As it usually does, Black Hat (BH) USA 2015 brought major security flaws and a few "dojos" beyond the Android vulnerabilities that got most of the attention, together with other classes of security issues that are much less talked about but still expose serious problems. Over the next couple of blog posts we will wrap up some of the vulnerabilities that fell under the shadow of Certifi-gate and the other superstar vulnerabilities disclosed at the BH USA 2015 conference.
Abusing XSLT for Practical Attacks
Some background before the actual subject is explained: XSLT is a language for transforming XML documents into other XML documents, text documents or HTML documents. You might use it to format a chapter of a book with XSL-FO, or to take the result of a database query and render it as HTML.
The language can be run by client-side processors (e.g. web browsers) or by server-side processors (standalone parsers or the XSLT libraries of programming languages).
What this quick review covers is less a single flaw than a technique: using XSLT to produce documents that are vulnerable to new exploits. XSLT can be leveraged to affect the integrity of arithmetic operations, lead to code logic failures, or cause random values to use the same initialization vector. Error disclosure has always provided valuable information, but with XSLT it becomes possible to partially read system files, which could disclose service or system passwords. Finally, XSLT can be used to compromise end-user confidentiality by abusing the same-origin policy concept present in web browsers. All the research and PoCs can be found in the official paper: https://www.blackhat.com/docs/us-15/materials/us-15-Arnaboldi-Abusing-XSLT-For-Practical-Attacks-wp.pdf.
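To make the file-read case concrete, here is an added example (not from the original post and not from Arnaboldi's paper) that runs the .NET XSLT processor from Windows PowerShell. It assumes an application that compiles a stylesheet supplied by the user; the target file, its contents, the function name and the paths are all constructed for the demonstration.

```powershell
# Added example, not part of the original post or the paper. Shows how the .NET
# processor (XslCompiledTransform) treats an attacker-supplied stylesheet that
# reads a local file through document(): once with its safe defaults, once with
# the document() function switched on. All names and paths are illustrative.

# Constructed "sensitive" server-side file. document() parses its target as XML,
# so XML config files with secrets (web.config connection strings, for example)
# are the natural victims.
$target = Join-Path $env:TEMP 'demo-web.config'
Set-Content -Path $target -Value @"
<configuration>
  <connectionStrings>
    <add name="app" connectionString="Server=db;User=app;Password=hunter2"/>
  </connectionStrings>
</configuration>
"@

# Attacker-supplied stylesheet: it ignores its input document and copies the
# connection string out of the file into the transformation output.
$targetUri = ([Uri]$target).AbsoluteUri
$maliciousXslt = @"
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:value-of select="document('$targetUri')//connectionStrings/add/@connectionString"/>
  </xsl:template>
</xsl:stylesheet>
"@

$inputXml = '<root/>'   # whatever the application would normally transform

function Invoke-XsltDemo {
    param(
        [Parameter(Mandatory)] [string] $Stylesheet,
        [Parameter(Mandatory)] [string] $InputXml,
        [bool] $EnableDocumentFunction = $false
    )
    # XsltSettings(enableDocumentFunction, enableScript); both are $false by
    # default, which is also what Load(XmlReader) without settings uses.
    $settings = New-Object System.Xml.Xsl.XsltSettings($EnableDocumentFunction, $false)
    # The resolver is what actually fetches file: and http: URIs.
    $resolver = New-Object System.Xml.XmlUrlResolver
    $xslt = New-Object System.Xml.Xsl.XslCompiledTransform
    try {
        $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Stylesheet))
        $xslt.Load($reader, $settings, $resolver)
    } catch {
        # With document() disabled the stylesheet is rejected at compile time.
        return "REJECTED: $($_.Exception.Message)"
    }
    $input  = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $InputXml))
    $output = New-Object System.IO.StringWriter
    $arguments = New-Object System.Xml.Xsl.XsltArgumentList
    # Fourth argument: the resolver used for document() calls at run time.
    $xslt.Transform($input, $arguments, $output, $resolver)
    return $output.ToString()
}

"Default (document() disabled): " + (Invoke-XsltDemo -Stylesheet $maliciousXslt -InputXml $inputXml)
"document() enabled:            " + (Invoke-XsltDemo -Stylesheet $maliciousXslt -InputXml $inputXml -EnableDocumentFunction $true)

Remove-Item $target
```

With the default settings the Load call throws because document() is prohibited and nothing is read; with EnableDocumentFunction set to true the transform returns the password from the file. Other processors make the same decision in different places: libxslt exposes security preferences (xsltSetSecurityPrefs) that govern whether document() may read local files, and xsltproc's --nonet only blocks network fetches, not local reads. Check the processor's own setting rather than assuming the default is safe, and treat a user-supplied stylesheet as code, not as data.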
Abusing Windows Management Instrumentation (WMI)
As technology is introduced and subsequently deprecated over time in the Windows operating system, one powerful technology that has remained consistent since Windows NT 4.0 and Windows 95 is Windows Management Instrumentation (WMI). Present on all Windows operating systems, WMI comprises a powerful set of tools used to manage Windows systems both locally and remotely. As attackers increasingly utilise WMI, it is important for defenders, incident responders and forensic analysts to understand WMI and to know how they can wield it to their own advantage. Beyond the attacker tradecraft, the talk showed how WMI can be used as a rudimentary intrusion detection system (IDS), and how to perform forensics on the WMI repository file format.
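As an added example (not code from this post or from the talk it summarises), the following Windows PowerShell 5.1 script shows both defensive uses: enumerating the permanent WMI event subscriptions that attackers rely on for persistence, and a rudimentary WMI IDS rule that writes a log line whenever a new subscription binding is created on the host. It must run elevated; the filter and consumer names, the log path and the poll interval are assumptions.

```powershell
# Added example, not from the original post or the Black Hat talk. Windows
# PowerShell 5.1 (Get-WmiObject / Set-WmiInstance); run elevated. Names, log
# path and poll interval are illustrative assumptions.

# 1. Triage: list every permanent subscription on the host. A clean build has
#    very few of these, so anything unfamiliar deserves a closer look.
function Get-WmiPersistence {
    $ns = 'root/subscription'
    foreach ($binding in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter and Consumer hold object paths; [wmi] dereferences them.
        $filter   = [wmi]$binding.Filter
        $consumer = [wmi]$binding.Consumer
        # The payload lives in a class-specific property of the consumer.
        $payload = switch ($consumer.__CLASS) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            'LogFileEventConsumer'      { $consumer.Filename }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter        = $filter.Name
            Query         = $filter.Query
            ConsumerClass = $consumer.__CLASS
            Consumer      = $consumer.Name
            Payload       = $payload
        }
    }
}

# 2. Detection: a permanent subscription that fires when a new binding appears
#    in root/subscription, which is exactly what installing WMI persistence does.
function Install-WmiSubscriptionMonitor {
    param([string] $LogPath = 'C:\Windows\Temp\wmi-ids.log')   # assumed path
    $ns = 'root/subscription'
    $filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
        Name           = 'IDS_NewSubscriptionBinding'
        EventNamespace = 'root/subscription'
        QueryLanguage  = 'WQL'
        # Intrinsic (polled) event; WITHIN is the poll interval in seconds.
        Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA '__FilterToConsumerBinding'"
    }
    $consumer = Set-WmiInstance -Namespace $ns -Class LogFileEventConsumer -Arguments @{
        Name     = 'IDS_LogNewBinding'
        Filename = $LogPath
        # Standard string template: %TargetInstance.X% expands to the new binding's properties.
        Text     = 'New WMI binding: filter=%TargetInstance.Filter% consumer=%TargetInstance.Consumer%'
    }
    # The binding is what activates the filter/consumer pair.
    Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    } | Out-Null
}

# Clean-up for the monitor installed above.
function Remove-WmiSubscriptionMonitor {
    $ns = 'root/subscription'
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like '*IDS_NewSubscriptionBinding*' } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='IDS_NewSubscriptionBinding'" | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class LogFileEventConsumer -Filter "Name='IDS_LogNewBinding'" | Remove-WmiObject
}

Get-WmiPersistence | Format-Table -AutoSize
Install-WmiSubscriptionMonitor
# Later: Get-Content C:\Windows\Temp\wmi-ids.log ; Remove-WmiSubscriptionMonitor
```

The enumeration is the same check an incident responder would run on a live host, and the IDS rule is deliberately simple: it polls rather than subscribing to an extrinsic event, and an administrator-level attacker can remove it along with anything else. Its value is that it costs nothing to deploy and catches the common case of persistence planted by a tool that never looks for it.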
Server-Side Template Injection
Template injection occurs when user input is embedded into the source of a template rather than passed to it as data, so the template engine evaluates attacker-controlled expressions; in many engines this ends in remote code execution. Template injection is only apparent to auditors who explicitly look for it, and may incorrectly appear to be low severity until resources are invested in assessing the template engine's security posture. This explains why template injection has remained relatively unknown until now; its prevalence in the wild remains to be determined.