Mario Heiderich OWASP Sweden the Image That Called Me

Oct 17, 2015

Transcript
  • 5/27/2018 Mario Heiderich OWASP Sweden the Image That Called Me

    1/24

    The Image that called me: Active Content Injection with SVG Files

    A presentation by Mario Heiderich, 20

    2/24

    Introduction

    Mario Heiderich

    Researcher and PhD student at the Ruhr-University, Bochum

    Security Researcher for Microsoft, Redmond; Security Consultant for XING AG, Hamburg

    Published author and international speaker

    HTML5 Security Cheatsheet / H5SC, PHPIDS Project

    3/24

    Today

    SVGs and the modern web

    What are SVGs?

    What are they capable of?

    Which browsers "understand" SVG?

    Why there are conflicted areas?

    And what does that have to do with security?

    4/24

    SVG Images

    Scalable Vector Graphics

    XML based, therefore

    Versatile

    Accessible

    Compressible

    "Stylable" - CSS

    Open

    Great for mobile devices

    Easy to parse and process

    Ancient format, older than 10 years

    Relations to HTML5, the living standard

    5/24

    SVG History

    Proposed by several W3C members in 1998

    Derived from Adobe Postscript and VML

    Developed in 1999

    Currently at version 1.1

    Version 1.2 still a working draft

    Might be overtaken by SVG 2.0

    Good browser support

    Gecko, Webkit, Presto, and Trident

    6/24

    Basic Example

    (Example markup not captured in the transcript; only the namespace URL http://www.w3.org/1999/svg survives)

    7/24

    SVG Family

    SVG Tiny 1.2

    Designed for cellphones and smart-phones

    4? Tags

    SVG Basic 1.1

    Designed for handhelds, tablets and net-books

    8/24

    Features

    Geometrical shapes

    Circles, ellipses, squares, lines and more

    SVG fonts

    Font specific formatting and glyph styles

    Animations and Transformations

    Gradients and Effects

    Meta-data

    Scripting and Events

    Inclusion of arbitrary objects

    9/24

    SVG in Action

    10/24

    Scripting

    The following SVG executes JavaScript

    More examples?

    alert(1)

    (Example markup not captured in the transcript; only the namespace URL http://www.w3.org/1999/svg survives)

    11/24

    More Scripting

    alert(1)

    (Example markup not captured in the transcript; only the link targets http://www.w3.org/2000/svg and http://alert%281/ survive)

    12/24

    Deploying SVGs

    Several ways of deploying SVGs, implemented by modern browsers

    Five important ones are:

    Opening the file directly

    Deployment via … or …

    Deployment via … or …

    Deployment via CSS: background, list-style, content, cursor

    In-line SVG

    13/24

    Security Boundaries

    SVG capabilities based on deployment method

    A model, based on expectations

    Heterogeneous implementations

    And a whole new world of bugs and vulnerabilities

    14/24

    XSS

    SVGs deployed via … and … tag should not execute JavaScript

    Same goes for SVGs used via CSS

    Or SVG fonts

    SVGs deployed via …, … or … should, though

    So browsers need different approaches

    Learning by fixing?

    15/24

    Local SVGs

    SVGs opened directly are allowed to script

    Imagine the following attack:

    Attacker uploads an image with an exciting motive to a server

    Victim navigates to the image, likes it, saves it locally, downloads folder or desktop

    Victim wants to watch the image again and double-clicks it

    Image is an SVG and executes JavaScript locally

    Attacker can read local files (same directory, sub-folders)

    Attacker can even load and start Java applets or worse

    Very likely to be used in real life attacks

    Porn sites, Email attachments, Malware

    16/24

    In-line SVG

    Suggested by the HTML5 specs

    Working on all modern browsers except Opera

    No strict XML parser anymore

    See: no quotes, no trailing slash

    Reduced feature set introduces many new XSS vectors

    XSS filter bypasses

    17/24

    Scoping

    SVG images are treated by browsers as XML

    Same is for in-line SVG blocks

    XML treats plain-text tags differently

    Entities and canonical character representations are treated equally

    0-Day filter bypasses ahead. This enables a new attack technique on Firefox

    DEMO

    And it's even worse

    In-line SVG "self-terminates" open HTML elements

    http://jsbin.com/orufu4

    18/24

    Opera

    A long history of SVG flaws

    JavaScript execution via SVG fonts

    XSS via CSS background images

    Now SVGs deployed via CSS cannot script anymore

    But - not all kinds of attacks need scripting to succeed

    DEMO

    http://html5sec.org/#43
    http://heideri.ch/opera

    19/24

    Other Browsers

    Firefox 4 crashed badly on SVGs embedding JS

    Chrome produces weird things when using <foreignObject> and <iframe>s

    Opera deploys Java applets via SVG fonts

    And what about other XML related attack patterns?

    External entities

    SVG Tiny 1.2 Java Events

    Entity bombs. Etc. etc.

    Some browsers support SVG Masks, perfect for click-jacking

    20/24

    Wrap-Up

    SVGs are not just images but mini-applications

    … tags can now deploy Java, PDF and Flash and call you on Skype

    In-line SVG creates small XML islands enabling XML attacks on HTML websites

    SVG and XSLT work too, enabling DoS and other attacks

    Web-security and XML security, they meet again

    And XXE is back, remember 2002's advisories?

    SVG is not getting enough attention in the security community

    SVG provides a lot of room for more security research

    21/24

    Defense

    More difficult than one might assume

    No existing filter libs

    No good documentation

    XSS vectors are hard to comprehend

    New vectors coming up weekly

    SVG files should not be perceived as images

    Allowing SVG for upload == allowing HTML for upload

    SVG can embed, link or reference any kind of content over cross domain borders

    SVG provides new ways of payload obfuscation
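    As an added, defender-side illustration of the "allowing SVG upload == allowing HTML upload" point (example code written for this page, not the SVG Purifier the talk mentions; the function name and the sample documents are hypothetical and constructed), the scan below walks a parsed SVG and flags the active-content classes the talk lists, refuses DTD/entity declarations before parsing, and shows why checking after XML parsing catches entity-encoded script URLs that a byte-level filter would miss:

```python
import re
import xml.etree.ElementTree as ET

# Example code added for this page, not the talk's SVG Purifier; all names are hypothetical.
ACTIVE_TAGS = {"script", "foreignObject", "handler", "listener"}

def _local(name):
    return name.rsplit("}", 1)[-1]   # ElementTree spells namespaced names '{uri}local'

def find_active_content(svg_text):
    """Return a list of findings for one SVG document; an empty list means nothing active was seen."""
    findings = []
    # DTD and entity declarations are where XXE and entity bombs live: check the raw text and stop
    # before parsing, because a parser that expands the entities has already paid the cost.
    if re.search(r"<!(DOCTYPE|ENTITY)\b", svg_text, re.IGNORECASE):
        return ["DTD/entity declaration present (rejected before parsing)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # A standalone SVG must be well-formed XML; in-line SVG goes through the lenient HTML parser.
        return ["not well-formed XML (an HTML parser would still render it in-line)"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            attr = _local(attr)          # xlink:href and href are the same thing here
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr == "href":
                # Character references such as &#x6A;avascript: are already decoded here, exactly as
                # in a browser, so a check on the raw bytes would miss them; whitespace inside the
                # scheme is ignored by browsers too, so it is stripped before matching.
                target = re.sub(r"\s", "", value).lower()
                if target.startswith(("javascript:", "vbscript:")):
                    findings.append(f"script URL in href on <{tag}>")
                elif "://" in target and tag != "a":
                    findings.append(f"remote reference in href on <{tag}>")
    return findings

# Constructed samples: a harmless icon, and one carrying each class of active content checked above.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="&#x6A;ava&#9;script:alert(1)"><text x="0" y="10">click</text></a>
  <image xlink:href="http://example.invalid/remote.svg" width="10" height="10"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><p>html inside</p></body></foreignObject>
</svg>"""
```

    A real upload gate would reject on any non-empty result; the remote-reference check is the talk's "cross domain borders" point, and the lenient in-line HTML parsing is why a check on standalone XML well-formedness alone is not enough.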

    22/24

    Future Work

    SVG Purifier

    Based on HTMLPurifier 4.2.0

    Still very young, and so far unpublished

    More articles on the HTML5 Sec Cheatsheet Wiki (Publications) to raise awareness

    Academic publication is in preparation

    More demo vectors on the H5SC to demonstrate impact

    OWASP research and documentation?

    23/24

    Links

    Wikipedia on SVG: http://en.wikipedia.org/wiki/Scalable_Vector_Graphics

    W3C SVG Working Group: http://www.w3.org/Graphics/SVG/

    SVG Full 1.1 (W3C): http://www.w3.org/TR/SVG11/

    SVG Basic 1.1 and SVG Tiny 1.2: http://www.w3.org/TR/SVGMobile/

    SVG 2.0: http://dev.w3.org/SVG/profiles/2.0/publish/intro.html

    Adobe's SVG Zone: http://www.adobe.com/svg/

    H5SC: http://html5sec.org/

    XSLT and SVG: http://scarybeastsecurity.blogspot.com/2011/01/harmless-svg-xslt-curiousity.html

    Opera SVG Bug: http://heideri.ch/opera/

    HTMLPurifier: http://htmlpurifier.org/

    JSBin: http://jsbin.com/

    More SVG fun: http://maliciousmarkup.blogspot.com/2008/11/svg-and-more-xml-fun.html

    24/24

    Thanks

    Thanks for listening

    Questions? Comments?

    Discussion and tool preview?

    Thanks to

    Gareth Heyes and Manuel Caballero from UH

    Alexey Silin / LeverOne

    Dave Ross