CVE-2011-1774
Published 2011-07-21
Priority P265 | high | 8.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:N/I:C/A:C
EXPLOIT
EPSS 43.20% (98.6th percentile)
WebKit in Apple Safari before 5.0.6 has improper libxslt security settings, which allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via a crafted web site. NOTE: this may overlap CVE-2011-1425.
Affected
56 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | safari | <= 5.0.5 | — |
Detection & IOCs (extracted from sources)
- Detect exploit delivery by inspecting HTTP responses with Content-Type 'application/xml' that contain XSLT transformation markup redirecting output to a file path (xsl:result-document or equivalent libxslt output redirection).
- Alert on Safari User-Agent strings matching Windows NT 5.1 combined with Version/5.0.x, as the exploit specifically targets this combination.
- Monitor for creation of random-named .vbs and .mof file pairs on Windows systems, particularly in WMI MOF directories, as the exploit drops a VBS payload and a MOF file to achieve code execution via WMI.
- Monitor Windows Management Instrumentation (WMI) service for execution of VBS files dropped via browser exploit, as the MOF file is used to trigger WMI execution of the VBS payload.
- Flag file write operations originating from the Safari/WebKit browser process to arbitrary filesystem paths, especially under C:\Program Files\, as the exploit redirects XSLT output to attacker-controlled paths.
- The exploit only targets Windows XP (NT 5.1) systems running Safari Version 5.0.x; other platforms or Safari versions are rejected by the exploit's user-agent check.
- The dropped file content must be ASCII or UTF-8; binary payloads are not directly writable, which is why the exploit wraps the payload in a VBS wrapper before dropping.
- The destination path for the dropped file can be relative or absolute, meaning detection rules must account for writes to arbitrary locations, not just fixed paths.
- The module has been tested on Safari and Maxthon browsers, so Maxthon users on Windows XP may also be at risk.
- This CVE may overlap with CVE-2011-1425, so detections and patches for one may apply to the other.
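The file-pair guidance above can be turned into a correlation rule. The following is an added example, not part of the original page or of any vendor tooling: it flags a browser process that creates both a .vbs and a .mof file within a short window, regardless of destination path. The event field names, the image names safari.exe and maxthon.exe, the 120-second window and all sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Assumptions (not from the page): event field names, image names and the
# pairing window. The page itself only names the Safari and Maxthon browsers.
BROWSER_IMAGES = {"safari.exe", "maxthon.exe"}
WINDOW_SECONDS = 120

def find_vbs_mof_pairs(events, window=WINDOW_SECONDS):
    """Alert when one browser image on one host creates a .vbs and a .mof
    within `window` seconds of each other, wherever the files land."""
    writes = defaultdict(list)
    for ev in events:
        # ntpath parses Windows paths correctly on any analysis host.
        image = ntpath.basename(ev["image"]).lower()
        ext = ntpath.splitext(ev["target"])[1].lower()
        if image in BROWSER_IMAGES and ext in (".vbs", ".mof"):
            writes[(ev["host"], image)].append((ev["ts"], ext, ev["target"]))

    alerts = []
    for (host, image), items in sorted(writes.items()):
        vbs = [(ts, path) for ts, ext, path in items if ext == ".vbs"]
        mof = [(ts, path) for ts, ext, path in items if ext == ".mof"]
        for v_ts, v_path in vbs:
            for m_ts, m_path in mof:
                if abs(m_ts - v_ts) <= window:
                    alerts.append({"host": host, "image": image,
                                   "vbs": v_path, "mof": m_path})
    return alerts

# Constructed file-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "xp-01", "image": r"C:\Program Files\Safari\Safari.exe",
     "target": r"C:\WINDOWS\system32\qKdPzx.vbs"},
    {"ts": 1004, "host": "xp-01", "image": r"C:\Program Files\Safari\Safari.exe",
     "target": r"C:\WINDOWS\system32\wbem\mof\TnRbVe.mof"},
    # A lone .vbs saved by the browser on another host: no pair, no alert.
    {"ts": 2000, "host": "xp-02", "image": r"C:\Program Files\Safari\Safari.exe",
     "target": r"C:\Documents and Settings\alice\Desktop\report.vbs"},
    # A non-browser process writing both types is out of scope for this rule.
    {"ts": 3000, "host": "xp-03", "image": r"C:\WINDOWS\notepad.exe",
     "target": r"C:\scripts\a.vbs"},
    {"ts": 3001, "host": "xp-03", "image": r"C:\WINDOWS\notepad.exe",
     "target": r"C:\scripts\a.mof"},
]
```

Keying on the writing process and the extension pair, rather than on a directory, follows the page's note that the destination path can be relative or absolute.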
Exploit-DB
Apple Safari Webkit - libxslt Arbitrary File Creation (Metasploit)
exploitdb · 2011-10-18
---
##
# $Id: safari_xslt_output.rb 13987 2011-10-18 07:39:50Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Apple Safari Webkit libxslt Arbitrary File Creation',
'Description' => %q{
This module exploits a file creation vulnerability in the Webkit
rendering engine. It is possible to redirect the output of a XSLT
transformation to an arbitrary file. The content of the created file must be
ASCII or UTF-8. The destination path can be relative or absolute. This modul
Metasploit
Cross Platform Webkit File Dropper
This module exploits an XSLT vulnerability in Webkit to drop ASCII or UTF-8 files to the target file-system. By default, the file will be dropped in C:\Program Files\
Metasploit
Apple Safari Webkit libxslt Arbitrary File Creation
This module exploits a file creation vulnerability in the Webkit rendering engine. It is possible to redirect the output of an XSLT transformation to an arbitrary file. The content of the created file must be ASCII or UTF-8. The destination path can be relative or absolute. This module has been tested on Safari and Maxthon. Code execution can be achieved by first uploading the payload to the remote machine in VBS format, and then uploading a MOF file, which enables the Windows Management Instrumentation service to execute the VBS.
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00000.html
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
- http://lists.apple.com/archives/security-announce/2011//Jul/msg00002.html
- http://securityreason.com/securityalert/8481
- http://support.apple.com/kb/HT4808
- http://support.apple.com/kb/HT4981
- http://support.apple.com/kb/HT4999