GreyMagic Security Advisory GM#003-MC
=====================================

By GreyMagic Software, Israel.
07 Oct 2003.

Available in HTML format at <http://security.greymagic.com/adv/gm003-mc/>.

Topic: Adobe SVG Viewer Local and Remote File Reading.

Discovery date: 07 Sep 2003.

Affected applications:
======================

Adobe SVG Viewer (ASV) 3.0 and prior. 

Note that any other application that embeds ASV is affected as well,
including the WebBrowser control. Therefore, any application that makes use
of the WebBrowser control is vulnerable (Internet Explorer, AOL Browser, MSN
Explorer, etc.). 


Introduction:
=============

Scalable Vector Graphics (SVG) is a relatively new XML-based language for
creating and controlling vector graphics. The language was standardized and
endorsed by the WWW Consortium (W3C). 

Several SVG parsers and renderers have been released as browser plugins, but
the most popular of them all is Adobe SVG Viewer (ASV). According to Adobe:
"Adobe SVG Viewer 3.0 is available in 15 languages and many millions of
viewers have already been distributed worldwide." 


Discussion: 
===========

Adobe SVG Viewer exposes several non-standard extensions, among them are the
"postURL" and "getURL" methods. These methods are meant to make asynchronous
HTTP requests to a server and return the results to the SVG document via a
callback function that is supplied as an argument. 

Both "postURL" and "getURL" attempt to prevent requests to local files and
URLs on different domains for obvious security reasons. 

However, we discovered that when a valid URL is supplied to these methods,
and then redirects to a local or remote file, the content of that file is
returned, allowing an attacker to read any file on the user's computer and
remote sites. Notice that in this case cookies are sent to remote sites,
making the privacy breach quite severe. 

A significant mitigating factor in IE6 SP1 is its prevention of navigation
to local content from the Internet Zone. This means that users of IE6 SP1
(in the Internet Zone ONLY) are safe from having their local files read by
this vulnerability. However, they are not safe from remote URL reading. All
other versions of IE are vulnerable to both local and remote file reading. 


Exploit: 
========

The following code attempts to read a local or remote file, "rd.asp"
redirects to the desired unauthorized location. 

getURL(
"rd.asp",
function (oResponse) {
parent.alert(oResponse.content);
}
); 


Demonstration:
==============

We put together a proof of concept demonstration, which can be found at
<http://security.greymagic.com/adv/gm003-mc/>.


Solution: 
=========

GreyMagic brought this issue to Adobe on 09-Sep-2003. They have devised a
patched version (ASV 3.01) and made it available on the official ASV
download site at <http://www.adobe.com/svg/viewer/install/mainframed.html>. 


Tested on: 
==========

Adobe SVG Viewer 3 Build 76.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright c 2003 GreyMagic Software.