On Wed, 15 Sep 2016, Chip M. wrote:

Sadly, I have more FP data for you. :(

Here's one specific example (just a single very long line from
one corpse):
 background-image: url("data:image/svg+xml;charset=utf8,%3Csvg width='104px' 
height='82px' viewBox='0 0 104 82' version='1.1' xmlns='http://www.w3.org/2000/svg' 
xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3C!-- Generator: Sketch 3.6.1 (26313) 
- http://www.bohemiancoding.com/sketch 
--%3E%3Ctitle%3Ediamond%3C/title%3E%3Cdesc%3ECreated with 
Sketch.%3C/desc%3E%3Cdefs%3E%3C/defs%3E%3Cg id='Current' stroke='none' 
stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cg 
id='Settings-Not-Supported-Grammarly-2' transform='translate(-241.000000, 
-183.000000)'%3E%3Cg id='4-copy-4' transform='translate(45.000000, 
41.000000)'%3E%3Cg id='The-Settings' transform='translate(75.000000, 
63.000000)'%3E%3Cg id='Not-Suported' transform='translate(1.000000, 
56.000000)'%3E%3Cg id='Google-Docs' transform='translate(34.000000, 
0.000000)'%3E%3Cg id='diamond' transform='translate(75.000000, 0.000000)'%3E%3Cimage 
id='Image-1' x='0' y='0.0800019' width='127.919997' height='127.919997' 
xlink:href='data:image/pn

Ok, I excluded image data from URI_DATA. This should reduce FPs without hurting spam/phish detection (I hope).

This is an exploitable attack surface. SVG unfortunately does appear to support javascript, and binary image processing libraries have had exploitable bugs before.

But I doubt SA is the proper place to detect either of those. At the least, detecting javascript (much less hostile javascript) within a data:image/svg+xml block probably would be really inefficient.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 What nuts do with guns is terrible, certainly. But what
 evil or crazy people do with *anything* is not a valid argument
 for banning that item.           -- John C. Randolph <j...@idiom.com>
-----------------------------------------------------------------------
 2 days until the 229th anniversary of the signing of the U.S. Constitution
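
The exclusion described in the reply above (image data no longer counted as a data: URI hit), sketched as an added example. This is not SpamAssassin's URI_DATA rule or code from this thread; the function names, the `svg_is_image` switch and the sample strings are assumptions constructed for illustration.

```python
import re

# RFC 2397 form: data:[<mediatype>][;param...][;base64],<data>
# The lookbehind keeps words such as "metadata:" from matching.
DATA_URI = re.compile(
    r"(?<![\w-])data:([^,;\s\"')]*)((?:;[^,\s\"')]*)*),", re.I
)

def classify_data_uris(text, svg_is_image=True):
    """Return [(media_type, verdict)] for each data: URI found in text.

    verdict is "excluded" for image/* payloads (the FP source in the
    quoted CSS) and "hit" for everything else. With svg_is_image=False,
    image/svg+xml is treated as a hit, since SVG is XML that can carry
    script rather than opaque pixel data.
    """
    results = []
    for m in DATA_URI.finditer(text):
        # RFC 2397: an omitted media type defaults to text/plain
        mtype = (m.group(1) or "text/plain").lower()
        is_image = mtype.startswith("image/")
        if is_image and (svg_is_image or mtype != "image/svg+xml"):
            results.append((mtype, "excluded"))
        else:
            results.append((mtype, "hit"))
    return results

def should_flag(text, svg_is_image=True):
    """True if any data: URI in text is not excluded image data."""
    return any(v == "hit" for _, v in classify_data_uris(text, svg_is_image))

# Constructed sample inputs (not taken from real mail)
SAMPLES = [
    # CSS background image, shaped like the false positive quoted above
    "background-image: url(\"data:image/svg+xml;charset=utf8,%3Csvg width='104px'%3E%3C/svg%3E\")",
    # HTML document carried in a link target
    '<a href="data:text/html;base64,PGh0bWw+">click</a>',
    # Inline raster image
    '<img src="data:image/png;base64,iVBORw0KGgo=">',
    # No media type given
    "see data:,hello for details",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_data_uris(s), "flag" if should_flag(s) else "pass")
```

The check reads only the media type and never parses the SVG body, so it stays cheap, in line with the point above about scanning inside data:image/svg+xml being inefficient.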
