In 2011, a vulnerability was disclosed in Liferay, an open source web content management system. The vulnerability exists in the XSLT processing engine that lets dynamic XML feeds be displayed as content on a page. A malicious user with access to modify a page can add an XSL “portlet” and configure it to fetch its stylesheet from any HTTP server. The vulnerability is specific to certain XSLT implementations: the Xalan engine used by Tomcat and JBoss is vulnerable because it supports XSL directives that allow Java code to be invoked. By crafting the hosted XSL resource, the malicious user can execute commands in the context of the user running the Liferay application.
In order to trigger the vulnerability, a user must have the privileges necessary to modify a page. The user adds an XSL portlet to the desired page and configures it to retrieve the XSL and XML from a server of the attacker’s choosing. When the page is viewed, the Liferay server sends an HTTP request to the attacker’s server to retrieve the XSL and XML and processes them. By using the “xsl:variable” tag with the “select” parameter, Java functions can be called and variables can be set.
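The root cause is an XSLT processor that evaluates Java extension calls from an untrusted, remotely fetched stylesheet. As an added example (not Liferay's own code, not part of the original post), here is how a Java application would configure a JAXP `TransformerFactory` so that extension functions are disabled and the stylesheet cannot pull in further remote resources; the stylesheet and XML are constructed inputs, and the `ACCESS_EXTERNAL_*` attributes assume a JAXP 1.5 runtime (Java 7u40 or later).

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public final class HardenedXslt {

    /** Builds a factory that refuses extension functions/elements and external resources. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing makes Xalan reject extension functions and extension
        // elements, which is the mechanism the Liferay XSL portlet issue relies on.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Block xsl:import, xsl:include and document() from fetching remote
        // stylesheets or DTDs (JAXP 1.5; older standalone Xalan builds throw
        // IllegalArgumentException here, which should be treated as a hard failure).
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return tf;
    }

    /** Applies an untrusted stylesheet to an XML document under the hardened factory. */
    static String transform(String xsl, String xml) throws Exception {
        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed, benign stylesheet: copies the feed title into a paragraph.
        String xsl = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"html\"/>"
                + "<xsl:template match=\"/\"><p><xsl:value-of select=\"/feed/title\"/></p></xsl:template>"
                + "</xsl:stylesheet>";
        String xml = "<feed><title>Example feed</title></feed>";
        System.out.println(transform(xsl, xml));
    }
}
```

A stylesheet that declares a Xalan Java extension namespace and calls into it will fail at compile or run time under this factory instead of executing, so log that failure: it is a useful indicator that someone has pointed a portlet at a hostile stylesheet.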
SecureState is releasing a Metasploit module that exploits this vulnerability and obtains command execution on the server hosting the vulnerable Liferay application. The module performs the following steps:
- Log in to the portal with the provided credentials
- Optionally create a new page
- Embed and configure an XSL Portlet
- Request the page where the XSL Portlet is held to trigger execution
- Clean up the XSL Portlet and page
The module handles creation of the malicious XSL page and hosts the HTTP server from which it is requested. There are slight variations between versions 5.2.3, 6.0.0, and 6.0.1 and up. The version of the application under test can be set with the target directive, or left at its default setting of “Automatic.” With automatic selection, the version is read from the “Liferay-Portal” header returned by the server, which makes exploitation more reliable.
The tool for this can be found here.