Message-ID: <42569de3.724fd6b3.31c8.15d7@mx.gmail.com>
Date: Fri Apr  8 16:06:18 2005
From: avivra at gmail.com (Aviv Raff)
Subject: Maxthon browser multiple vulnerabilities advisory


Maxthon browser multiple vulnerabilities advisory


URL: http://www.raffon.net/advisories/maxthon/multvulns.html
Date: April 08, 2005
Author: Aviv Raff 


Introduction

"Maxthon Internet Browser software is a powerful tabbed browser with a
highly customizable interface. It is based on the Internet Explorer browser
engine..." (From Maxthon website <http://www.maxthon.com/> ).
In order to enhance the user experience, Maxthon uses a plug-in model.
Maxthon exposes an API which allows plug-ins to read and write files. These
functions allow the plug-ins to perform those operations on any directory on
the running computer. Moreover, in order to call Maxthon's API functions
from a plug-in, a "secure id" must be provided. This id can be easily
fetched, and therefore the API functions can be called from any web site the
user visits.


Technical Details

1) Maxthon's plug-ins use the readFile and writeFile API functions to read
and write files in the plug-in's directory. It is possible to read and write
files in any other directory, because directory traversal character
sequences are not validated.
2) Maxthon allows API functions to be called only when the "security id" of
a plug-in is provided. The "security id" of a plug-in is auto-generated when
the plug-in is used for the first time in the current Maxthon session. Side
bar plug-ins include the "security id" in a file named "max.src" in the
plug-in's directory. By including this file in a script on a web page, it is
possible to call functions that will read and write local files, manage
tabs, etc.

A combination of the above vulnerabilities can be exploited to potentially
allow remote code execution.
Tested versions: 1.2.0; 1.2.1
Older versions might also be affected. 


Proof of Concept

The following is a local file reading proof of concept.
A default Maxthon installation is assumed, and also that the M2Bookmark side
bar plug-in (installed by default) has already been used in the current
Maxthon session.
http://www.raffon.net/advisories/maxthon/nosecidpoc.html



Timetable

27-Mar-2005: Vendor informed.
28-Mar-2005: Vendor confirmed vulnerability.
08-Apr-2005: Vendor published a fixed version.
08-Apr-2005: Public disclosure.



Solution

Upgrade to version 1.2.2.



Disclaimer: The information in this advisory and any of its demonstrations
is provided "as is" without warranty of any kind.

-- Copyright (C) 2005 Aviv Raff. --
