________________________________________________________________________
From the low-hanging-fruit-department
Firefox et al. Denial of Service - All versions supporting SVG
________________________________________________________________________
CHEAP Plug :
************************************************************************
You are invited to participate in HACK.LU 2009, a small but concentrated
Luxembourgish security conference. More information: http://www.hack.lu
Remote exploitation of a memory corruption vulnerability in WebKit, as
included with multiple vendors' browsers, could allow an attacker to
execute arbitrary code with the privileges of the current user.
Scalable Vector Graphics (SVG) is an XML-based file format used to
describe two-dimensional vector graphics. It defines both a markup
language and a JavaScript interface.
When parsing a series of SVG tags, and then manipulating them via
JavaScript, Safari fails to handle exceptional conditions. It is
Problem Description:
Security issues were identified and fixed in mozilla firefox:
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that a flaw in the Mozilla SVG implementation could result
in an out-of-bounds memory access if SVG elements were removed during
a DOMAttrModified event handler (CVE-2011-3658).
Firefox prevents the dropping of javascript: links onto a frame
to prevent malicious sites from tricking users into performing
JavaScript if it assumed the dialogArguments could not be initialized
by another site. An anonymous security researcher, via TippingPoint's
Zero Day Initiative, also independently reported this issue to Mozilla
(CVE-2009-3988).
Mozilla security researcher Georgi Guninski reported that when an SVG
document which is served with Content-Type: application/octet-stream
is embedded into another document via an <embed> tag with
type=image/svg+xml, the Content-Type is ignored and the SVG document
is processed normally. A website which allows arbitrary binary data to
be uploaded but which relies on Content-Type: application/octet-stream
Details:
A buffer overflow vulnerability has been found in the Torque server. This was
reported to the EGI SVG (RT 1870) as well as to the Torque software providers.
This has been fixed by the Torque providers, and an updated version is also
available in EPEL.
http://securethoughts.com/security/chromelocalfilexss/chromedownload.php?fname=WATCHMENAKED.mhtml
2. The SVG (Scalable Vector Graphics) file is a registered extension in some
Safari versions, and hence an SVG file gets automatically opened in Safari. If
you ever had an older version of Safari on your computer, this extension
will most probably still be in your registry. Hence, it does not matter what
your current version of Safari is (you may very well be using the latest
version of Safari). So the exploit works like this:
ZDI-09-034: Apple Safari SVG Set.targetElement() Memory Corruption
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-034
June 8, 2009
-- CVE ID:
CVE-2009-1709
-- Affected Vendors:
Apple
JBIG2Stream.cxx vector may overlap CVE-2009-1179. (CVE-2009-0791).
Use-after-free vulnerability in the garbage-collection implementation
in WebCore in WebKit in Apple Safari before 4.0 allows remote
attackers to execute arbitrary code or cause a denial of service
(heap corruption and application crash) via an SVG animation element,
related to SVG set objects, SVG marker elements, the targetElement
attribute, and unspecified caches. (CVE-2009-1709).
WebKit, as used in Safari before 3.2.3 and 4 Public Beta, on Apple
Mac OS X 10.4.11 and 10.5 before 10.5.7 and Windows allows remote
Affected: 2008.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in kdegraphics (ksvg):
Use-after-free vulnerability in the garbage-collection implementation
in WebCore in WebKit in Apple Safari before 4.0 allows remote
attackers to execute arbitrary code or cause a denial of service
(heap corruption and application crash) via an SVG animation element,
Problem Description:
Security issues were identified and fixed in mozilla firefox and
thunderbird:
The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and
SeaMonkey 2.5 does not properly interact with DOMAttrModified event
handlers, which allows remote attackers to cause a denial of service
(out-of-bounds memory access) or possibly have unspecified other
impact via vectors involving removal of SVG elements (CVE-2011-3658).
CVE-2010-4199
WebKit does not properly perform a cast of an
unspecified variable during processing of an SVG use element, which allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via a crafted SVG document.
CVE-2010-4040
the necessary changes.
Details follow:
It was discovered that KDE-Libs did not properly handle certain malformed
SVG images. If a user were tricked into opening a specially crafted SVG
image, an attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program. This
issue only affected Ubuntu 9.04. (CVE-2009-0945)
It was discovered that the KDE JavaScript garbage collector did not
ZDI-08-006: Microsoft Internet Explorer SVG animateMotion.by Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-006.html
February 12, 2008
-- CVE ID:
CVE-2008-077
-- Affected Vendor:
Microsoft
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
ksvg 4:3.5.10-0ubuntu1~hardy1.1
After a standard system upgrade you need to restart your session to effect
the necessary changes.
