Apple Safari Webkit libxslt File Creation Vulnerability

November 8, 2011

Safari is a web browser application developed by Apple Inc. and included with the Mac OS X and iOS operating systems. It supports retrieving, presenting, and traversing information resources such as web page, image, video on the World Wide Web. Safari is capable of parsing multiple file formats including HTML, CSS, XML, JPG, PIC and so on. Safari is the default web browser for Mac OS X. A simplified version, MobileSafari, runs on Apple iPhone devices. Safari is based on the WebKit rendering engine. WebKit is a development toolkit, which allows third party developers to build applications that use technologies such as HTML and JavaScript. WebKit provides the WebCore HTML parser and the JavaScriptCore JavaScript engine.

Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form. It is defined in the XML 1.0 Specification produced by the W3C, and several other related specifications. XSLT is a language with an XML-based syntax that is used to transform XML documents into other XML documents, HTML, or other, unstructured formats such as plain text or RTF. For example:

Sample of incoming XML document:

          John     Smith           Morka     Ismincius     

XSLT stylesheet provides templates to transform the XML document:


Its evaluation results in a new XML document, having another structure:

     John   Morka  

WebKit uses the GNOME project's libxslt library for applying XSLT to XML documents. Libxslt supports multiple extensions to XSLT, including many proposed by the EXSLT XSLT extensions initiative, and some found in the Saxon XSLT and XQuery processor. An arbitrary file creation vulnerability exists in Safari's use of the WebKit rendering engine. A remote attacker can exploit this vulnerability create arbitrary files on the target user's machine. Remote code execution is possible if the attacker can write a file that will be executed by the host OS.

SonicUTM team has researched this vulnerability and created the following IPS signatures to detect attacks addressing this vulnerability.

  • 2524 Apple Safari Webkit libxslt Arbitrary File Creation 1
  • 2534 Apple Safari Webkit libxslt Arbitrary File Creation 2
  • 7047 Apple Safari Webkit libxslt Arbitrary File Creation Exploit

This vulnerability has been referred by CVE as CVE-2011-1774.