Changes for page Application_Webkit

Last modified by Nicolas Gregoire on 2012/01/14 17:48

From 6.1 to 7.1 From 10.1 to 11.1

From version

7.1

edited by Nicolas Gregoire
on 2012/01/13 23:57

Change comment: Upload new attachment webos-root-backdoor.xml

To version

10.1

edited by Nicolas Gregoire
on 2012/01/14 00:31

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (1 modified, 0 added, 0 removed)
Attachments (0 modified, 2 added, 0 removed)
- ipad-tmp-owned.png
- macos-tmp-owned.png

Details

Page properties

Content

@@ -26,16 +26,22 @@
  Webkit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Old versions were not restricting __write__ access by the engine to the file system, leading to a remotely exploitable vulnerability ([[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank"]]). This was patched in [[Changeset 79159>>http://trac.webkit.org/changeset/79159||rel="__blank"]] by adding appropriate calls to xsltSetSecurityPrefs().
--PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability.
++PoC included on the [[libxslt>>Engine_libxslt]] page demonstrate the vulnerability :
--== Exploits ==
++[[image:macos-tmp-owned.png||style="display: block; margin-left: auto; margin-right: auto"]]
++[[image:ipad-tmp-owned.png||style="display: block; margin-left: auto; margin-right: auto"]]
++
++== Meatsploit ==
++
  Two modules are included in Metasploit :
  * a [[auxiliary>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] working on any non-sandboxed non-patched Webkit device
  * an [[exploit>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] plugin targeting Safari users with Admin privileges (because of the MOF trick)
--An exploit for HP webOS is attached. This exploit drops a backdoor executed with root privileges at boot time :
++== HP webOS 3.x ==
--* XML contains the payload : destination file name + file content. A reverse-shell based on netcat is added to the script
--* XSL reads the XML file and create the requested file on disk
++An exploit for HP webOS 3.x was developed. This exploit drops a backdoor which is later executed with root privileges at boot time. The exploit is composed of two files :
++
++* [[webos-root-backdoor.xml>>attach:webos-root-backdoor.xml]] contains the configurable data (name and content of the destination file) and a processing instruction trigger the XSLT code
++* [[webos-root-backdoor.xsl>>attach:webos-root-backdoor.xsl]] reads the XML file and create the requested file on disk. This version overwrites a script located in /etc/default/ with a version including a reverse-shell based on netcat

ipad-tmp-owned.png

Author

...	...	@@ -1,0 +1,1 @@
	1	+xwiki:XWiki.NicolasGregoire

Size

...	...	@@ -1,0 +1,1 @@
	1	+11.9 KB

Content

macos-tmp-owned.png

Author

...	...	@@ -1,0 +1,1 @@
	1	+xwiki:XWiki.NicolasGregoire

Size

...	...	@@ -1,0 +1,1 @@
	1	+12.4 KB

Content

Changes for page Application_Webkit

Summary

Details

Welcome

Recently Modified

Changes for page Application_Webkit

Summary

Details

Welcome

Recently Modified

Tag Cloud