Wiki source code of Homoiconicity

Version 13.1 by Nicolas Gregoire on 2012/01/05 00:39

== General definition ==

Homoiconicity is the property of a programming language in which code and data are stored in the same format. For example, the following languages are homoiconic:

* Lisp: using lists and their subtypes
* ASM: using bytes stored in memory
* XSLT: using the XML format

In some memory corruption exploits, shellcode is transmitted as data and later executed once the execution flow has been altered. This is possible because of homoiconicity. Executing code that was transmitted as data is sometimes possible with XSLT too.
10
== Triggering embedded code ==

In some contexts (like browsers), XSLT code execution can be triggered while an XML document is parsed, via a xsl:stylesheet tag. The executed XSLT code can be stored on the Internet or in the XML document itself (homoiconicity + self-reference trick). A [[blog post>>http://scarybeastsecurity.blogspot.com/2011/01/harmless-svg-xslt-curiousity.html||rel="__blank"]] by Chris Evans describes a pseudo SVG file triggering a simple RAM DoS. But we can do better ;-)
14
== Exploiting via dynamic SVG images ==

We can create XML files which browsers interpret as perfectly valid, self-contained, dynamic SVG images. The SVG image is generated on the fly by the (Turing complete) XSLT engine of the browser and then rendered.

In the following example, the XSLT code will:

* fingerprint the underlying XSLT engine
* draw a circle (red if Webkit, green otherwise)
* try to exploit [[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank" title="CVE-2011-1774"]] if Webkit is detected
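
From the defensive side, the two sections above (a stylesheet reference pointing back into the same document, and XSLT that fingerprints the engine before deciding what to render) describe exactly the structure an SVG/XML upload filter should look for. The following Python script is an added example written for this page, not code from the original article or from its author: it parses a document with the standard library's minidom (nothing is transformed or executed, and expat fetches no external resources on its own), extracts the pseudo-attributes of any xml-stylesheet processing instruction, checks whether its href is a fragment that resolves to an element of the same document, counts embedded elements in the XSLT namespace and looks for system-property() calls in their XPath expressions. The three sample documents are constructed for the example; the self-referencing one mimics the fingerprint-then-colour behaviour described above and carries no exploit.

```python
import re
from xml.dom import minidom

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
XML_NS = "http://www.w3.org/XML/1998/namespace"
# Pseudo-attributes of <?xml-stylesheet ...?> look like key="value" or key='value'.
PSEUDO_ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')

# Constructed sample: the document asks the browser to transform it with the
# xsl:stylesheet it carries itself (href="#stylesheet"), reads the engine vendor
# with system-property() and picks the circle colour from it. No exploit payload.
SELF_REFERENCING_SVG = """<?xml-stylesheet type="text/xsl" href="#stylesheet"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:stylesheet version="1.0" xml:id="stylesheet">
    <xsl:template match="/">
      <svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
        <xsl:variable name="vendor" select="system-property('xsl:vendor')"/>
        <circle cx="50" cy="50" r="40">
          <xsl:attribute name="fill">
            <xsl:choose>
              <xsl:when test="contains($vendor, 'libxslt')">red</xsl:when>
              <xsl:otherwise>green</xsl:otherwise>
            </xsl:choose>
          </xsl:attribute>
        </circle>
      </svg>
    </xsl:template>
  </xsl:stylesheet>
</svg>
"""

# Constructed sample: same trigger, but the stylesheet lives on the Internet.
REMOTE_STYLESHEET_SVG = """<?xml-stylesheet type="text/xsl" href="http://example.invalid/sheet.xsl"?>
<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>
"""

# Constructed sample: a static SVG, the only kind an upload filter should accept.
PLAIN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>
"""


def stylesheet_pis(doc):
    """Pseudo-attributes of every xml-stylesheet PI found in the document prolog."""
    found = []
    for node in doc.childNodes:
        if (node.nodeType == node.PROCESSING_INSTRUCTION_NODE
                and node.target == "xml-stylesheet"):
            found.append(dict(PSEUDO_ATTR_RE.findall(node.data)))
    return found


def element_ids(doc):
    """Collect xml:id and id values so a '#fragment' href can be resolved locally."""
    ids = set()
    for el in doc.getElementsByTagName("*"):
        for value in (el.getAttributeNS(XML_NS, "id"),
                      el.getAttribute("xml:id"), el.getAttribute("id")):
            if value:
                ids.add(value)
    return ids


def embedded_xslt(doc):
    """Every xsl:stylesheet / xsl:transform element carried inside the document."""
    return (doc.getElementsByTagNameNS(XSL_NS, "stylesheet")
            + doc.getElementsByTagNameNS(XSL_NS, "transform"))


def uses_engine_fingerprint(sheet):
    """True if any XPath expression in the stylesheet calls system-property()."""
    for node in sheet.getElementsByTagName("*"):
        for attr in ("select", "test"):
            if "system-property(" in node.getAttribute(attr):
                return True
    return False


def analyse(xml_text):
    """Structural report on how (and whether) the document would trigger XSLT."""
    doc = minidom.parseString(xml_text)
    pis = stylesheet_pis(doc)
    ids = element_ids(doc)
    sheets = embedded_xslt(doc)
    hrefs = [pi.get("href", "") for pi in pis]
    report = {
        "xsl_pi_count": len(pis),
        "remote_stylesheets": [h for h in hrefs if h and not h.startswith("#")],
        "self_referencing": any(h.startswith("#") and h[1:] in ids for h in hrefs),
        "embedded_xslt": len(sheets),
        "engine_fingerprinting": any(uses_engine_fingerprint(s) for s in sheets),
    }
    # A static image needs neither a stylesheet PI nor XSLT elements: reject both.
    report["suspicious"] = report["xsl_pi_count"] > 0 or report["embedded_xslt"] > 0
    return report


if __name__ == "__main__":
    for label, sample in (("self-referencing", SELF_REFERENCING_SVG),
                          ("remote", REMOTE_STYLESHEET_SVG),
                          ("plain", PLAIN_SVG)):
        print(label, analyse(sample))
```

The check is deliberately structural rather than signature-based: a benign SVG never needs an xml-stylesheet processing instruction or an element in the XSLT namespace, so the presence of either is enough to reject the file or route it to review, and the self-reference and fingerprinting flags only explain why. Ids declared via an internal DTD subset (the `<!ATTLIST ... id ID>` variant) are covered by the plain `id` lookup.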

Screenshot of Opera:
[[image:svg-opera-small.png||style="display: block; margin-left: auto; margin-right: auto"]]


Screenshot of Epiphany:
[[image:svg-webkit-small.png||style="display: block; margin-left: auto; margin-right: auto"]]

32
== Analysis of the exploit ==

Exploitcolor depends on the OS, ...) and exploit a specific vulnerability. This was demonstrated with [[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank" title="CVE-2011-1774"]] and a Webkit exploit tested on Windows, Linux, iOS and webOS.
Nicolas Gregoire 2.2 36
XML document:

From a security point of view, it is important to audit

As the SVG format is valid XML too, t

The process is the following:

* The source XML file (do not