
Offensive XSLT

Doing computer security for 10+ years

Half as a consultant, half as an end user

Now owner of Agarri

Offensive security only

(pentest, application audit, vulnerability research, ...)

Thanks to customer X !

Brainstorming & Money

Overview

Modern software is complex

Third party code is (very) common

Unaudited code == Untrusted code

We'll exploit (documented) features !

Not some design or implementation errors

Exploits reliability ++

;-)

XSLT ?

XSLT : XSL Transformations

http://www.w3.org/TR/xslt

A language used to transform an XML document into another document

(XML, PDF, TXT, SVG, ...)

Example #1

Example #2

Methodology

Select some XSLT engines

Enumerate their features

Standards

Automatically generated from {element|function}-available() and an XML representation of the standards

Proprietary extensions

Documentation

Source code

Strings

IDA

Identify the dangerous ones

Restricted to :

- engine fingerprinting

- file creation

- code execution

Not in scope :

- read access (including SOP bypass and XXE)

- fuzzing

For each dangerous feature, write a PoC

Rules :

- only one feature

- no container

- no obfuscation

- no payload

- working via CLI

For each format, write a "container"

A container respects a format which allows XSL transformations

(aka Trigger)

Test on numerous applications

Profit !

Risks

Standards

As every engine supports at least XSLT 1.0, we can easily fingerprint it

So far, nothing really risky

Proprietary extensions

Vulnerabilities

Liferay

Commercial (or not) Java CMS

Numerous references

(with search engine ;-)

Of course, it's secure !

Even if the XSLT engine is Xalan-J ? Hum ...

Altova

WebKit

Uses libxslt

File creation :

- arbitrary path and name

- content must be valid UTF-8

Impacted vendors :

- Apple (Safari, iPhone, iPad, ...)

- RIM (Blackberry Torch)

- Linux distributions (Epiphany, Liferea, ...)

- and more !

Chrome isn't vulnerable, because of its sandbox

A patch is available since February

Nobody applied it :-(

Video : Safari + MOF

PHP 5

Uses libxslt

Patch #54446 : verified (by me) in April, still not applied to trunk :-(

Wait, there's more !

void XSLTProcessor::registerPHPFunctions ([ mixed $restrict ] )

This method enables the ability to use PHP functions as XSLT functions within XSL stylesheets.

<xsl:stylesheet
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:php="http://php.net/xsl"
    version="1.0">
  ...
  <xsl:value-of select="php:function('phpinfo')"/>
  ...
</xsl:stylesheet>
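As an added example (not code from the talk or from PHP), a small Python checker that reports the markers discussed in this deck when reviewing a stylesheet before it reaches an engine: the http://php.net/xsl namespace and php:function() calls, any other non-standard extension namespace, and the {element|function}-available() calls used for engine fingerprinting (system-property() is added as an assumption, it is not named in the talk). The sample stylesheet is constructed for the demo.

```python
import io
import re
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
PHP_NS = "http://php.net/xsl"  # namespace bound by PHP's registerPHPFunctions()
# Namespaces a stylesheet commonly declares for its output; anything else is
# treated as an engine extension that deserves review.
BENIGN_NS = {XSLT_NS, "http://www.w3.org/1999/xhtml", "http://www.w3.org/2000/svg",
             "http://www.w3.org/XML/1998/namespace"}
# Standard XSLT 1.0 functions that reveal which engine runs the stylesheet
# (system-property() is an addition to the two named in the talk).
FINGERPRINT_RE = re.compile(r"\b(function-available|element-available|system-property)\s*\(")
# Any prefixed call such as php:function( or ext:foo( inside an XPath expression.
CALL_RE = re.compile(r"\b([A-Za-z_][\w.\-]*):([A-Za-z_][\w.\-]*)\s*\(")

def scan_stylesheet(xsl_text):
    """Return (category, detail) findings for one stylesheet, in document order."""
    findings = []
    prefixes = {}  # prefix -> namespace URI, as declared so far
    source = io.BytesIO(xsl_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            prefixes[prefix] = uri
            if uri == PHP_NS:
                findings.append(("code-execution", "PHP function namespace declared: " + uri))
            elif uri not in BENIGN_NS:
                findings.append(("extension-namespace", uri))
            continue
        for attr, value in payload.attrib.items():  # select=, test=, match=, AVTs ...
            for prefix, name in CALL_RE.findall(value):
                uri = prefixes.get(prefix, "(undeclared)")
                category = "code-execution" if uri == PHP_NS else "extension-function"
                findings.append((category, f"{prefix}:{name}() in @{attr} -> {uri}"))
            for name in FINGERPRINT_RE.findall(value):
                findings.append(("fingerprinting", f"{name}() in @{attr}"))
    return findings

# Constructed sample: the php:function stylesheet from the talk plus an engine
# check; not taken from any real product.
SAMPLE_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:php="http://php.net/xsl">
  <xsl:template match="/">
    <xsl:if test="function-available('php:function')">
      <xsl:value-of select="php:function('phpinfo')"/>
    </xsl:if>
  </xsl:template>
</xsl:stylesheet>"""
```

Calling scan_stylesheet(SAMPLE_XSL) yields three findings: the PHP namespace declaration, the function-available() probe, and the php:function() call in the select attribute.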

XMLSEC

Uses libxslt

I love when security solutions have security bugs ;-)

Potentially impacted :

- PKI & SSO (SAML)

- SWIFT eBAM

- and more !

And if your XML-DSig XSLT engine is Xalan-J, it's worse :-(

What about W3C recommendations for XML-DSig ? Nobody follows them :-(

Misc

Exploitation

Code Execution

Easy : just use a Java or JScript reverse-shell

Web context

Webshell PHP/JSP/CFM/...

Privileged Windows user

Stuxnet MOF

File Creation

Unix user

See "USB Autorun attacks against Linux" by IBM X-Force

CONCLUSION

FAQ

Q : How was this presentation created ?

A : With Prezi

Q : Did you test product XYZ ?

A : No, but I can do it for some money

Other Questions ?

Customers

Do NOT trust vendors

Audit every library of every critical application you have

Use your power (including $ and €) to influence vendors

There's a lot of bugs, come on and play !

Hackers

A "state of the art" (XML|SOAP)-dsig implementation should not be vulnerable

First XSLT advisories were published in 2001 !

Guninski vs Oracle/IE

Most engines can be deployed in a secure mode (read the doc !)

Third party libraries (Java example) :

- XML : Xerces
- Web Services : Axis
- MVC : Spring
- Logs : log4j
- AJAX : RichFaces, DWR
- Graphs : JFreeChart
- Search : Lucene
- DAO : Hibernate
- PDF : iText
- XSLT : Xalan-J
- Crypto : BouncyCastle
- XSL-FO : FOP

Even if it's an Apache.org project !

Read, understand and apply the recommendations and erratas from W3C

Be polite with researchers who find and report vulnerabilities in your products

Use Defense in Depth

Editors

http://en.wikipedia.org/wiki/Quine_(computing)

http://www.unidex.com/turing/utm.htm

http://www2.informatik.hu-berlin.de/~obecker/XSLT/

2 ways :

1) Offline transformation from XML to XHTML :

$> xsltproc catalog2xhtml.xsl catalog.xml > catalog.html

then opening of the XHTML file in a browser, and visualization of the content

2) Opening of the XML file in a browser, on-the-fly transformation to XHTML, and visualization of the content

Generalist

Specific

Presto (Opera)

AltovaXML (Altova)

Transformiix (Firefox)

...

XSLT 2.0

libxslt (Gnome)

Saxon (Saxonica)

Xalan-J (Apache)

Xalan-C (Apache)

MSXML (Microsoft)

XSLT 2.0 : W3C - 2007

XSLT 1.1 : W3C - 2001 - Draft

XSLT 1.0 : W3C - 1999

EXSLT : Community based - WiP

Firefox 3.6.17

Dooble 0.07

Nicolas Gregoire

aka Nicob

http://www.agarri.fr/

Remote code execution

CVE-2011-1571

Patched in version 6.0.6 GA

(January 2011)

Video : Remote shell

Formats (containers) :

Done : XHTML, SVG, XML-DSig, SOAP-DSig, SAML, SMIL, RSS, XACML, ...

To do : MathML, ChemicalML, VRML, ...

http://trac.webkit.org/changeset/79159

Applications tested : image viewer, office software, word processing, ..., SSO / SAML, browser, CMS, security, web, XML-DSig, RSS reader

New ! XMLSpy v2011r3 now supports XML-DSig (untested)

The user needs to press "F10"

http://php.net/manual/EN/xsltprocessor.registerphpfunctions.php

http://www.swift.com/corporates/resources/Getting_Started/MIG_ISO20022/EBAM_Signature_Specifications.pdf

http://clawslab.nds.rub.de/wiki/index.php/XML_Signature_–_XSLT_Code_Execution

* : includes XSLT 1.0 features too

libxslt

Xalan-J

libxslt

( File creation )

( code execution )

Dangerous

Altova

( code execution )

Xalan-J

Saxon 9

( code execution )

Safe by default

MSXML 6

( code execution )

Easy to backdoor

Xalan-C

Presto

Mail : nicolas.gregoire@agarri.fr

Blog : http://www.agarri.fr/blog/

Twitter : @Agarri_FR

Featureless

Transformiix
