Apple Safari Webkit libxslt File Creation Vulnerability (Oct 27, 2011)

Safari is a web browser application developed by Apple Inc. and included with the Mac OS X and iOS operating systems. It supports retrieving, presenting, and traversing information resources such as web pages, images, and video on the World Wide Web. Safari is capable of parsing multiple file formats including HTML, CSS, XML, JPG, PIC and so on. Safari is the default web browser for Mac OS X. A simplified version, MobileSafari, runs on Apple iPhone devices. Safari is based on the WebKit rendering engine. WebKit is a development toolkit that allows third-party developers to build applications that use technologies such as HTML and JavaScript. WebKit provides the WebCore HTML parser and the JavaScriptCore JavaScript engine.

Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications. XSLT is a language with an XML-based syntax that is used to transform XML documents into other XML documents, HTML, or other, unstructured formats such as plain text or RTF. For example:

Sample of incoming XML document:

          John     Smith           Morka     Ismincius     

XSLT stylesheet provides templates to transform the XML document:

                                                           

Its evaluation results in a new XML document, having another structure:

     John   Morka  

WebKit uses the GNOME project’s libxslt library to apply XSLT to XML documents. Libxslt supports multiple extensions to XSLT, including many proposed by the EXSLT extensions initiative and some found in the Saxon XSLT and XQuery processor. An arbitrary file creation vulnerability exists in Safari’s use of the WebKit rendering engine. A remote attacker can exploit this vulnerability to create arbitrary files on the target user’s machine. Remote code execution is possible if the attacker can write a file that will be executed by the host OS.
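A static pre-check that a gateway or review script could run on a stylesheet before it reaches libxslt, given here as an added example (it is not SonicWall's signature logic and not code from this advisory). The list of file-writing extension elements is an assumption taken from libxslt's documented extensions, and the function name, sample stylesheets and placeholder path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Extension elements that make libxslt write a separate output document.
# Assumption: list taken from libxslt's documented extensions, not from this
# advisory; verify it against the libxslt build you are protecting.
FILE_OUTPUT_ELEMENTS = {
    ("http://www.w3.org/1999/XSL/Transform", "document"),  # xsl:document (XSLT 1.1 draft)
    ("http://exslt.org/common", "document"),               # exsl:document
    ("http://icl.com/saxon", "output"),                    # saxon:output
    ("http://www.jclark.com/xt", "document"),              # xt:document
}

def find_file_output(stylesheet_text):
    """Return (namespace, element, target) for each file-writing element."""
    if "<!DOCTYPE" in stylesheet_text:
        # Refuse DTDs so entity tricks cannot hide markup or exhaust memory.
        raise ValueError("stylesheet carries a DTD; handle out of band")
    hits = []
    for elem in ET.fromstring(stylesheet_text).iter():
        if not elem.tag.startswith("{"):
            continue  # element in no namespace, e.g. literal result elements
        # Match on the resolved namespace URI: the prefix is author-chosen.
        ns, local = elem.tag[1:].split("}", 1)
        if (ns, local) in FILE_OUTPUT_ELEMENTS:
            hits.append((ns, local, elem.get("href") or elem.get("file")))
    return hits

# Constructed samples (not captured traffic); the path is a placeholder.
SAMPLE_PLAIN = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/persons">
    <root><xsl:apply-templates select="person"/></root>
  </xsl:template>
</xsl:stylesheet>"""

SAMPLE_FLAGGED = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:out="http://exslt.org/common" extension-element-prefixes="out">
  <xsl:template match="/">
    <out:document href="EXAMPLE-OUTPUT-PATH" method="text">x</out:document>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, text in (("plain", SAMPLE_PLAIN), ("flagged", SAMPLE_FLAGGED)):
        print(name, find_file_output(text))
```

A static scan of this kind complements, and does not replace, configuring the XSLT processor itself to refuse file writes.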

The SonicUTM team has researched this vulnerability and created the following IPS signatures to detect attacks targeting it.

  • 2524 Apple Safari Webkit libxslt Arbitrary File Creation 1
  • 2534 Apple Safari Webkit libxslt Arbitrary File Creation 2
  • 7047 Apple Safari Webkit libxslt Arbitrary File Creation Exploit

This vulnerability is tracked as CVE-2011-1774.
