[Full-disclosure] Maxthon browser multiple vulnerabilities advisory

Fri, 08 Apr 2005 08:06:43 -0700

Maxthon browser multiple vulnerabilities advisory

URL: http://www.raffon.net/advisories/maxthon/multvulns.html
Date: April 08, 2005
Author: Aviv Raff

Introduction

"Maxthon Internet Browser software is a powerful tabbed browser with a highly customizable interface. It is based on the Internet Explorer browser engine..." (From Maxthon website).
In order to enhance the user experience, Maxthon uses a model of plug-ins. Maxthon exposes an API, which allows plug-ins to read/write to files. These functions allow the plug-ins to perform those operations on any directory in the running computer. Moreover, In order to call Maxthon's API functions from a plug-in, a "secure id" must be provided. This id can be easily fetched, and therefore the API functions can be called from any web site the user visits.

Technical Details

1) Maxthon's plug-ins use readFile and writeFile API functions to read and write from/to files on the plug-in's directory. It is possible to read and write from/to files on any other directory, due to lack of directory traversal character sequences validation.
2) Maxthon allows calling to API functions only when a "security id" of a plug-in is provided. The "security id" of a plug-in is auto-generated when a plug-in is used for the first time in the current Maxthon session. Side bar plug-ins include the "security id" in a file named "max.src" on the plug-in's directory. By including this file in a script on a web page, it is possible to call functions that will read and write to local files, manage tabs, etc.

A combination of the above vulnerabilities can be exploited to potentially allow remote code execution.
Tested versions: 1.2.0; 1.2.1
Older versions might also be affected.

Proof of Concept

The following is a local file reading proof of concept.
Default Maxthon installation is assumed, and also that the, installed by default, M2Bookmark side bar plug-in was already used on the current Maxthon session.
http://www.raffon.net/advisories/maxthon/nosecidpoc.html

Timetable

27-Mar-2005: Vendor informed.
28-Mar-2005: Vendor confirmed vulnerability.
08-Apr-2005: Vendor published a fixed version.
08-Apr-2005: Public disclosure.

Solution

Upgrade to version 1.2.2.

Disclaimer: The information in this advisory and any of its demonstrations is provided "as is" without warranty of any kind.
-- Copyright © 2005 Aviv Raff. --
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to