Mozilla Firefox XSL Vulnerability (April 3, 2009)


Mozilla Firefox is a web browser which is capable of interpreting and rendering HTML, XML, XUL, JavaScript and so on. The XSL engine built into Firefox supports standard Extensible Stylesheet Language (XSL). The XSL family comprises three languages: XSL Transformations (XSLT), XSL Formatting Objects (XSL-FO) and the XML Path Language (XPath).

The xsl:key element is used to declare keys. It has the following format:

For example, an XML defined as:




An XSL document developer can provide the XPath expression “@id” for the use attribute of the xsl:key element, arbitrarily specifying that the “id” attribute of the company element is to be interpreted as a key value. The XML above can be transformed into an HTML document containing only the company with id=161787:




  
  
  
    Id:

    Name:
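The key lookup described above, written out as an added example rather than the advisory's original listing. The `companies` and `name` elements, the company names, the second id and the key name `company-by-id` are assumptions; only the `company` element, its `id` attribute and the value 161787 come from the text.

```xml
<!-- companies.xml: constructed sample input (names and the second id are made up) -->
<companies>
  <company id="161787">
    <name>Example Corp</name>
  </company>
  <company id="200001">
    <name>Sample Ltd</name>
  </company>
</companies>

<!-- select-company.xsl: separate file, applied to companies.xml -->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>

  <!-- General form in XSLT 1.0:
         <xsl:key name="QName" match="Pattern" use="Expression"/>
       name  : identifier later passed to key()
       match : pattern selecting the nodes to index
       use   : XPath expression evaluated on each matched node
               to produce its key value -->
  <xsl:key name="company-by-id" match="company" use="@id"/>

  <xsl:template match="/">
    <html>
      <body>
        <!-- key() returns only the indexed nodes whose key value
             equals the second argument -->
        <xsl:for-each select="key('company-by-id', '161787')">
          <p>Id: <xsl:value-of select="@id"/></p>
          <p>Name: <xsl:value-of select="name"/></p>
        </xsl:for-each>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
```

The `use` attribute is the input the XSL engine must parse as an XPath expression, which is the attribute the vulnerability described below concerns.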
    

  
  
  

There exists a memory corruption vulnerability in Mozilla Firefox products. Specifically, there is an implementation error in the handling of an invalid XPath expression provided for the use attribute of an xsl:key element. When an XSL transform is performed using a malicious xsl:key, internal memory is not properly released, which leads to memory corruption. A remote attacker could exploit this vulnerability by persuading a target user to open a specially crafted web page. Successful exploitation may allow the attacker to execute arbitrary code on the vulnerable system with the privileges of the target user.

The vulnerability has been assigned CVE-2009-1169.

SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 5457 – Mozilla Firefox XSL Transformation Memory Corruption PoC 1
  • 5458 – Mozilla Firefox XSL Transformation Memory Corruption PoC 2