Introduction

Dixit Wikipedia : "WebKit is a layout engine designed to allow web browsers to render web pages. WebKit powers Google Chrome and Apple Safari that by December 2011 held 33.35% of the browser market share between them (according to StatCounter). It is also used as the basis for the experimental browser included with the Amazon Kindle ebook reader, as well as the default browser in the iOS, Android and webOS mobile operating systems."

Applications

Webkit is used as the rendering engine of numerous browsers :

  • Google Chrome : not vulnerable, because of its sandbox
  • Apple Safari : patch available (v5.1)
  • Apple iTunes : patch available (v10.5)
  • Apple iOS : patch available (v5)
  • Maxthon MX3 : v3.0.22.2000 is vulnerable, recent versions weren't tested
  • HP webOS : patch available (v3.0.2)
  • Nokia S60 : untested
  • Blackberry Torch / Playbook : not vulnerable according to the BBSIRT 
  • Epiphany : v2.30.2 available in Ubuntu 10.04 is vulnerable

It is also used in others softwares rendering HTML :

  • Liferea (RSS reader) :  v1.6.2 available in Ubuntu 10.04 is vulnerable
  • Amazon Kindle : untested
  • Valve Steam : untested
  • and much more ...

File creation vulnerability

Webkit uses libxslt as its XSLT engine. Old versions were not restricting write access by the engine to the file system, leading to a remotely exploitable vulnerability (CVE-2011-1774). This was patched in Changeset 79159 by adding appropriate calls to xsltSetSecurityPrefs().

PoC included on the libxslt page demonstrate the vulnerability :

macos-tmp-owned.png

ipad-tmp-owned.png

Metasploit

Two modules are included in Metasploit :

  • a auxiliary working on any non-sandboxed non-patched Webkit device
  • an exploit plugin targeting Safari users with Admin privileges (because of the MOF trick)

HP webOS 3.x

An exploit for HP webOS 3.x was developed. This exploit drops a backdoor which is later executed with root privileges at boot time. The exploit is composed of two files :

  • webos-root-backdoor.xml contains the configurable data (name and content of the destination file) and a processing instruction triggering the XSLT code
  • webos-root-backdoor.xsl reads the XML file and create the requested file on disk. This version overwrites a script located in /etc/default/ with a version including a reverse-shell based on netcat

Browsing the XML file from a vulnerable device is enough to trigger the exploit. This was patched during the 3.0.2 OTA update.

Created by Nicolas Gregoire on 2012/01/13 20:54
     

Welcome

Welcome on the XSLT Hacking Encyclopedia !

You may be interested by the Engines and Applications pages.

Link to the blog
Twitter: @Agarri_FR

Tag Cloud

Unknown macro: tagcloud.
Content by Nicolas Grégoire / Agarri
Blog - Follow me @Agarri_FR