Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

When URL parsers disagree (CVE-2023-38633)- 1235

Zac Sims - Canva Posted 2 Years Ago
  • URL parsing is very hard to do properly. There is a standard, but it has been updated and changed over the years. Additionally, if the URL that is verified differs at any point from the URL that is actually used, this verification-vs-use gap can lead to massive security issues. In this article, they were looking at an SVG parser.
  • Previous research has shown that the Inkscape CLI parser is vulnerable to path traversal within rendered SVGs. This parser also supports XInclude, a mechanism for merging XML documents (SVGs are just XML). The underlying library for Inkscape is librsvg, which Canva uses.
  • Within librsvg, every URL goes through validation to ensure it is not malicious. For instance, being able to include arbitrary local files would be a big no-no. The rules are VERY strict, making it relatively safe to use.
  • Validation is done with one URL parser, but the loading of the referenced file is done through a different one, Gio. Any time two parsers operate on the same data, there are likely many bugs lurking. A slight misunderstanding on one end could lead to the break you need.
  • The authors of the post set up a fuzzer to test the differences in the file resolve process. While doing this, they noticed that current.svg?../../../../../../../etc/passwd passes the validation but can resolve files. How is this? From my understanding, the ? gets stripped from the resolver and is unhandled by the validator.
  • The Gio parser will happily traverse files and traverse further up. A canonicalization process is done on the link. As it turns out, it starts in the directory the program is running from. So, placing a . at the beginning can be used to force the program to traverse further up.
  • The full SVG link is .?../../../../../../../etc/passwd. To me, this really shows the power of differential fuzzing. Who would have thought about a question mark in the path? Not me, only the fuzzer.
  • At the end, they note some interesting things going forward for similar research. My favorite is that the file URIs support query strings, but this varies depending on the library.
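The verification-vs-use gap described above is easy to reproduce in miniature. The following is an added example written for this page; it is not code from the Canva post, librsvg, or Gio. It models a string-level validator (only the URL's path component is checked for `..` segments) beside a loader that treats the whole reference as a relative filename and canonicalizes it, then shows the fix a defender wants: check the object you will actually use (the resolved, canonical path) for containment in an allowed base directory. The `/srv/svg` base directory and the filenames are constructed for illustration; the two traversal strings are the ones quoted in the notes.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical directory the renderer is allowed to read from (constructed).
BASE_DIR = "/srv/svg"


def naive_validate(href: str) -> bool:
    """String-level validator modelled on the class of check the post
    describes: parse as a URL, look only at the path component, and reject
    any '..' segment. It never sees the query string. Constructed for
    illustration; these are not librsvg's actual rules."""
    path = urlsplit(href).path
    return ".." not in path.split("/")


def loader_resolve(base_file: str, href: str) -> str:
    """Loader modelled on a resolver that treats the entire reference,
    '?' included, as a relative filename next to the referencing file and
    canonicalizes it. Constructed to illustrate the disagreement, not a
    faithful copy of Gio."""
    joined = posixpath.join(posixpath.dirname(base_file), href)
    return posixpath.normpath(joined)


def is_within(base_dir: str, path: str) -> bool:
    """True if the canonical path lies inside base_dir (or is base_dir)."""
    base = posixpath.normpath(base_dir)
    return posixpath.commonpath([base, path]) == base


def safe_resolve(base_dir: str, base_file: str, href: str) -> Optional[str]:
    """Hardened resolver: validate the value that will be used, not the
    string that was parsed. Resolve with the loader's own logic, then enforce
    containment in base_dir. Returns the path or None if rejected."""
    resolved = loader_resolve(base_file, href)
    if not is_within(base_dir, resolved):
        return None
    return resolved


def find_disagreements(base_dir: str, base_file: str,
                       hrefs: List[str]) -> List[Tuple[str, str]]:
    """Regression check for the validator/loader gap: report every reference
    the string validator accepts but the loader resolves outside base_dir."""
    findings = []
    for href in hrefs:
        resolved = loader_resolve(base_file, href)
        if naive_validate(href) and not is_within(base_dir, resolved):
            findings.append((href, resolved))
    return findings


# Constructed sample references, including the two strings from the notes.
SAMPLE_HREFS = [
    "icons/logo.svg",                                  # benign relative ref
    "../../etc/passwd",                                # plain traversal
    ".?../../../../../../../etc/passwd",               # from the notes
    "current.svg?../../../../../../../etc/passwd",     # from the notes
]

if __name__ == "__main__":
    base_file = posixpath.join(BASE_DIR, "current.svg")
    for href, resolved in find_disagreements(BASE_DIR, base_file, SAMPLE_HREFS):
        print(f"validator accepts {href!r} but loader resolves to {resolved}")
    for href in SAMPLE_HREFS:
        print(f"{href!r} -> {safe_resolve(BASE_DIR, base_file, href)}")
```

The plain `../../etc/passwd` case is rejected by both sides, so it produces no finding; only the two query-string forms slip past the string check while the loader walks out of the base directory. `safe_resolve` closes the gap regardless of how the URL string was parsed, because it checks the canonical path the loader would open.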