Wiki source code of Homoiconicity

Version 8.1 by Nicolas Gregoire on 2012/01/05 00:25

== Definition ==

Homoiconicity is the property of a programming language in which code and data are stored in the same format. For example, the following languages are homoiconic:

* ASM: using bytes stored in memory
* Lisp: using lists and their sub-types
* XSLT: using the XML format

== Triggering embedded code ==

In some contexts (like browsers), XSLT code execution can be triggered while an XML document is parsed, via an xsl:stylesheet tag. The executed XSLT code can be stored on the Internet or in the XML document itself (homoiconicity + self-reference trick). A [[blog post>>http://scarybeastsecurity.blogspot.com/2011/01/harmless-svg-xslt-curiousity.html||rel="__blank"]] by Chris Evans describes a pseudo SVG file triggering a simple RAM DoS. But we can do better ;-)

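One defensive check for the self-reference trick described above, as an added example that is not from the original page or from Chris Evans's post: a small Python scanner that lists each xml-stylesheet processing instruction in an XML file and flags those whose href resolves to an xsl:stylesheet element embedded in the document itself. The sample document, the function names and the classification labels are constructed for this example.

```python
import re
from xml.dom import minidom

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed sample (not from the original page): the xml-stylesheet PI points
# back at an xsl:stylesheet embedded in the same file, which emits an SVG circle.
SELF_REF_SVG = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="#stylesheet"?>
<!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]>
<doc>
 <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
   <svg xmlns="http://www.w3.org/2000/svg">
    <circle cx="50" cy="50" r="40" fill="green"/>
   </svg>
  </xsl:template>
 </xsl:stylesheet>
</doc>
"""


def pi_pseudo_attrs(data):
    # xml-stylesheet PIs carry pseudo-attributes, not real XML attributes
    return dict(re.findall(r'(\w+)\s*=\s*["\']([^"\']*)["\']', data))


def find_stylesheet_refs(xml_bytes):
    """Report every xml-stylesheet PI and classify where its XSLT lives.
    For untrusted input, swap in defusedxml.minidom.parseString (same API)
    so entity-expansion tricks cannot exhaust the scanner itself.
    """
    doc = minidom.parseString(xml_bytes)
    embedded_ids = {el.getAttribute("id")
                    for el in doc.getElementsByTagNameNS(XSL_NS, "stylesheet")}
    findings = []
    for node in doc.childNodes:  # prolog PIs sit directly under the Document
        if (node.nodeType != node.PROCESSING_INSTRUCTION_NODE
                or node.target != "xml-stylesheet"):
            continue
        href = pi_pseudo_attrs(node.data).get("href", "")
        if href.startswith("#"):  # homoiconic self-reference: code is the data
            kind = ("self-referencing embedded XSLT"
                    if href[1:] in embedded_ids else "dangling fragment")
        elif re.match(r"[a-z][a-z0-9+.-]*:", href, re.I):
            kind = "remote stylesheet"
        else:
            kind = "relative stylesheet"
        findings.append({"href": href, "kind": kind})
    return findings
```

A gateway or upload filter can reject or quarantine any document whose findings include a self-referencing or remote stylesheet, since neither belongs in a plain image upload.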
== Exploiting via dynamic SVG images ==

We can create XML files which browsers will interpret as perfectly valid, self-contained dynamic SVG images. The SVG file is then generated on the fly by the (Turing complete) XSLT engine of the browser.

In the following example, the XSLT code will:

* fingerprint the underlying XSLT engine
* draw a circle (red if Webkit, green otherwise)
* try to exploit [[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank" title="CVE-2011-1774"]] if Webkit is detected

Screenshot of Opera:
[[image:svg-opera-small.png||style="display: block; margin-left: auto; margin-right: auto"]]

Screenshot of Epiphany:
[[image:svg-webkit-small.png||style="display: block; margin-left: auto; margin-right: auto"]]

== Evil SVG images ==

Exploitcolor depends on the OS, ...) and exploit a specific vulnerability. This was demonstrated with [[CVE-2011-1774>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1774||rel="__blank" title="CVE-2011-1774"]] and a Webkit exploit tested on Windows, Linux, iOS and webOS.

From a security point of view, it is important to audit

As the SVG format is valid XML too, t

The process is the following:

* The source XML file (do not