Sonatype Delivers Premium Open Source Controls to GitHub | Press Release

blog-logo Sonatype Blog

Nexus Intelligence Insights - CVE-2017-5662 - Cross-Site Scripting (XSS)

January 25, 2019 By Elisa Velarde

Happy New Year!

To kick off 2019 we will be covering a vulnerability that is complex in context. All developers are aware of the varieties of privilege escalation and Cross-Site Scripting (XSS) that allow bad actors to exploit their way to sensitive files. CVE-2017-5662 is another example of one of those vulnerabilities and, in this case, allows a very specific vector for the hack  – SVG files.

Name of the Vuln/Sonatype ID: CVE-2017-5662

Type of vulnerability: DoS

Components affected: Apache Batik before version 1.8 

Vulnerability Description:

SVG file exploits are not new, nor are they unique. With literally thousands documented over the years, SVG file attacks are common enough that they’ve inspired the creation of a couple of different filters to make them somewhat safer. Their capability as a scalable XML text file for images versus true image files like JPEG, GIF, or BMP permit both their design flexibility and inherent danger.

Because SVG files are often simply treated as images and accepted in lieu of traditional image files, it is common for developers to fall into routine thinking and treat any user-submitted SVG file as syntactically valid. However, because at their core, SVG files are far more dynamic, there is a high probability of their misuse if every XML tag and value in the SVG file is not scrutinized when they are processed. As a minor example, an SVG created with an older, deprecated standard could be storing a metadata value, such as the name of the Author within it. If a developer is not careful and blindly trusts these values, rendering them can lead to XSS attacks if an attacker is able to supply a crafted SVG.

The Attack Mechanics:

Treating SVG files carelessly means that compromise is much easier than developers might think. It only takes a few lines of malformed XML against a root account for an attacker to gain access to sensitive files or data, or initiate a Denial of Service (DoS) by triggering an amplification attack.

The critical point to remember is that SVG files aren’t image files and, as such, their XML format makes them a powerful means to exploit a variety of vulnerabilities.

In this case, an image could be worth a thousand words - literally.

A Real-world example:

CVE-2017-5662 specifically addresses an Apache Batik manipulation that allows a bad actor to create malformed XML in an SVG file in order to create a DoS attack on the server.

An example of a real, crafted SVG file is: https://issues.apache.org/jira/secure/attachment/12776137/ssrf.svg 
When rendered within a web browser or an SVG viewer, a simple text from the SVG document is displayed: I♡XML!

However, the XML source reveals an external DTD link within the  <!DOCTYPE> tag, which if parsed by the application could cause security issues, depending on how it is being used. In this particular case, the crafted SVG may cause Server-Side Request Forgery (SSRF) attacks or be misused for port-scanning.

Preview of the SVG file in Chrome web browser:

I heart XML v2

Source of `ssrf.svg`:

Batik v3

When inspected with netcat (nc), the following HTTP request headers are observed having been sent sent by Apache Batik, as the SVG is parsed.

chaotic@m0lly:~$ nc -l 2323
GET / HTTP/1.1
User-Agent: Java/1.7.0_60-ea
Host: localhost:2323
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

As you can see, the command is issued to accept text/html and then keep the connection open. If the server processes the syntax as written, a DoS attack is executed.

Why it matters:

Administering an attack like the SVG vector exploit could take down a server running any Batik component version before 1.8. In addition, depending on the context and user being compromised, could expose an organization’s most sensitive data.

The best remediation path:

Upgrade to Batik version 2.2, where this vulnerability has been fixed.

DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that allows them to stay one step ahead of the hackers. Customers of Sonatype Nexus were notified of CVE-2017-5662 within days of the discovery. Their development teams automatically received instructions on how to remediate the risk.

Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities.

If you're not a Sonatype customer, and want to find out if you're using the vulnerable version of Apache Batik in a specific application, you can use Sonatype's free Nexus Vulnerability Scanner to quickly find out.  


 

 

 

Tags: vulnerabilities, Nexus Intelligence, apache batik, Nexus Intelligence Insights, cve-2017-5662

Written by Elisa Velarde

Elisa is a Senior Product Marketing Manager at Sonatype. She brings over 10 years of experience in sourcing, mentoring, and leading Marketing or full Agile product teams while maintaining a collaborative, cross-departmental approach to support company goals.