Details follow:
####################
Proof Of Concept
####################
Save this code as image.svg and open it with Safari. Look,
I have added some "extra" pixels in the font-size text style.
################ BOF image.svg ######################
<?xml version="1.0"?>
ZDI-11-240: Apple Safari Webkit SVG Marker Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-240
July 27, 2011
-- CVE ID:
CVE-2011-1453
-- CVSS:
David Remahl discovered that mediawiki1.7 is prone to a cross-site scripting attack.
CVE-2008-5250
David Remahl discovered that mediawiki1.7, when Internet Explorer is used and
uploads are enabled, or an SVG scripting browser is used and SVG uploads are
enabled, allows remote authenticated users to inject arbitrary web script or
HTML by editing a wiki page.
CVE-2008-5252
ZDI-10-153: Apple Webkit SVG Floating Text Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-153
August 11, 2010
-- CVE ID:
CVE-2010-1787
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-10-141: Apple Webkit SVG ForeignObject Rendering Layout Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-141
August 5, 2010
-- CVE ID:
CVE-2010-1786
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-10-142: Apple Webkit SVG First-Letter Style Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-142
August 5, 2010
-- CVE ID:
CVE-2010-1785
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ZDI-11-224: Mozilla Firefox SVGPointList.appendItem Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-224
June 21, 2011
-- CVE ID:
CVE-2011-2363
-- CVSS:
ZDI-11-270: Mozilla Firefox SVGTextElement.getCharNumAtPosition Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-270
August 17, 2011
-- CVE ID:
CVE-2011-0084
-- CVSS:
Several vulnerabilities have been discovered in Icedove, an unbranded
version of the Thunderbird mail/news client.
CVE-2011-0083 / CVE-2011-2363
"regenrecht" discovered two use-after-frees in SVG processing,
which could lead to the execution of arbitrary code.
CVE-2011-0085
"regenrecht" discovered a use-after-free in XUL processing, which
Background
==========
Graphviz is an open-source multi-platform graph visualization software. It
takes a description of graphs in a simple text format (DOT language), and
makes diagrams out of it in several useful formats (including SVG).
Description
===========
A vulnerability exists in Graphviz's parsing engine which makes it possible to
overflow a globally allocated array and corrupt memory by doing so.
Flash content, which could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-2467)
It was discovered that Firefox did not properly handle some
SVG content, which could lead to a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-2469)
A flaw was discovered in the JavaScript engine which could be used
to perform cross-site scripting attacks. (CVE-2009-2472)
memory corruption under certain circumstances, and we presume that
with enough effort at least some of these could be exploited to run
arbitrary code (CVE-2011-2982).
Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative that an SVG text manipulation routine contained a dangling
pointer vulnerability (CVE-2011-0084).
Mozilla security researcher moz_bug_r_a_4 reported a vulnerability in
event management code that would permit JavaScript to be run in the
wrong context, including that of a different website or potentially
Soroush Dalili discovered that a cross-site scripting countermeasure
related to JavaScript URLs could be bypassed.
CVE-2012-0456
Atte Kettunen discovered an out of bounds read in the SVG Filters,
resulting in memory disclosure.
CVE-2012-0458
Mariusz Mlynski discovered that privileges could be escalated through
of arbitrary code.
CVE-2010-0162
Georgi Guninski discovered that the same origin policy can be
bypassed through specially crafted SVG documents.
For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.18-1.
For the unstable distribution (sid), these problems have been fixed in
Several vulnerabilities have been found in Iceweasel, a web browser
based on Firefox:
CVE-2011-0083 / CVE-2011-2363
"regenrecht" discovered two use-after-frees in SVG processing, which
could lead to the execution of arbitrary code.
CVE-2011-0085
"regenrecht" discovered a use-after-free in XUL processing, which
Several vulnerabilities have been found in the Iceape internet suite, an
unbranded version of SeaMonkey:
CVE-2011-0084
"regenrecht" discovered that incorrect pointer handling in the SVG
processing code could lead to the execution of arbitrary code.
CVE-2011-2378
"regenrecht" discovered that incorrect memory management in DOM