Hyperdose Security Advisory Name: Local file detection bug found through Adobe SVG Viewer Systems Affected: v3.0 (unclear if earlier versions were affected) Severity: Low Author: Robert Fly - robfly@hyperdose.com Advisory URL: http://www.hyperdose.com/advisories/H2005-07.txt --Adobe Description-- >From Adobe.com, "Adobe helps people and businesses communicate better through its world-leading digital imaging, design, and document technology platforms for consumers, creative professionals, and enterprises.". --Bug Details-- Adobe SVG Viewer contains a Safe for Scripting ActiveX control (file NPSVG3.dll). The control contains a property named 'src'. When 'src' is set to a file that does exist, the web page will stop loading immediately. If 'src' is set to a file that does not exist the page will continue to load (specifically readystate will not hit the complete state). Using this trick a little bit of javascript can be used to determine if local files exist on a users hard drive. Knowing the existence of files can be a stepping stone for further attacks. Proof of concept: http://www.hyperdose.com/exploits/AdobeSVG.html Sample Javascript: function load(filename) { //foo is reference to SVG ActiveX control, filename is the filename you're looking for foo.src = filename; setTimeout("loading()", 5000); } function loading() { if (document.readyState != 'complete') { alert('File does not exist.'); } else { alert('File exists.'); } window.location.reload(false); } This bug is very similar to Hyperdose's last advisory on Adobe (http://www.hyperdose.com/advisories/H2005-06.txt). The exploit mechanism for this one though is more interesting. Be aware of timing based attacks. If you pay attention, they're out there. --Fix Information-- Upgrade to version 3.03. Details from Adobe found here: http://www.adobe.com/svg/viewer/install/mainframed.html --About Hyperdose-- Hyperdose Security was founded to provide companies with application security knowledge through all parts of an application's security development lifecycle. We specialize in all phases of software development ranging from security design and architectural reviews, security code reviews and penetration testing. web www.hyperdose.com email robfly@hyperdose.com