Vendor Site: Maxthon (www.maxthon.com)
Date: December, 5 2012 – CVE (TBA)
Affected Software: Maxthon 220.127.116.110 and previous versions
Status: Unpatched (at the time of publishing)
Researcher: Roberto Suggi Liverani - @malerisch
PDF version: Maxthon_multiple_vulnerabilities_advisory.pdf
Cross Context Scripting
http://x.x.x.x/maliciouspage.html#"><img src=a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")'>
Injected payload is rendered in both the <img> and <a> elements of a history item, as shown below:
Most recently, only a single injection point is possible after some silent fixes from Maxthon. The about:history is mapped to mx://res/history/index.htm, as shown in the screen shot below:
A malicious user would need to convince a user to visit a link to exploit this vulnerability.
The exploitation is divided into three phases:
 Create an entry in the history page which contains the injection - injection via location.hash
 Redirect browser to the about:history page to trigger execution in the Maxthon trusted zone maliciouspage.html would contain something as:
Note this redirection should not occur since it is invoked from a page on the Internet (http://) - due to the protocol mismatch, same-origin policy should trigger.
 Invoke privileged Maxthon DOM API interfaces/objects to achieve remote code execution
From the about:history which is mapped to the mx:// it is possible to invoke special DOM API interfaces and objects, such as maxthon.io and maxthon.program. These special objects can be misused to achieve code execution.
Following disclosure of the bugs during HITB2012AMS conference, it was observed that the maxthon.program object was silently removed by Maxthon in recent versions. This only allows a malicious user to read and write files on the system.
Code execution without incurring in a warning or user prompt can still be achieved by overwriting an executable which can be called directly by the browser. A "dirty" way is to overwrite j2plauncher.exe assuming the victim has either JRE/JDK installed on the machine. The second step would be to force Maxthon to load java.exe (e.g. create an iframe that points to a page which loads a Java Applet). This approach was successfully tested on Windows 7.
On Windows XP, there are more choices to overwrite executable files, e.g. C:\\Program\ Files\\Outlook\ Express\\wab.exe and then force browser to invoke wab.exe via window.location='ldap://dummy'.
The PoC Metasploit module includes the "dirty" Java overwrite approach described above.
Maxthon - Cross Context Scripting (XCS) - about:history - Java overwrite technique - Metasploit in action:
Maxthon - Cross Context Scripting (XCS) - about:history - maxthon.program technique - Metasploit in action:
13/02/2012 - Bug reported to multiple contacts
21/02/2012 - Reception of report confirmed but no further reply
21/02/2012 - Chased vendors - no reply
12/05/2012 - HITB2012AMS - bug disclosed during presentation
02/11/2012 - 25 new releases following the report – 2 bugs silently fixed
14/11/2012 - HackPra - bug and exploit module presented
Do not use Maxthon browser.