Hi,
Below you can find a short summary of discovered vulnerabilities in
Maxthon and Avant browsers.
Such vulnerabilities were demonstrated during HITBAMS2012 security
conference and more recently at HackPra.
Affected Products
Security advisories
Individual security advisories, exploit modules and video links can be
found below.
[1] Maxthon - Cross Context Scripting - about: history - Remote Code Execution
[advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html
[metasploit module] https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb
[demo] http://www.youtube.com/watch?v=d-55asVLqNI
[2] Maxthon - Cross Context Scripting (XCS) - RSS - Remote Code Execution
[advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-rss-rce.html
[metasploit module] https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb
[demo] http://www.youtube.com/watch?v=d-55asVLqNI
[3] Maxthon - Privileged APIs on i.maxthon.com
[advisory] http://blog.malerisch.net/2012/12/maxthon-privileged-api-imaxthoncom.html
[demo] http://www.youtube.com/watch?v=1IqZBS0O2Hs
[4] Maxthon - Cross Context Scripting (XCS) - Bookmark Toolbar and Bookmark Sidebar - Code Execution
[advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-bookmark.html
[demo] http://www.youtube.com/watch?v=YR0RQz45t3M
[5] Maxthon - Incorrect Executable File Handling and Same Origin Policy Implementation
[advisory] http://blog.malerisch.net/2012/12/maxthon-incorrect-executable-file-sop.html
[6] Avant Browser - Same of Origin Policy Bypass - browser:home
[advisory] http://blog.malerisch.net/2012/12/avant-browser-same-of-origin-policy.html
[BeEF module] https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history
[demo] http://www.youtube.com/watch?v=I4LiSfTmuM0
[7] Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)
[advisory] http://blog.malerisch.net/2012/12/avant-browser-stored-cross-site-scripting.html
[demo] http://www.youtube.com/watch?v=-mShxsspxy8
[8] Avant Browser - Cross Context Scripting - browser:home - Most Visited And History Tabs
[advisory] http://blog.malerisch.net/2012/12/avant-browser-cross-context-scripting.html
[demo] http://www.youtube.com/watch?v=cHHtsOpYGH4
References
[presentation] HITBAMS2012 - Window Shopping: Browser Bugs Hunting in 2012 - http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf
[presentation] HackPra - Cross Context Scripting attacks & exploitation - http://www.slideshare.net/robertosl81/cross-context-scripting-attacks-exploitation
Any further material, comments or updates will be communicated over Twitter, at https://twitter.com/malerisch
Roberto Suggi Liverani