Full Disclosure mailing list archives
Maxthon browser multiple vulnerabilities advisory
From: "Aviv Raff" <avivra () gmail com>
Date: Fri, 8 Apr 2005 18:08:11 +0200
Maxthon browser multiple vulnerabilities advisory URL: http://www.raffon.net/advisories/maxthon/multvulns.html Date: April 08, 2005 Author: Aviv Raff Introduction "Maxthon Internet Browser software is a powerful tabbed browser with a highly customizable interface. It is based on the Internet Explorer browser engine..." (From Maxthon website <http://www.maxthon.com/> ). In order to enhance the user experience, Maxthon uses a model of plug-ins. Maxthon exposes an API, which allows plug-ins to read/write to files. These functions allow the plug-ins to perform those operations on any directory in the running computer. Moreover, In order to call Maxthon's API functions from a plug-in, a "secure id" must be provided. This id can be easily fetched, and therefore the API functions can be called from any web site the user visits. Technical Details 1) Maxthon's plug-ins use readFile and writeFile API functions to read and write from/to files on the plug-in's directory. It is possible to read and write from/to files on any other directory, due to lack of directory traversal character sequences validation. 2) Maxthon allows calling to API functions only when a "security id" of a plug-in is provided. The "security id" of a plug-in is auto-generated when a plug-in is used for the first time in the current Maxthon session. Side bar plug-ins include the "security id" in a file named "max.src" on the plug-in's directory. By including this file in a script on a web page, it is possible to call functions that will read and write to local files, manage tabs, etc. A combination of the above vulnerabilities can be exploited to potentially allow remote code execution. Tested versions: 1.2.0; 1.2.1 Older versions might also be affected. Proof of Concept The following is a local file reading proof of concept. Default Maxthon installation is assumed, and also that the, installed by default, M2Bookmark side bar plug-in was already used on the current Maxthon session. http://www.raffon.net/advisories/maxthon/nosecidpoc.html Timetable 27-Mar-2005: Vendor informed. 28-Mar-2005: Vendor confirmed vulnerability. 08-Apr-2005: Vendor published a fixed version. 08-Apr-2005: Public disclosure. Solution Upgrade to version 1.2.2. Disclaimer: The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind. -- Copyright C 2005 Aviv Raff. --
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Maxthon browser multiple vulnerabilities advisory Aviv Raff (Apr 08)