Maxthon browser multiple vulnerabilities advisory

["Aviv Raff" <avivra () gmail com>]

Maxthon browser multiple vulnerabilities advisory


URL: http://www.raffon.net/advisories/maxthon/multvulns.html
Date: April 08, 2005
Author: Aviv Raff 


Introduction

"Maxthon Internet Browser software is a powerful tabbed browser with a
highly customizable interface. It is based on the Internet Explorer browser
engine..." (From Maxthon website <http://www.maxthon.com/> ).
In order to enhance the user experience, Maxthon uses a model of plug-ins.
Maxthon exposes an API, which allows plug-ins to read/write to files. These
functions allow the plug-ins to perform those operations on any directory in
the running computer. Moreover, In order to call Maxthon's API functions
from a plug-in, a "secure id" must be provided. This id can be easily
fetched, and therefore the API functions can be called from any web site the
user visits.


Technical Details

1) Maxthon's plug-ins use readFile and writeFile API functions to read and
write from/to files on the plug-in's directory. It is possible to read and
write from/to files on any other directory, due to lack of directory
traversal character sequences validation.
2) Maxthon allows calling to API functions only when a "security id" of a
plug-in is provided. The "security id" of a plug-in is auto-generated when a
plug-in is used for the first time in the current Maxthon session. Side bar
plug-ins include the "security id" in a file named "max.src" on the
plug-in's directory. By including this file in a script on a web page, it is
possible to call functions that will read and write to local files, manage
tabs, etc.

A combination of the above vulnerabilities can be exploited to potentially
allow remote code execution.
Tested versions: 1.2.0; 1.2.1
Older versions might also be affected. 


Proof of Concept

The following is a local file reading proof of concept.
Default Maxthon installation is assumed, and also that the, installed by
default, M2Bookmark side bar plug-in was already used on the current Maxthon
session.
http://www.raffon.net/advisories/maxthon/nosecidpoc.html



Timetable

27-Mar-2005: Vendor informed.
28-Mar-2005: Vendor confirmed vulnerability.
08-Apr-2005: Vendor published a fixed version.
08-Apr-2005: Public disclosure.



Solution

Upgrade to version 1.2.2.



Disclaimer: The information in this advisory and any of its demonstrations
is provided "as is" without warranty of any kind.

-- Copyright C 2005 Aviv Raff. --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/