe:
"Adobe SVG Viewer 3.0 is available in 15 languages and many millions of
viewers have already been distributed worldwide."
SVG documents may be manipulated by script, through a full Document Object
Model that the plugin exposes. In order to achieve an independent method of
manipulation, ASV creates an instance of the Microsoft JScript engine, which
is then used to parse and execute script blocks that appear in the document.
When parsed in the browser environment, SVG documents are able to interact
with the containing HTML document by using the "parent" property. By
referring to the HTML document, script running in the SVG document is able
to fully control the parent's content.
The problem is that ASV completely disregards the browser's Active Scripting
settings. Thereby, making it easy for attackers to utilize scripting
abilities and HTML DOM manipulations without having to rely on Active
Scripting being enabled by the user. Many users choose to disable Active
Scripting in the browser for security reasons, since even though Active
Scripting isn't in itself a threat (in most cases), it happens to be a major
component in browser-based attacks.
We put together a proof of concept demonstration, which can be found at
GreyMagic brought this issue to Adobe on 21-Aug-2003. They have devised a
patched version (ASV 3.01) and made it available on the official ASV
download site at http://www.adobe.com/svg/viewer/install/mainframed.html.
Adobe SVG Viewer 3 Build 76.
The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.
GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory.
- Copyright © 2003 GreyMagic Software.
Want to reply to the person who sent this message?
This list is configured such that just hitting reply is going to result in
the message coming to the list, not to the individual who sent the message.
This was done to help reduce the number of Out of Office messages posters
received. So if you want to send a reply just to the poster, you''ll have to
copy their email address out of the message and place it in your TO: field.