Changes for page Application_Webkit

Last modified by Nicolas Gregoire on 2012/01/14 17:48

From version < 3.1 >
edited by Nicolas Gregoire
on 2012/01/13 21:59
To version < 4.1 >
edited by Nicolas Gregoire
on 2012/01/13 23:56
Change comment: There is no comment for this version



Page properties
... ... @@ -26,4 +26,16 @@
26 26  Webkit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Old versions were not restricting __write__ access by the engine to the file system, leading to a remotely exploitable vulnerability ([[CVE-2011-1774>>||rel="__blank"]]). This was patched in [[Changeset 79159>>||rel="__blank"]] by adding appropriate calls to xsltSetSecurityPrefs().
27 27  
28 28  
29 -PoC included on the [[libxslt>>Engine_libxslt]] page are enough to demonstrate the vulnerability. A auxiliary plugin is available in Metasploit
29 +PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability.
30 +
31 +== Exploits ==
32 +
33 +Two modules are included in Metasploit :
34 +
35 +* a [[auxiliary>>||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
36 +* an [[exploit>>||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick)
37 +
38 +An exploit for HP webOS is attached. This exploit drops a backdoor executed with root privileges at boot time :
39 +
40 +* XML contains the payload : destination file name + file content. A reverse-shell based on netcat is added to the script
41 +* XSL reads the XML file and create the requested file on disk
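Review bot: new line 36 explains the Admin-privilege requirement with "the MOF trick", but nothing in the visible text defines the term or links to an explanation; add a one-sentence description or a link. The new Exploits section is also uneven about preconditions: line 35 says "non-sandboxed non-patched" for the auxiliary module, while the exploit module (line 36) and the HP webOS exploit (line 38) do not say whether they depend on the same unpatched state that line 26 ties to Changeset 79159. Line 38 says the exploit "is attached" without naming the attachment. Wording: "a [[auxiliary" should be "an [[auxiliary" on line 35, "create" should be "creates" on line 41, and line 29 needs "PoCs ... demonstrate" or "The PoC ... demonstrates" for agreement.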


Content by Nicolas Grégoire / Agarri