cbcvebase.
CVE-2011-1774
published 2011-07-21


Priority: P2 65
Severity: high 8.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:C/A:C
EXPLOIT
EPSS: 43.20% (98.6th percentile)
WebKit in Apple Safari before 5.0.6 has improper libxslt security settings, which allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via a crafted web site. NOTE: this may overlap CVE-2011-1425.

Affected

56 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| apple  | safari  | <= 5.0.5      |          |

Detection & IOCs (extracted from sources)

path: C:\Windows\system32\wbem\mof\
filename: *.mof
filename: *.vbs
  • Detect exploit delivery by inspecting HTTP responses with Content-Type 'application/xml' that contain XSLT transformation markup redirecting output to a file path (xsl:result-document or equivalent libxslt output redirection).
  • Alert on Safari User-Agent strings matching Windows NT 5.1 combined with Version/5.0.x, as the exploit specifically targets this combination.
  • Monitor for creation of random-named .vbs and .mof file pairs on Windows systems, particularly in WMI MOF directories, as the exploit drops a VBS payload and a MOF file to achieve code execution via WMI.
  • Monitor Windows Management Instrumentation (WMI) service for execution of VBS files dropped via browser exploit, as the MOF file is used to trigger WMI execution of the VBS payload.
  • Flag file write operations originating from the Safari/WebKit browser process to arbitrary filesystem paths, especially under C:\Program Files\, as the exploit redirects XSLT output to attacker-controlled paths.
  • The exploit only targets Windows XP (NT 5.1) systems running Safari Version 5.0.x; other platforms or Safari versions are rejected by the exploit's user-agent check.
  • The dropped file content must be ASCII or UTF-8; binary payloads are not directly writable, which is why the exploit wraps the payload in a VBS wrapper before dropping.
  • The destination path for the dropped file can be relative or absolute, meaning detection rules must account for writes to arbitrary locations, not just fixed paths.
  • The module has been tested on Safari and Maxthon browsers, so Maxthon users on Windows XP may also be at risk.
  • This CVE may overlap with CVE-2011-1425, so detections and patches for one may apply to the other.
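
The file-write detections listed above (browser process writing .vbs/.mof files, paired drops, arbitrary destination paths) can be expressed as a check over file-creation events. This is an added example, not part of the source page or of any vendor rule set; the event field names, the process image names `safari.exe` and `maxthon.exe`, the 60-second pairing window and the sample events are assumptions constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

BROWSER_IMAGES = {"safari.exe", "maxthon.exe"}  # assumed process image names
DROP_EXTENSIONS = {".mof", ".vbs"}              # filename IOCs listed on this page
MOF_DIR = r"c:\windows\system32\wbem\mof"       # path IOC listed on this page
PAIR_WINDOW = timedelta(seconds=60)             # assumed correlation window

def classify(event):
    """Label one file-create event; None means it is not of interest."""
    image = ntpath.basename(event["image"]).lower()
    # Normalise first: the destination may be anywhere, so match on the
    # writer and the extension rather than on one fixed directory.
    target = ntpath.normpath(event["target"]).lower()
    ext = ntpath.splitext(target)[1]
    if image not in BROWSER_IMAGES or ext not in DROP_EXTENSIONS:
        return None
    if ext == ".mof" and ntpath.dirname(target) == MOF_DIR:
        return "browser-mof-dir-write"
    return "browser-script-drop"

def find_pairs(events):
    """Return (vbs, mof) targets written by one browser PID within PAIR_WINDOW."""
    hits = [e for e in events if classify(e)]
    vbs_hits = [e for e in hits if e["target"].lower().endswith(".vbs")]
    mof_hits = [e for e in hits if e["target"].lower().endswith(".mof")]
    return [(v["target"], m["target"])
            for v in vbs_hits for m in mof_hits
            if v["pid"] == m["pid"] and abs(v["time"] - m["time"]) <= PAIR_WINDOW]

# Constructed sample events (not taken from any real host or incident).
T0 = datetime(2011, 7, 21, 12, 0, 0)
SAFARI = r"C:\Program Files\Safari\Safari.exe"
SAMPLE_EVENTS = [
    {"time": T0, "pid": 1204, "image": SAFARI,
     "target": r"C:\Program Files\Safari\kqzhtw.vbs"},
    {"time": T0 + timedelta(seconds=2), "pid": 1204, "image": SAFARI,
     "target": r"C:\WINDOWS\system32\wbem\mof\pfxnra.mof"},
    {"time": T0 + timedelta(seconds=5), "pid": 1204, "image": SAFARI,
     "target": r"C:\Documents and Settings\user\Local Settings\Cache.db"},
    {"time": T0 + timedelta(seconds=9), "pid": 3380,
     "image": r"C:\WINDOWS\system32\notepad.exe",
     "target": r"C:\scripts\logon.vbs"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), ev["target"])
    print(find_pairs(SAMPLE_EVENTS))
```

A .vbs written by a non-browser process is deliberately ignored here; the rule keys on the writing process, so tune `BROWSER_IMAGES` to the browsers actually deployed.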