
The Image that called me

Active Content Injection with SVG Files A presentation by Mario Heiderich, 20

Introduction

Mario Heiderich

- Researcher and PhD student at the Ruhr-University, Bochum
- Security Researcher for Microsoft, Redmond
- Security Consultant for XING AG, Hamburg
- Published author and international speaker
- HTML5 Security Cheatsheet / H5SC
- PHPIDS Project

Today

SVGs and the modern Web

- What are SVGs?
- What are they capable of?
- Which browsers "understand" SVG?
- Why there are conflicted areas?

And what does that have to do with security?

SVG Images

Scalable Vector Graphics: XML based, therefore

- Versatile
- Accessible
- Compressible
- "Stylable" w/ CSS
- Open
- Great for mobile devices
- Easy to parse and process
- Ancient format, older than 10 years
- Relations to HTML5, the living standard

SVG History

- Proposed by several W3C members in 1998
- Derived from Adobe PostScript and VML
- Developed in 1999
- Currently at version 1.1
- Version 1.2 still a working draft
- Might be overtaken by SVG 2.0
- Gecko, WebKit, Presto, and Trident: good browser support

Basic Example

<svg xmlns="http://www.w3.org/2000/svg">
  <circle r="40" fill="red"></circle>
</svg>

(The SVG namespace is http://www.w3.org/2000/svg; an SVG served as a stand-alone XML document is only recognised as SVG when the root element is in that namespace.)

SVG Family

- SVG Tiny 1.2: designed for cellphones and smartphones, 47 tags
- SVG Basic 1.1: designed for handhelds, tablets and netbooks, 71 tags
- SVG Full 1.1: full feature set, 81 tags


Features

- Geometrical shapes: circles, ellipses, squares, lines and more
- SVG fonts: font-specific formatting and glyph styles
- Links
- Animations and transformations
- Gradients and effects
- Meta-data
- Scripting and events
- Inclusion of arbitrary objects

SVG in Action

Scripting

The following SVG executes JavaScript:

<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert(1)</script>
</svg>

More examples?

More Scripting

<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>

<svg xmlns="http://www.w3.org/2000/svg"><animation xlink:href="javascript:alert(1)"/></svg>

<svg xmlns="http://www.w3.org/2000/svg"><foreignObject xlink:href="javascript:alert(1)"/></svg>

<svg xmlns="http://www.w3.org/2000/svg"><set attributeName="onmouseover" to="alert(1)"/></svg>

<svg xmlns="http://www.w3.org/2000/svg"><handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">alert(1)</handler></svg>

Note that none of these needs a <script> element: an event attribute, a javascript: URL in an href, a SMIL <set> that writes an on* attribute, or an XML Events <handler> all reach script execution, so a filter that only looks for <script> misses four of the five.

Deploying SVGs

Several ways of deploying SVGs, implemented by modern browsers. Five important ones are:

- Opening the file directly
- Deployment via <object> or <embed>
- Deployment via <img> or <image>
- Deployment via CSS: background, list-style, content, cursor
- In-line SVG

Security Boundaries

- SVG capabilities depend on the deployment method
- A model based on expectations
- Heterogeneous implementations
- And a whole new world of bugs and vulnerabilities

XSS

- SVGs deployed via <img> and <image> tags should not execute JavaScript
- Same goes for SVGs used via CSS or SVG fonts
- SVGs deployed via <iframe>, <embed> or <object> should, though
- So browsers need different approaches
- Learning by fixing?

Local SVGs

SVGs opened directly are allowed to script. Imagine the following attack:

- Attacker uploads an image with an exciting motive to a server
- Victim navigates to the image, likes it, saves it locally (downloads folder or desktop)
- Victim wants to watch the image again and double-clicks it
- Image is an SVG and executes JavaScript locally
- Attacker can read local files (same directory, sub-folders)
- Attacker can even load and start Java applets or worse

Very likely to be used in real life attacks! Porn sites, email attachments, malware

In-line SVG

- Suggested by the HTML5 specs
- Working on all modern browsers, except Opera
- No strict XML parser anymore

<svg><circle r=40 fill=red></svg>

See: no quotes, no trailing slash

- Reduced feature set
- <svg> introduces many new XSS vectors
- XSS filter bypasses

Scoping

- SVG images are treated by browsers as XML
- Same is true for in-line SVG blocks
- XML treats plain-text tags differently
- Entities and canonical character representations are treated equally
- 0-day filter bypasses ahead

This enables a new attack technique on Firefox (DEMO). And it's even worse: in-line SVG "self-terminates" open HTML elements.

Opera

A long history of SVG flaws:

- JavaScript execution via SVG fonts
- XSS via CSS background images

Now SVGs deployed via CSS or <img> cannot script anymore. But not all kinds of attacks need scripting to succeed (DEMO).

Other Browsers

- Firefox 4 crashed badly on SVGs embedding JS
- Chrome produces weird things when using <foreignObject> and <iframe>s
- Opera deploys Java applets via SVG fonts

And what about other XML related attack patterns?

- External entities
- SVG Tiny 1.2 Java Events
- Entity bombs
- Etc. etc.

Some browsers support SVG masks, perfect for clickjacking.

Wrap-Up

- SVGs are not just images but mini-applications
- <img> tags can now deploy Java, PDF and Flash, and call you on Skype
- In-line SVG creates small XML islands enabling XML attacks on HTML websites
- SVG and XSLT work too, enabling DoS and other attacks
- Web security and XML security, they meet again! And XXE is back; remember 2002's advisories?
- SVG is not getting enough attention in the security community
- SVG provides a lot of room for more security research

Defense

More difficult than one might assume:

- No existing filter libs
- No good documentation
- XSS vectors are hard to comprehend
- New vectors coming up weekly

- SVG files should not be perceived as images
- Allowing SVG for upload == allowing HTML for upload
- SVG can embed, link or reference any kind of content across domain borders
- SVG provides new ways of payload obfuscation
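The following is an added example, not code from the presentation or from the SVG Purifier it mentions: a strict server-side upload gate that rejects any SVG carrying active or external content, covering the five "More Scripting" vectors, the entity-versus-canonical-character point from the Scoping slide, the XXE, entity-bomb and XSLT patterns, and the "allowing SVG == allowing HTML" rule above. It is written in Python because the gate lives in the upload handler, not in the browser, and it uses expat directly (the standard library's xml.parsers.expat) so that DOCTYPE and entity events can be intercepted before anything is expanded. The function names find_active_content and is_acceptable_svg, the sample SVGs, and the policy choices (rejecting any <style>, any processing instruction, any href that is not a local fragment, and any DOCTYPE with an internal subset) are assumptions of this example, not rules stated by the talk.

```python
"""Strict upload gate for SVG files (added example, not the talk's code)."""
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"

# Element local names (lower-cased) that run code or embed a foreign document.
ACTIVE_ELEMENTS = {"script", "handler", "foreignobject"}
# SMIL elements that can write arbitrary attributes, including on* and href.
ANIMATION_ELEMENTS = {"set", "animate", "animatetransform", "animatemotion", "animatecolor"}


class _Rejected(Exception):
    """Raised inside an expat handler to abort parsing on a fatal finding."""


def _local(name):
    """expat with namespace_separator='}' reports names as 'uri}local'."""
    return name.rpartition("}")[2]


def _normalize_url(value):
    """Drop tab/CR/LF (browser URL parsers ignore them), trim, lower-case."""
    return "".join(ch for ch in value if ch not in "\t\r\n").strip().lower()


def find_active_content(data):
    """Return the reasons an uploaded SVG must be rejected; [] means clean.

    `data` is the raw file body (bytes or str). Attribute values are checked
    after XML decoding, so &#x6a;avascript: is seen as javascript:, exactly
    as a browser's XML parser would see it.
    """
    findings = []
    seen_root = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # The internal subset is where <!ENTITY> lives (XXE, entity bombs).
        # An external-only DOCTYPE (as drawing tools emit) is never fetched
        # with parameter-entity parsing disabled below, so it is tolerated.
        if has_internal_subset:
            raise _Rejected("DOCTYPE with internal subset (entity declarations)")

    def on_entity_decl(*args):
        raise _Rejected("entity declaration present")

    def on_external_entity(context, base, sysid, pubid):
        raise _Rejected("external entity reference to %r" % (sysid,))

    def on_pi(target, pidata):
        # <?xml-stylesheet type="text/xsl" ...?> attaches XSLT to the image.
        findings.append("processing instruction <?%s?>" % target)

    def on_start(name, attrs):
        nonlocal seen_root
        local = _local(name)
        lower = local.lower()
        if not seen_root:
            seen_root = True
            if name != SVG_NS + "}svg":
                findings.append("root element is %r, not an SVG-namespace <svg>" % name)
        if lower in ACTIVE_ELEMENTS:
            findings.append("active element <%s>" % local)
        if lower == "style":
            findings.append("<style> element (CSS can load fonts and images)")
        for attr, value in attrs.items():
            alocal = _local(attr)
            alower = alocal.lower()
            if alower.startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (alocal, local))
            elif alower == "href":  # covers both xlink:href and SVG 2 href
                url = _normalize_url(value)
                if not url.startswith("#"):
                    scheme = url.split(":", 1)[0] if ":" in url else "relative"
                    findings.append("non-local href (%s) on <%s>" % (scheme, local))
            elif alower == "style" and "url(" in value.lower():
                findings.append("style attribute with url() on <%s>" % local)
        if lower in ANIMATION_ELEMENTS:
            target = attrs.get("attributeName", "")
            tlower = target.lower().split(":")[-1]
            if tlower.startswith("on") or tlower == "href":
                findings.append("<%s> retargeting %r" % (local, target))

    parser = expat.ParserCreate(namespace_separator="}")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Rejected as exc:
        findings.append(str(exc))
    except expat.ExpatError as exc:
        # Lenient HTML-parser syntax (unquoted attributes, unclosed tags) is
        # not a valid stand-alone SVG image; reject rather than guess.
        findings.append("not well-formed XML: %s" % exc)
    return findings


def is_acceptable_svg(data):
    """Upload policy: accept only SVG files with no findings at all."""
    return not find_active_content(data)


if __name__ == "__main__":
    # Constructed sample: the <set> vector from the talk, inside a valid root.
    sample = '<svg xmlns="%s"><set attributeName="onmouseover" to="alert(1)"/></svg>' % SVG_NS
    print(find_active_content(sample))
```

Two caveats a practitioner should keep in mind. First, this gate only covers SVG served as its own document (direct open, <object>, <embed>, <iframe>); in-line SVG inside HTML goes through the HTML parser, which accepts unquoted attributes and unclosed tags and case-folds names, so the "no strict XML parser anymore" case needs an HTML-aware filter instead. Second, accepting a file here does not change how the browser treats it: a file that passes should still be served in a way that never lets it run as a top-level document on the application's origin, for example as an attachment or from a separate image origin, because the local-SVG attack above needs no filter bypass at all.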

Future Work

SVG Purifier

- Based on HTMLPurifier 4.2.0
- Still very young, and so far unpublished
- More articles on the HTML5 Sec Cheatsheet Wiki

Publications, to raise awareness

- Academic publication is in preparation
- More demo vectors on the H5SC to demonstrate impact
- OWASP research and documentation?

Links

- Wikipedia on SVG: http://en.wikipedia.org/wiki/Scalable_Vector_Graphics
- W3C SVG Working Group: http://www.w3.org/Graphics/SVG/
- SVG Full 1.1 (W3C): http://www.w3.org/TR/SVG11/
- SVG Basic 1.1 and SVG Tiny 1.2: http://www.w3.org/TR/SVGMobile/
- SVG 2.0: http://dev.w3.org/SVG/profiles/2.0/publish/intro.html
- Adobe's SVG Zone: http://www.adobe.com/svg/
- H5SC: http://html5sec.org/
- XSLT and SVG: http://scarybeastsecurity.blogspot.com/20...riousity.html
- Opera SVG Bug: http://heideri.ch/opera/
- HTMLPurifier: http://htmlpurifier.org/
- JSBin: http://jsbin.com/
- More SVG fun: http://maliciousmarkup.blogspot.com/20...re-xml-fun.html

Thanks

Thanks for listening. Questions and comments? Discussion and tool preview?

Thanks to

- Gareth Heyes and Manuel Caballero from UNH
- Alexey Silin / LeverOne
- Dave Ross
