Changes for page Application_Webkit

Summary

• Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

...	...	@@ -26,4 +26,16 @@
26	26	Webkit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Old versions were not restricting __write__ access by the engine to the file system, leading to a remotely exploitable vulnerability ([[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank"]]). This was patched in [[Changeset 79159>>http://trac.webkit.org/changeset/79159||rel="__blank"]] by adding appropriate calls to xsltSetSecurityPrefs().
27	27
28	28
29		-PoC included on the [[libxslt>>Engine_libxslt]] page are enough to demonstrate the vulnerability. A auxiliary plugin is available in Metasploit
	29	+PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability.
	30	+
	31	+== Exploits ==
	32	+
	33	+Two modules are included in Metasploit :
	34	+
	35	+* a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
	36	+* an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick)
	37	+
	38	+An exploit for HP webOS is attached. This exploit drops a backdoor executed with root privileges at boot time :
	39	+
	40	+* XML contains the payload : destination file name + file content. A reverse-shell based on netcat is added to the script
	41	+* XSL reads the XML file and create the requested file on disk