GreyMagic Security Advisory GM#004-MC
=====================================

By GreyMagic Software, Israel.
07 Oct 2003.

Available in HTML format at <http://security.greymagic.com/adv/gm004-mc/>.

Topic: Adobe SVG Viewer Cross Domain and Zone Access.

Discovery date: 07 Sep 2003.

Affected applications:
======================

Adobe SVG Viewer (ASV) 3.0 and prior. 

Note that any other application that embeds ASV is affected as well,
including the WebBrowser control. Therefore, any application that makes use
of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN
Explorer, etc.). 


Introduction:
=============

Scalable Vector Graphics (SVG) is a relatively new XML-based language for
creating and controlling vector graphics. The language was standardized and
endorsed by the WWW Consortium (W3C). 

Several SVG parsers and renderers have been released as browser plugins, but
the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe:
"Adobe SVG Viewer 3.0 is available in 15 languages and many millions of
viewers have already been distributed worldwide." 


Discussion: 
===========

One of the methods ASV implements that resemble the available methods in
HTML DOM is "alert". This method is meant to display a standard dialog
window with a message and wait for dismissal. 

When an SVG document performs an "alert()" command, the current execution
thread pauses and waits for user input (press the OK button). At that time,
using a different thread, an attacker can change the location (current URL)
of the window and load a victim domain. When the user finally dismisses the
alert dialog, the execution thread resumes normally, except now it has full
access to the victim document via the "parent" object. 

Currently, when using this method in conjunction with other components, the
implications include cookie theft, website impersonation, local file
reading, local file writing and arbitrary command execution. This could lead
to full control over the victim computer. 


Exploit: 
========

The following represents code in an embedded SVG document: 

alert("Press OK to continue...");
/* At this point, another thread changes the parent URL to the victim domain
*/
parent.alert(parent.location.href); /* Outputs victim domain once the user
pressed OK */

Notice that the user has no way to cancel the alert dialog, the choices are
to press OK or kill the process. 


Demonstration:
==============

We put together two proof of concept demonstrations, which can be found at
<http://security.greymagic.com/adv/gm004-mc/>.


Solution: 
=========

GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a
patched version (ASV 3.01) and made it available on the official ASV
download site at <http://www.adobe.com/svg/viewer/install/mainframed.html>. 


Tested on: 
==========

Adobe SVG Viewer 3 Build 76.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright c 2003 GreyMagic Software.