Vendor Site: Maxthon (www.maxthon.com)
Date: December 5, 2012 - CVE (TBA)
Affected Software: Maxthon 126.96.36.1990 and previous versions
Researcher: Roberto Suggi Liverani - @malerisch
PDF version: Maxthon_multiple_vulnerabilities_advisory.pdf
Incorrect Executable File Handling
This vulnerability can be exploited in multiple ways:
Scenario 1
2. User unblocks the pop-up blocker
Scenario 1 - Impact
The file:// window opens as a new window; SOP is not enforced, so this vulnerability would allow arbitrary code execution.
Scenario 2
User is fooled into bookmarking an executable file
Scenario 2 - Impact
The executable is run directly by Maxthon. The user is not prompted to either download the executable or discard the download.
Scenario 3
SOP vulnerability that allows direct access to the file:// zone from an untrusted zone
Scenario 3 - Impact
Arbitrary command execution.
Same Origin Policy (SOP) Incorrect Implementation
It is possible to bypass the Same Origin Policy (SOP) by using the window.open() method against the about: URI scheme. Such URIs are mapped to the privileged zone mx://res/*. However, when window.open() is invoked directly against mx://res/, the SOP is applied and access is forbidden. The following table summarises the test cases conducted with the window.open() method (opener -> target - result):
- http:// -> file:// - Prompts the pop-up blocker; if the user allows the pop-up, the file:// window is opened.
- http:// -> about:* - Spawns a new window; SOP is not enforced against it.
- http:// -> mx://res/* - Forbidden by SOP.
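The test matrix above can be reproduced with a small probe page. The following is an added example and not the researcher's own test code: it calls window.open() for each target, then attempts the cross-window reads (location.href, document.documentElement) that the SOP must forbid for a foreign origin, and classifies the result as popup-blocked, forbidden by SOP, or SOP not enforced. The target list, the Outcome labels and the offline fake opener used in the test are assumptions for illustration; the Maxthon zone mapping itself is not simulated.

```javascript
// Added example: a generic window.open() SOP probe in the spirit of the
// advisory's test matrix. It is not the advisory's test page and does not
// model Maxthon's about: -> mx://res/ mapping; it only records how the
// browser under test treats each opener -> target pair. Run it from an
// http:// page in a real browser, or pass any object with open(url, name).
"use strict";

// Outcomes a single probe can produce (labels are this example's own).
const Outcome = Object.freeze({
  BLOCKED: "popup blocked",      // window.open() returned null
  ENFORCED: "forbidden by SOP",  // cross-origin access threw SecurityError
  BYPASS: "SOP not enforced",    // the opener could read the new window
});

// Open `target` via `opener.open` and then try to read across the boundary.
// `opener` is `window` in a browser; the test uses a constructed fake.
function probeSop(opener, target) {
  const win = opener.open(target, "_blank");
  if (win === null || win === undefined) {
    return { target, outcome: Outcome.BLOCKED };
  }
  try {
    // A same-origin opener may read these; a cross-origin opener must not.
    const href = win.location.href;
    const root = win.document.documentElement;
    return {
      target,
      outcome: Outcome.BYPASS,
      href,
      tag: root ? root.tagName : null,
    };
  } catch (err) {
    // Browsers signal cross-origin access with a DOMException named SecurityError.
    return { target, outcome: Outcome.ENFORCED, error: String(err.name || err) };
  }
}

// Run the advisory's three targets (assumed concrete URIs) or any extras.
function runMatrix(opener, targets = ["file:///", "about:blank", "mx://res/"]) {
  return targets.map((t) => probeSop(opener, t));
}

// Render results in the advisory's "opener -> target - result" style.
function formatMatrix(openerScheme, results) {
  return results
    .map((r) => `- ${openerScheme} -> ${r.target} - ${r.outcome}`)
    .join("\n");
}

// In a browser: console.log(formatMatrix("http://", runMatrix(window)));
if (typeof window !== "undefined" && typeof window.open === "function") {
  console.log(formatMatrix(window.location.protocol + "//", runMatrix(window)));
}
```

One caveat when reading the output: in a standards-compliant browser about:blank opened from an http:// page inherits the opener's origin, so a readable about:blank is not by itself a finding. The issue reported here is that Maxthon mapped about:* onto the privileged mx://res/* zone, which is why a readable about: window mattered; a file:// or mx://res/ window that is readable from http:// is a finding in any browser.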
Disclosure Timeline
13/02/2012 - Bug reported to multiple contacts
21/02/2012 - Reception of report confirmed but no further reply
21/02/2012 - Chased vendor - no reply
12/05/2012 - HITB2012AMS - bug disclosed during presentation
02/11/2012 - 25 new releases following the report - 2 bugs silently fixed
14/11/2012 - HackPra - bug and exploit module presented
Recommendation
Do not use the Maxthon browser.