Local file detection bug found through Adobe SVG Viewer
From: "Hyperdose Security" <robfly () hyperdose com>
Date: Wed, 4 May 2005 08:37:37 -0700
Hyperdose Security Advisory
Name: Local file detection bug found through Adobe SVG Viewer
Systems Affected: v3.0 (unclear if earlier versions were affected)
Author: Robert Fly - robfly () hyperdose com
Advisory URL: http://www.hyperdose.com/advisories/H2005-07.txt
From Adobe.com, "Adobe helps people and businesses communicate better
through its world-leading digital imaging, design, and document technology
platforms for consumers, creative professionals, and enterprises."
Adobe SVG Viewer contains a Safe for Scripting ActiveX control (file
NPSVG3.dll). The control contains a property named 'src'. When 'src' is
set to a file that does exist, the web page will stop loading immediately.
If 'src' is set to a file that does not exist, the page will continue to load
(specifically, readyState will not hit the complete state). Using this trick,
a web page can detect the existence of files on a user's hard drive. Knowing
the existence of files can be a stepping stone for further attacks.
Proof of concept: http://www.hyperdose.com/exploits/AdobeSVG.html
// foo is a reference to the SVG ActiveX control; filename is the
// filename you're looking for
foo.src = filename;
if (document.readyState != 'complete')
    alert('File does not exist.');
This bug is very similar to Hyperdose's last advisory on Adobe
(http://www.hyperdose.com/advisories/H2005-06.txt). The exploit mechanism
for this one, though, is more interesting. Be aware of timing-based attacks.
If you pay attention, they're out there.
Upgrade to version 3.03.
Details from Adobe found here:
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle. We specialize in all phases of software development,
ranging from security design and architectural reviews to security code
reviews and penetration testing.
email robfly () hyperdose com
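
Added example (not part of the original advisory and not Adobe's code): a constructed JavaScript model of the existence oracle described above, with a check that a loader's observable state is the same whether or not a local file exists. The file set, origins and function names are assumptions, and the hardened variant is one possible mitigation, not a description of the 3.03 fix.

```javascript
// Constructed model for illustration; not Adobe's code.
const LOCAL_FILES = new Set(['C:\\boot.ini']); // constructed sample file system

const isLocalPath = (src) => /^(file:|[a-z]:[\\/]|\\\\)/i.test(src);
const isRemoteOrigin = (origin) => /^https?:/i.test(origin);

// Leaky shape reported in the advisory: a missing file keeps the page
// from reaching readyState 'complete'. No origin check is made.
function leakyLoad(origin, src) {
  return { readyState: LOCAL_FILES.has(src) ? 'complete' : 'interactive' };
}

// Assumed mitigation: a remote page asking for a local path is refused
// before the file system is consulted, so the outcome cannot vary.
function hardenedLoad(origin, src) {
  if (isRemoteOrigin(origin) && isLocalPath(src)) {
    return { readyState: 'complete', loaded: false };
  }
  return leakyLoad(origin, src);
}

// True when a caller can tell a present path from an absent one by
// comparing observable state. Timing differences need a separate check.
function existenceOracle(load, origin, presentPath, absentPath) {
  const a = JSON.stringify(load(origin, presentPath));
  const b = JSON.stringify(load(origin, absentPath));
  return a !== b;
}

function report() {
  const origin = 'http://untrusted.example'; // constructed origin
  const args = [origin, 'C:\\boot.ini', 'C:\\no-such-file.txt'];
  return {
    leaky: existenceOracle(leakyLoad, ...args),
    hardened: existenceOracle(hardenedLoad, ...args),
  };
}

console.log(report()); // leaky is flagged, hardened is not
```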