Maxthon / Avant Browser XCS / Same Origin Bypass

2012.12.07
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hi,

Below you can find a short summary of discovered vulnerabilities in Maxthon and Avant browsers. Such vulnerabilities were demonstrated during the HITBAMS2012 security conference and more recently at HackPra.

Affected Products
- Maxthon (www.maxthon.com)
- Avant Browser (www.avantbrowser.com)

Security advisories
- [advisory] Maxthon multiple vulnerabilities: http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf
- [advisory] Avant multiple vulnerabilities: http://www.security-assessment.com/files/documents/advisory/Avant_multiple_vulnerabilities_advisory.pdf

Individual security advisories, exploit modules and video links can be found below.

[1] Maxthon - Cross Context Scripting - about:history - Remote Code Execution
[advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html
[metasploit module] https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb
[demo] http://www.youtube.com/watch?v=d-55asVLqNI

[2] Maxthon - Cross Context Scripting (XCS) - RSS - Remote Code Execution
[advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-rss-rce.html
[metasploit module] https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb
[demo] http://www.youtube.com/watch?v=d-55asVLqNI

[3] Maxthon - Privileged APIs on i.maxthon.com
[advisory] http://blog.malerisch.net/2012/12/maxthon-privileged-api-imaxthoncom.html
[demo] http://www.youtube.com/watch?v=1IqZBS0O2Hs

[4] Maxthon - Cross Context Scripting (XCS) - Bookmark Toolbar and Bookmark Sidebar - Code Execution
[advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-bookmark.html
[demo] http://www.youtube.com/watch?v=YR0RQz45t3M

[5] Maxthon - Incorrect Executable File Handling and Same Origin Policy Implementation
[advisory] http://blog.malerisch.net/2012/12/maxthon-incorrect-executable-file-sop.html

[6] Avant Browser - Same of Origin Policy Bypass - browser:home
[advisory] http://blog.malerisch.net/2012/12/avant-browser-same-of-origin-policy.html
[BeEF module] https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history
[demo] http://www.youtube.com/watch?v=I4LiSfTmuM0

[7] Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)
[advisory] http://blog.malerisch.net/2012/12/avant-browser-stored-cross-site-scripting.html
[demo] http://www.youtube.com/watch?v=-mShxsspxy8

[8] Avant Browser - Cross Context Scripting - browser:home - Most Visited And History Tabs
[advisory] http://blog.malerisch.net/2012/12/avant-browser-cross-context-scripting.html
[demo] http://www.youtube.com/watch?v=cHHtsOpYGH4

References
[presentation] HITBAMS2012 - Window Shopping: Browser Bugs Hunting in 2012 - http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf
[presentation] HackPra - Cross Context Scripting attacks & exploitation - http://www.slideshare.net/robertosl81/cross-context-scripting-attacks-exploitation

Any further material, comments or updates will be communicated over Twitter, at https://twitter.com/malerisch

Roberto Suggi Liverani

References:

http://www.security-assessment.com/files/documents/advisory/Avant_multiple_vulnerabilities_advisory.pdf

