Changes for page Application_Webkit

Summary

• Page properties (2 modified, 0 added, 0 removed)

Details

Page properties

Tags

...	...	@@ -1,1 +1,1 @@
1		-webkit|libxslt|metasploit|webOS|Apple|Safari|iPhone|iPad
	1	+webkit|libxslt|metasploit|webOS|Apple|Safari|iPhone|iPad|exploit

Content

...	...	@@ -1,6 +1,10 @@
	1	+{{toc/}}
	2	+
	3	+= Introduction =
	4	+
1	1	Dixit [[Wikipedia>>http://en.wikipedia.org/wiki/Webkit||rel="__blank"]] : "//WebKit is a layout engine designed to allow web browsers to render web pages. WebKit powers Google Chrome and Apple Safari that by December 2011 held 33.35% of the browser market share between them (according to StatCounter). It is also used as the basis for the experimental browser included with the Amazon Kindle ebook reader, as well as the default browser in the iOS, Android and webOS mobile operating systems."//
2	2
3		-== Applications ==
	7	+= Applications =
4	4
5	5	Webkit is used as the rendering engine of numerous browsers :
6	6
...	...	@@ -21,7 +21,7 @@
21	21	* Valve Steam : untested
22	22	* and much more ...
23	23
24		-== File creation vulnerability ==
	28	+= File creation vulnerability =
25	25
26	26	Webkit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Old versions were not restricting __write__ access by the engine to the file system, leading to a remotely exploitable vulnerability ([[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank"]]). This was patched in [[Changeset 79159>>http://trac.webkit.org/changeset/79159||rel="__blank"]] by adding appropriate calls to xsltSetSecurityPrefs().
27	27
...	...	@@ -34,7 +34,7 @@
34	34
35	35	[[image:ipad-tmp-owned.png||style="display: block; margin-left: auto; margin-right: auto"]]
36	36
37		-== Metasploit ==
	41	+= Metasploit =
38	38
39	39	Two modules are included in Metasploit :
40	40
...	...	@@ -41,7 +41,7 @@
41	41	* a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
42	42	* an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick)
43	43
44		-== HP webOS 3.x ==
	48	+= HP webOS 3.x =
45	45
46	46	An exploit for HP webOS 3.x was developed. This exploit drops a backdoor which is later executed with root privileges at boot time. The exploit is composed of two files :
47	47
...	...	@@ -48,4 +48,4 @@
48	48	* [[webos-root-backdoor.xml>>attach:webos-root-backdoor.xml]] contains the configurable data (name and content of the destination file) and a processing instruction triggering the XSLT code
49	49	* [[webos-root-backdoor.xsl>>attach:webos-root-backdoor.xsl]] reads the XML file and create the requested file on disk. This version overwrites a script located in /etc/default/ with a version including a reverse-shell based on netcat
50	50
51		-Browsing the XML file from a vulnerable device is enough to trigger the exploit.
	55	+Browsing the XML file from a vulnerable device is enough to trigger the exploit. This was patched during the 3.0.2 OTA update.