Offensive XSLT

Hack in Paris 2011 - Offensive XSLT - Nicolas Gregoire - Agarri
Nicolas Gregoire

A language used to transform an XML document into another document
(XML, PDF, TXT, SVG, ...)
Spring
Lucene
iText
Xalan J
Hibernate
log4j
BouncyCastle
JFreeChart
Offensive XSLT
Methodology
Risks
Vulnerabilities
Exploitation
Conclusion
Nicolas Gregoire
aka Nicob
http://www.agarri.fr/
Modern software is complex
Third party code is (very) common
We'll exploit (documented) features!

Not some design or implementation errors
Axis
RichFaces
DWR
FOP
Xerces
Exploits reliability ++
;-)
Enumerate their features
Standards
proprietary Extensions
Identify the dangerous ones
For each dangerous feature, write a PoC
Restricted to :
- engine fingerprinting
- file creation
- code execution
Not in scope :
- read access (including SOP bypass and XXE)
- fuzzing
Select some XSLT engines
For each format, write a "container"
XHTML
SVG
XML-dsig
libxslt (Gnome)
Saxon (Saxonica)
Xalan-J (Apache)
Xalan-C (Apache)
MSXML (Microsoft)
…
XSLT 1.0
EXSLT
XSLT 2.0
XSLT 1.1
Documentation
Source code
Strings
IDA
Presto (Opera)
AltovaXML (Altova)
Transformiix (Firefox)
...
Test on numerous applications
Profit !
Browser
SSO / SAML
CMS
Web
Security
XMLDsig
Office software
Word processing
Image viewer
RSS reader
...
As every engine supports at least XSLT 1.0, we can easily fingerprint it
Dangerous
Safe by default
Feature Less
Xalan-C
Saxon 9
libxslt
Xalan-J
MSXML 6
Altova
Transformiix
Liferay
Commercial (or not) Java CMS
Of course, it's secure !
Numerous references
(with a search engine ;-)
Even if the XSLT engine is Xalan-J ? Hum ...
CVE-2011-1571
Altova
PHP 5
XMLSEC
WEBKIT
Uses libxslt
File creation :
- arbitrary path and name
- content must be valid UTF-8
Impacted vendors :
- Apple (Safari, iPhone, iPad, ...)
- RIM (Blackberry Torch)
- Linux distributions (Epiphany, Liferea, ...)
- and more !
A patch is available since February
Nobody applied it :-(
Chrome isn't vulnerable,
because of its sandbox
Video: Safari + MOF
Uses libxslt
Wait, there's more !
void XSLTProcessor::registerPHPFunctions ([ mixed $restrict ] )

This method enables the ability to use PHP functions as XSLT functions within XSL stylesheets.
<xsl:stylesheet
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:php="http://php.net/xsl"
version="1.0">
...
<xsl:value-of select="php:function('phpinfo')"/>
...
</xsl:stylesheet>
I love when security solutions have security bugs ;-)
Potentially impacted :
- PKI & SSO (SAML)
- SWIFT eBAM
- and more !
Misc
( File creation )
http://trac.webkit.org/changeset/79159
Uses libxslt
Easy to backdoor
The user needs to press "F10"
Code Execution
Easy : just use a Java or JScript reverse-shell
File  Creation
Web context
Webshell PHP/JSP/CFM/...
Privileged Windows user
Stuxnet MOF
Unix user
See "USB Autorun attacks against Linux"
by IBM X-Force
There's a lot of bugs, come on and play !
Most engines can be deployed in a secure mode
(read the doc !)
Read, understand and apply the recommendations and errata from W3C

Be polite with researchers who find and report vulnerabilities in your products

Use Defense in Depth
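As one defense-in-depth layer for the cases above (PHP callbacks registered on an XSLT processor, libxslt file creation, Xalan-J Java extensions), an untrusted stylesheet can be checked statically before it reaches any engine. The following is an added example, not code from the talk or from any of the engines it discusses: it flags the namespaces and instructions the talk singles out as dangerous. The three sample stylesheets are constructed; the first reproduces the shape of the PHP snippet shown earlier. It is a pre-filter only and does not replace the engine's own secure mode.

```python
"""Static pre-check of an untrusted XSLT stylesheet for file-writing and
code-running features. Added example (not the talk's code). Namespace
scopes are flattened: a prefix keeps its most recent binding."""

import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"

# Namespaces whose very presence in an untrusted stylesheet is a finding.
DANGEROUS_NS = {
    "http://php.net/xsl": "PHP function bridge (registerPHPFunctions)",
    "http://xml.apache.org/xalan/java": "Xalan-J reflexive Java calls",
    "http://xml.apache.org/xalan/redirect": "Xalan redirect extension (writes files)",
    "http://saxon.sf.net/": "Saxon extension namespace",
    MSXSL_NS: "MSXML msxsl:script (JScript/VBScript)",
}

# Individual instructions that write files or embed code.
INSTRUCTIONS = {
    (XSL_NS, "document"): "XSLT 1.1 draft xsl:document writes a file (libxslt)",
    (XSL_NS, "result-document"): "XSLT 2.0 xsl:result-document writes a file",
    (XSL_NS, "script"): "XSLT 1.1 draft xsl:script embeds code",
    ("http://exslt.org/common", "document"): "EXSLT exsl:document writes a file",
    (MSXSL_NS, "script"): "msxsl:script embeds JScript/VBScript",
}

# prefix:name( inside XPath attribute values (select, test, match, ...).
CALL_RE = re.compile(r"([A-Za-z_][\w.-]*):([A-Za-z_][\w.-]*)\s*\(")


def describe_ns(uri):
    """Reason a namespace URI is risky, or None. 'xalan://pkg.Class' and
    'java:pkg.Class' bind a prefix straight to a Java class."""
    if uri in DANGEROUS_NS:
        return DANGEROUS_NS[uri]
    if uri.startswith(("xalan://", "java:")):
        return "prefix bound directly to a Java class"
    return None


def split_tag(tag):
    """'{uri}local' -> (uri, local); unqualified tags get an empty uri."""
    if tag.startswith("{"):
        uri, _, local = tag[1:].partition("}")
        return uri, local
    return "", tag


def scan_stylesheet(text):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    findings, prefixes = [], {}
    parser = ET.XMLPullParser(events=("start-ns", "start"))
    parser.feed(text)
    parser.close()
    for event, payload in parser.read_events():
        if event == "start-ns":              # payload is (prefix, uri)
            prefix, uri = payload
            prefixes[prefix] = uri
            why = describe_ns(uri)
            if why:
                findings.append(f"namespace {prefix or '(default)'}={uri}: {why}")
            continue
        uri, local = split_tag(payload.tag)  # payload is the Element
        if (uri, local) in INSTRUCTIONS:
            findings.append(f"element {local}: {INSTRUCTIONS[(uri, local)]}")
        for attr, value in payload.attrib.items():
            for m in CALL_RE.finditer(value):
                why = describe_ns(prefixes.get(m.group(1), ""))
                if why:
                    findings.append(f"call {m.group(1)}:{m.group(2)}() in @{attr}: {why}")
    return findings


# Constructed samples. PHP_POC mirrors the stylesheet shape shown in the talk.
PHP_POC = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:php="http://php.net/xsl" version="1.0">
  <xsl:template match="/"><xsl:value-of select="php:function('phpinfo')"/></xsl:template>
</xsl:stylesheet>"""

EXSL_WRITE = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="out.txt" method="text"><xsl:value-of select="."/></exsl:document>
  </xsl:template>
</xsl:stylesheet>"""

BENIGN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/"><ul><li><xsl:value-of select="count(//item)"/></li></ul></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, sheet in (("PHP_POC", PHP_POC), ("EXSL_WRITE", EXSL_WRITE), ("BENIGN", BENIGN)):
        print(name, scan_stylesheet(sheet))
```

Anything the scanner flags should be rejected outright; anything it passes still runs only under the engine's secure mode, since extension mechanisms not in the tables above (and read-access features such as document(), out of scope here) are not covered.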
XSLT ?
Overview
XSLT : XSL Transformations

http://www.w3.org/TR/xslt
http://www.unidex.com/turing/utm.htm
Example #1
http://www2.informatik.hu-berlin.de/~obecker/XSLT/
Unaudited code
==
Untrusted code
Even if it's an Apache.org project!
http://en.wikipedia.org/wiki/Quine_(computing)
$> xsltproc catalog2xhtml.xsl catalog.xml > catalog.html
Example #2
Firefox 3.6.17
Generalist
Specific
Rules :
- only one feature
- no container
- no obfuscation
- no payload
- working via CLI
DONE
To do
SAML
MathML
VRML
XACML
SMIL
ChemicalML
RSS
A container respects a format which allows XSL transformations
(aka Trigger)
Standards
proprietary Extensions
XML
XSLT
MVC
PDF
Crypto
AJAX
Web Services
LOGS
GRAPHS
DAO
Search
AJAX
XSL-FO
2 Ways
Offline transformation from XML to XHTML
Opening of the XHTML file in a browser
Visualization of the content
W3C - 1999
W3C - 2007
W3C - 2001 - Draft
Community based - WiP
XSLT 1.0
Dooble 0.07
Automatically generated from {element|function}-available() and an XML representation of the norms
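The fingerprinting idea above (every engine implements XSLT 1.0, so the standard system-property(), element-available() and function-available() functions are always there to ask which optional or vendor features it exposes) can be turned into a generated probe stylesheet. The following is an added example, not the talk's generator: the probe table is a small constructed sample rather than a table derived from an XML copy of the specifications, the namespace URIs are the real ones, and the sample output is constructed to show how the text result is read back.

```python
"""Generate an XSLT 1.0 probe stylesheet that fingerprints the engine which
runs it. Added example, not code from the talk; PROBES is a constructed
sample table."""

from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

# Prefix bindings so the QName arguments below resolve. Real URIs.
NAMESPACES = {
    "xsl": "http://www.w3.org/1999/XSL/Transform",
    "exsl": "http://exslt.org/common",                    # EXSLT common module
    "php": "http://php.net/xsl",                          # PHP ext/xsl bridge
    "redirect": "http://xml.apache.org/xalan/redirect",   # Xalan redirect
    "saxon": "http://saxon.sf.net/",                      # Saxon extensions
}

# Constructed sample table: (kind, QName, what availability implies).
PROBES = [
    ("element", "xsl:document", "XSLT 1.1 draft file output (libxslt)"),
    ("element", "xsl:result-document", "XSLT 2.0 file output"),
    ("element", "exsl:document", "EXSLT file output"),
    ("function", "exsl:node-set", "EXSLT common module present"),
    ("function", "php:function", "PHP callbacks registered"),
    ("element", "redirect:write", "Xalan redirect extension (file output)"),
    ("function", "saxon:evaluate", "Saxon extension functions"),
]
PROPERTIES = ("xsl:vendor", "xsl:vendor-url", "xsl:version")


def probe_line(label, xpath):
    """One output line 'label=value' per probe, so results stay greppable."""
    return (f"    <xsl:text>{escape(label)}=</xsl:text>"
            f"<xsl:value-of select={quoteattr(xpath)}/>"
            f"<xsl:text>&#10;</xsl:text>")


def build_probe(namespaces=NAMESPACES, probes=PROBES):
    """Return the probe stylesheet as text (method="text" output)."""
    decls = " ".join(f"xmlns:{p}={quoteattr(u)}" for p, u in namespaces.items())
    lines = [f'<xsl:stylesheet version="1.0" {decls}>',
             '  <xsl:output method="text"/>',
             '  <xsl:template match="/">']
    for prop in PROPERTIES:
        lines.append(probe_line(f"property:{prop}", f"system-property('{prop}')"))
    for kind, qname, _why in probes:
        if qname.split(":")[0] not in namespaces:
            raise ValueError(f"prefix of {qname!r} is not declared")
        lines.append(probe_line(f"{kind}:{qname}", f"{kind}-available('{qname}')"))
    lines += ["  </xsl:template>", "</xsl:stylesheet>"]
    return "\n".join(lines) + "\n"


def root_tag(stylesheet):
    """Well-formedness check: returns the namespaced root tag or raises."""
    return ET.fromstring(stylesheet).tag


def interpret(output, probes=PROBES):
    """Parse the probe's text output into the vendor string plus the list of
    (QName, meaning) pairs the engine reported as available."""
    values = {}
    for line in output.splitlines():
        label, sep, value = line.partition("=")
        if sep:
            values[label] = value.strip()
    available = [(qname, why) for kind, qname, why in probes
                 if values.get(f"{kind}:{qname}") == "true"]
    return {"vendor": values.get("property:xsl:vendor", "?"), "available": available}


# Constructed sample of what a libxslt-based engine might print (illustrative).
SAMPLE_OUTPUT = """\
property:xsl:vendor=libxslt
property:xsl:vendor-url=http://xmlsoft.org/XSLT/
property:xsl:version=1
element:xsl:document=true
element:xsl:result-document=false
element:exsl:document=true
function:exsl:node-set=true
function:php:function=false
element:redirect:write=false
function:saxon:evaluate=false
"""

if __name__ == "__main__":
    print(build_probe())
    print(interpret(SAMPLE_OUTPUT))
```

The generated stylesheet can be run with any engine (for instance `xsltproc probe.xsl any.xml`, as in the catalog example elsewhere in the talk) against an arbitrary XML input; feeding its output to interpret() lists which dangerous features that engine exposes, which is the information a defender needs to decide whether its secure mode must be enabled.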
Presto
XSLT 1.0
EXSLT
XSLT 2.0
XSLT 1.1
W3C - 1999
W3C - 2007
W3C - 2001 - Draft
Community based - WiP
*
*
So far, nothing really risky
Xalan-J
libxslt
( code execution )
* : includes XSLT 1.0 features too
http://php.net/manual/EN/xsltprocessor.registerphpfunctions.php
http://www.swift.com/corporates/resources/Getting_Started/MIG_ISO20022/EBAM_Signature_Specifications.pdf
What about W3C recommendations
For XML-DSig ?
Nobody follows them :-(
And if your XML-DSig XSLT engine is Xalan-J ...
... it's worse :-(
http://clawslab.nds.rub.de/wiki/index.php/XML_Signature_–_XSLT_Code_Execution
Patch #54446 :
Verified (by me) in April

Still not applied
to trunk

:-(
Do NOT trust vendors

Audit every library of every critical application you have

Use your power (including $ and €) to influence vendors
Customers
Editors
Hackers
A "state of the art" (XML|SOAP)-dsig implementation should not be vulnerable
First XSLT advisories were published in 2001 !
Guninski vs Oracle/IE
Remote code execution
Video: Remote shell
SOAP-dsig
Other Questions ?
Opening of the XML file in a browser
On the fly transformation to XHTML
Visualization of the content
( code execution )
( code execution )
( code execution )
FAQ
Q : How was this presentation created ?
A: With Prezi

Q : Did you test product XYZ ?
A : No, but I can do it for some money
Doing computer security for 10+ years
Half as a consultant, half as an end user
Thanks to customer X !

Brainstorming & Money
Now owner of Agarri

Offensive security only
(pentest, application audit, vulnerability research, ...)
Patched in version 6.0.6 GA
(January 2011)
XMLSpy v2011r3 now supports XML-DSig
(untested)
New !
Mail : nicolas.gregoire@agarri.fr
Blog : http://www.agarri.fr/blog/
Twitter : @Agarri_FR
