Wiki source code of Application_Webkit

Version 4.1 by Nicolas Gregoire on 2012/01/13 23:56

As [[Wikipedia>>http://en.wikipedia.org/wiki/Webkit||rel="__blank"]] puts it: //"WebKit is a layout engine designed to allow web browsers to render web pages. WebKit powers Google Chrome and Apple Safari that by December 2011 held 33.35% of the browser market share between them (according to StatCounter). It is also used as the basis for the experimental browser included with the Amazon Kindle ebook reader, as well as the default browser in the iOS, Android and webOS mobile operating systems."//

== Applications ==

WebKit is the rendering engine of numerous browsers:

* Google Chrome: not vulnerable, thanks to its sandbox
* Apple Safari: patch available (v5.1)
* Apple iTunes: patch available (v10.5)
* Apple iOS: patch available (v5)
* Maxthon MX3: v3.0.22.2000 is vulnerable; more recent versions were not tested
* HP webOS: patch available (v3.0.2)
* Nokia S60: untested
* BlackBerry Torch / PlayBook: not vulnerable according to the BBSIRT
* Epiphany: v2.30.2, as shipped in Ubuntu 10.04, is vulnerable

It is also used by other software that renders HTML:

* Liferea (RSS reader): v1.6.2, as shipped in Ubuntu 10.04, is vulnerable
* Amazon Kindle: untested
* Valve Steam: untested
* and many more

== File creation vulnerability ==

WebKit uses [[libxslt>>Engine_libxslt]] as its XSLT engine. Older versions did not restrict the engine's __write__ access to the file system, so a malicious stylesheet could create files on the victim's disk: a remotely exploitable vulnerability ([[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank"]]). This was patched in [[Changeset 79159>>http://trac.webkit.org/changeset/79159||rel="__blank"]] by adding the appropriate calls to xsltSetSecurityPrefs().

The PoC included on the [[libxslt>>Engine_libxslt]] page demonstrates the vulnerability.

== Exploits ==

Two Metasploit modules are available:

* an [[auxiliary module>>http://www.metasploit.com/modules/auxiliary/server/webkit_xslt_dropper||rel="__blank"]] that works against any unpatched, non-sandboxed WebKit device
* an [[exploit module>>http://www.metasploit.com/modules/exploit/windows/browser/safari_xslt_output||rel="__blank"]] targeting Safari users running with administrative privileges (it relies on the MOF trick)

An exploit for HP webOS is attached. It drops a backdoor that is executed with root privileges at boot time:

* the XML file carries the payload: the destination file name and the file content (a netcat-based reverse shell is added to the script)
* the XSL stylesheet reads the XML file and creates the requested file on disk
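The fix described in the "File creation vulnerability" section and the "XSL creates the requested file on disk" step above both come down to one thing: whether the application embedding libxslt has installed security preferences that forbid file writes. The following is an added example, not code from this page, from WebKit or from its author. It uses lxml (assumed to be installed), whose XSLTAccessControl class wraps the same xsltSetSecurityPrefs() API that Changeset 79159 started calling, to show what an embedding application should configure and how to verify it: a constructed stylesheet that attempts to create a file through exsl:document is refused under the policy and leaves nothing on disk, while a constructed stylesheet that only builds a result tree keeps working. The policy object, the sample stylesheets, the XML input, the target path and the function names are all mine.

```python
"""Hardening check for an application that embeds libxslt (added example)."""
import os
import tempfile

from lxml import etree

# Policy an embedding application should install: keep reading the input
# document, forbid anything that lets a stylesheet touch the file system
# or push data out over the network. This is the application-side
# equivalent of the xsltSetSecurityPrefs() calls added to WebKit.
NO_WRITE_POLICY = etree.XSLTAccessControl(
    read_file=True,
    write_file=False,
    create_dir=False,
    read_network=False,
    write_network=False,
)

# Constructed placeholder path: in the attack the page describes, the
# destination file name is chosen by whoever wrote the stylesheet.
TARGET = os.path.join(tempfile.gettempdir(), "xslt-policy-demo", "dropped.txt")

# Constructed sample: a stylesheet that tries to write a secondary output
# document to disk (the pattern libxslt's write check is meant to stop).
WRITING_STYLESHEET = f"""\
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="{TARGET}" method="text">
      <xsl:value-of select="/payload/content"/>
    </exsl:document>
    <done/>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: a benign stylesheet that only produces a result tree.
# It must keep working, otherwise the policy breaks legitimate transforms.
BENIGN_STYLESHEET = """\
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <count><xsl:value-of select="count(/payload/*)"/></count>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample input document.
SAMPLE_XML = "<payload><content>constructed sample content</content></payload>"


def run_under_policy(stylesheet_src, xml_src, policy):
    """Apply the stylesheet under the given access policy.

    Returns whether libxslt refused the transform (an XSLTApplyError was
    raised or a 'denied' message landed in the transform's error log), the
    root tag of the result if one was produced, and whether the target file
    exists on disk afterwards.
    """
    transform = etree.XSLT(etree.XML(stylesheet_src), access_control=policy)
    raised = False
    root_tag = None
    try:
        result = transform(etree.XML(xml_src))
        if result.getroot() is not None:
            root_tag = result.getroot().tag
    except etree.XSLTApplyError:
        raised = True
    denied = any("denied" in entry.message for entry in transform.error_log)
    return {
        "refused": raised or denied,
        "root_tag": root_tag,
        "file_written": os.path.exists(TARGET),
    }


def write_is_blocked():
    """True when the file-dropping stylesheet is stopped by NO_WRITE_POLICY."""
    outcome = run_under_policy(WRITING_STYLESHEET, SAMPLE_XML, NO_WRITE_POLICY)
    return outcome["refused"] and not outcome["file_written"]


def benign_still_works():
    """True when a stylesheet that writes nothing runs fine under the policy."""
    outcome = run_under_policy(BENIGN_STYLESHEET, SAMPLE_XML, NO_WRITE_POLICY)
    return not outcome["refused"] and outcome["root_tag"] == "count"


if __name__ == "__main__":
    print("file write blocked:", write_is_blocked())
    print("benign transform ok:", benign_still_works())
```

The check looks at two signals rather than one: an exception from lxml and the "denied" entry that libxslt's xsltCheckWrite() leaves in the error log. Depending on the libxslt version, a refused write may either abort the whole transform or only skip the write, so a hardening test that relied on the exception alone could pass for the wrong reason. Checking the target path afterwards is what actually proves the file was never created.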