Message-ID: <CAHKx_uun3_xiM7nsF8Zh7juzxTuY60vJUMmK=b+dt3DDcNhmTw@mail.gmail.com>
Date: Wed, 5 Dec 2012 21:21:44 +0100
From: Roberto Suggi Liverani <malerischnet@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Multiple critical vulnerabilities in Maxthon and Avant browsers
Hi,
Below you can find a short summary of discovered vulnerabilities in Maxthon
and Avant browsers.
Such vulnerabilities were demonstrated during the HITBAMS2012 security
conference and more recently at HackPra.
Affected Products
- Maxthon (www.maxthon.com)
- Avant Browser (www.avantbrowser.com)
Security advisories
- [advisory] Maxthon multiple vulnerabilities:
http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf
- [advisory] Avant multiple vulnerabilities:
http://www.security-assessment.com/files/documents/advisory/Avant_multiple_vulnerabilities_advisory.pdf
Individual security advisories, exploit modules and video links can be
found below.
[1] Maxthon - Cross Context Scripting - about: history - Remote Code
Execution
[advisory]
http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html
[metasploit module]
https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb
[demo] http://www.youtube.com/watch?v=d-55asVLqNI
[2] Maxthon - Cross Context Scripting (XCS) - RSS - Remote Code Execution
[advisory]
http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-rss-rce.html
[metasploit module]
https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb
[demo] http://www.youtube.com/watch?v=d-55asVLqNI
[3] Maxthon - Privileged APIs on i.maxthon.com
[advisory]
http://blog.malerisch.net/2012/12/maxthon-privileged-api-imaxthoncom.html
[demo] http://www.youtube.com/watch?v=1IqZBS0O2Hs
[4] Maxthon - Cross Context Scripting (XCS) - Bookmark Toolbar and Bookmark
Sidebar - Code Execution
[advisory]
http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-bookmark.html
[demo] http://www.youtube.com/watch?v=YR0RQz45t3M
[5] Maxthon - Incorrect Executable File Handling and Same Origin Policy
Implementation
[advisory]
http://blog.malerisch.net/2012/12/maxthon-incorrect-executable-file-sop.html
[6] Avant Browser - Same of Origin Policy Bypass - browser:home
[advisory]
http://blog.malerisch.net/2012/12/avant-browser-same-of-origin-policy.html
[BeEF module]
https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history
[demo] http://www.youtube.com/watch?v=I4LiSfTmuM0
[7] Avant Browser - Stored Cross Site Scripting - Feed Reader
(browser://localhost/lst?*)
[advisory]
http://blog.malerisch.net/2012/12/avant-browser-stored-cross-site-scripting.html
[demo] http://www.youtube.com/watch?v=-mShxsspxy8
[8] Avant Browser - Cross Context Scripting - browser:home - Most Visited
And History Tabs
[advisory]
http://blog.malerisch.net/2012/12/avant-browser-cross-context-scripting.html
[demo] http://www.youtube.com/watch?v=cHHtsOpYGH4
References
[presentation] HITBAMS2012 - Window Shopping: Browser Bugs Hunting in 2012
-
http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf
[presentation] HackPra - Cross Context Scripting attacks & exploitation -
http://www.slideshare.net/robertosl81/cross-context-scripting-attacks-exploitation
Any further material, comments or updates will be communicated over
Twitter, at https://twitter.com/malerisch
Roberto Suggi Liverani