Multiple critical vulnerabilities in Maxthon and Avant browsers
Hi,

Below you can find a short summary of discovered vulnerabilities in Maxthon and Avant browsers. These vulnerabilities were demonstrated during the HITBAMS2012 security conference and more recently at HackPra.

Affected Products
- Maxthon (www.maxthon.com)
- Avant Browser (www.avantbrowser.com)

Security advisories
- [advisory] Maxthon multiple vulnerabilities: http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf
- [advisory] Avant multiple vulnerabilities: http://www.security-assessment.com/files/documents/advisory/Avant_multiple_vulnerabilities_advisory.pdf

Individual security advisories, exploit modules and video links can be found below.

[1] Maxthon - Cross Context Scripting - about:history - Remote Code Execution
    [advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html
    [metasploit module] https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb
    [demo] http://www.youtube.com/watch?v=d-55asVLqNI

[2] Maxthon - Cross Context Scripting (XCS) - RSS - Remote Code Execution
    [advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-rss-rce.html
    [metasploit module] https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb
    [demo] http://www.youtube.com/watch?v=d-55asVLqNI

[3] Maxthon - Privileged APIs on i.maxthon.com
    [advisory] http://blog.malerisch.net/2012/12/maxthon-privileged-api-imaxthoncom.html
    [demo] http://www.youtube.com/watch?v=1IqZBS0O2Hs

[4] Maxthon - Cross Context Scripting (XCS) - Bookmark Toolbar and Bookmark Sidebar - Code Execution
    [advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-bookmark.html
    [demo] http://www.youtube.com/watch?v=YR0RQz45t3M

[5] Maxthon - Incorrect Executable File Handling and Same Origin Policy Implementation
    [advisory] http://blog.malerisch.net/2012/12/maxthon-incorrect-executable-file-sop.html

[6] Avant Browser - Same of Origin Policy Bypass - browser:home
    [advisory] http://blog.malerisch.net/2012/12/avant-browser-same-of-origin-policy.html
    [BeEF module] https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history
    [demo] http://www.youtube.com/watch?v=I4LiSfTmuM0

[7] Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*)
    [advisory] http://blog.malerisch.net/2012/12/avant-browser-stored-cross-site-scripting.html
    [demo] http://www.youtube.com/watch?v=-mShxsspxy8

[8] Avant Browser - Cross Context Scripting - browser:home - Most Visited And History Tabs
    [advisory] http://blog.malerisch.net/2012/12/avant-browser-cross-context-scripting.html
    [demo] http://www.youtube.com/watch?v=cHHtsOpYGH4

References
[presentation] HITBAMS2012 - Window Shopping: Browser Bugs Hunting in 2012 - http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf
[presentation] HackPra - Cross Context Scripting attacks exploitation - http://www.slideshare.net/robertosl81/cross-context-scripting-attacks-exploitation

Any further material, comments or updates will be communicated over Twitter, at https://twitter.com/malerisch

Roberto Suggi Liverani
Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
Hi Michael,

Let me share some background on this advisory...

I came to this result when I was looking into a way of exploiting the Apache Web Server "Compatibility with older browser" feature. A separate paper has been published here:
http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf

Interestingly enough, I got the idea of using a Java Applet to achieve the attack described above after I bumped into the following from your browser security handbook (http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_Java):

    The ability to send same-origin HTTP requests using the browser stack via the URLConnection API, with virtually no security controls, including the ability to set Host headers, or insert conflicting caching directives. On the upside, it appears that there is no ability to read 30x redirect bodies or httponly cookies from within applets.

After that, I thought a Java Applet could be quite handy when it comes to forcing the browser to perform a non-standard/malformed HTTP request (e.g. multiple Host: headers, which exploits the Apache feature mentioned above). At the same time, I also realised that in my testing environment I was using virtual hosts resolving to the same IP address. Following a discussion with the Apache Security Team and after further research, I found that the Java Applet could be used to control the cookie header sent to a different domain...

But let's come back to your response - you mention a bug from Stefano, but I am not aware whether it is the same bug or a different one. When I contacted the vendor, they created a new ticket for the bug and told me that it would be fixed with the next critical patch release in October 2010. They didn't mention that anyone had already reported an identical bug, as they normally do when cross-referring bug reports. Apologies in advance if this is a bug Stefano or someone else reported before August the 1st. Furthermore, my testing was performed on the latest version of the JRE (build 1.6.0_21-b07), so I assumed (wrongly?) that all previous critical bugs were fixed.

The main issue reported is related to the getRequestProperty('cookie') property, which can be controlled by a Java Applet. This could lead to leaking cookies to unauthorised domains, given the attack is performed between domains that resolve to the same IP address. The fix provided by Oracle is that getRequestProperty('cookie') now returns a 'Null' value and can no longer be controlled via the Java Applet, even if the URLConnection class is used to perform a cross site request between domains that resolve to the same IP address.

The fix effectively mitigates the attack shown in the PoC but does not resolve the behavior you mention:

    Two hosts are considered equivalent if both host names can be resolved into the same IP addresses

Unfortunately, the above statement is still enforced in Java Applets, as the URLConnection class can be used to make a request between two domains that resolve to the same IP address without a crossdomain.xml policy.

In my advisory, I stated:

    The Java Applet bypasses the Same-of-Origin policy (SOP) as an unsigned Java Applet should not be able to communicate from www.badsite.com to www.targetsite.net without a crossdomain.xml.

According to the documentation/design, there is no SOP bypass, as both hosts are considered equivalent. However, in practice, there is a SOP bypass, as a cookie can leak to an unauthorised domain.

Hope this sheds some light on this research ;-). Apologies if I didn't explain the above well enough in the original advisory.

Cheers,

Roberto

Michal Zalewski wrote:
>> Security-Assessment.com follows responsible disclosure and promptly contacted Oracle after discovering the issue. Oracle was contacted on August 1, 2010.
>
> My understanding is that Stefano Di Paola of Minded Security reported this back in April; and further, the feature was a part of reasonably well-documented functionality of Java pretty much ever since:
> http://download.oracle.com/javase/6/docs/api/java/net/URL.html
>
>     Two hosts are considered equivalent if both host names can be resolved into the same IP addresses
>
> This was a pretty horrible design, so it's good to see it gone, though.
>
> /mz

--
Roberto Suggi Liverani
Senior Security Consultant
Mob. +64 21 928 780
www.security-assessment.com
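The host-equivalence rule quoted in the exchange above (and in the advisory that follows), as an added example that is not part of either message or of the advisory's applet: java.net.URL.equals() still decides host equality by resolving both names, so two names sharing an address compare equal, while a browser-style origin check compares scheme, host string and port as written. It assumes that localhost resolves to 127.0.0.1 on the machine it runs on; those two names stand in for www.badsite.com and www.targetsite.net from the PoC.

```java
import java.net.InetAddress;
import java.net.URL;

// Added example (not the advisory's applet or Oracle's code): the host
// equivalence rule both messages above quote, next to a strict origin check.
// Assumes localhost resolves to 127.0.0.1 on this machine; the two names
// stand in for www.badsite.com and www.targetsite.net from the PoC.
public class OriginCheck {

    // The quoted rule as java.net.URL implements it: equals() resolves both
    // host names and treats them as the same host when the addresses match.
    static boolean javaConsidersEquivalent(String a, String b) throws Exception {
        return new URL(a).equals(new URL(b));
    }

    // Browser-style origin: scheme, host string and effective port must match
    // as written. DNS is never consulted, so two names that share an address
    // are still two distinct origins.
    static boolean sameOrigin(String a, String b) throws Exception {
        URL ua = new URL(a), ub = new URL(b);
        int pa = ua.getPort() == -1 ? ua.getDefaultPort() : ua.getPort();
        int pb = ub.getPort() == -1 ? ub.getDefaultPort() : ub.getPort();
        return ua.getProtocol().equalsIgnoreCase(ub.getProtocol())
            && ua.getHost().equalsIgnoreCase(ub.getHost())
            && pa == pb;
    }

    // Shows why the two names collide under the old rule: any shared address.
    static boolean shareAnAddress(String hostA, String hostB) throws Exception {
        for (InetAddress x : InetAddress.getAllByName(hostA)) {
            for (InetAddress y : InetAddress.getAllByName(hostB)) {
                if (x.equals(y)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String attacker = "http://localhost/";   // stands in for www.badsite.com
        String target = "http://127.0.0.1/";     // stands in for www.targetsite.net
        System.out.println("share an address:        " + shareAnAddress("localhost", "127.0.0.1"));
        System.out.println("URL.equals() says same:  " + javaConsidersEquivalent(attacker, target));
        System.out.println("strict origin says same: " + sameOrigin(attacker, target));
    }
}
```

Under the stated assumption the first two checks report true and the strict check reports false, which is the gap between the documented design and a browser's notion of origin that the reply above describes.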
Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

PDF: http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf
CVE Identifier: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3573

+---+
|Description|
+---+
Security-Assessment.com discovered that a Java Applet making use of the java.net.URLConnection class can be used to bypass the Same-Origin Policy (SOP) and domain-based security controls in modern browsers when communication occurs between two domains that resolve to the same IP address. This advisory includes a Proof-of-Concept (PoC) demo and the Java Applet source code, which demonstrate how this weakness can be exploited to leak cookie information to an unauthorised domain that resides on the same host IP address.

+---+
|Exploitation|
+---+
The Flash movie demo can be viewed at the following link:
http://www.security-assessment.com/files/advisories/java_net_urlconnection_sop_bypass_demo.swf

The Proof of Concept (PoC) in the demo demonstrates that a Cross Site Request Forgery (XSRF) attack can be leveraged by using a Java Applet which implements the java.net.URLConnection class. Traditionally, XSRF is used to force a user to perform an unwanted action on a target web site. In this case, the PoC shows that XSRF can be used to capture sensitive information such as the cookie associated with a target web site.

The following assumptions are made in this PoC:
1. Virtual hosts www.targetsite.net and www.badsite.com resolve to the same IP address;
2. The malicious user controls the www.badsite.com web site;
3. The malicious user targets www.targetsite.net users.

The following list summarises the sequence of actions shown in the demo:
1. The user has a valid cookie for www.targetsite.net.
2. The same user visits www.badsite.com, which performs a cross site forged request to www.targetsite.net. The forged request is performed by a Java Applet embedded on the malicious site. The Java Applet bypasses the Same-Origin Policy, as an unsigned Java Applet should not be able to communicate from www.badsite.com to www.targetsite.net without a crossdomain.xml policy file.
3. The Java Applet performs a first GET request to www.targetsite.net. At this stage, the Java Applet controls the Cookie: header sent to www.targetsite.net through the getRequestProperty(cookie) method. This is in breach of SOP.
4. A second request is made for the purpose of the demo, which leaks the www.targetsite.net cookies to www.badsite.com via an HTTP GET request.

Testing was successfully performed using Java(TM) SE Runtime Environment (build 1.6.0_21-b07) and the following browsers:
- Mozilla Firefox 3.5.8 (Windows XP)
- Opera 10.60 (Windows XP)
- Internet Explorer 6.0.2900.5512 (Windows XP)
- Google Chrome 5.0.375.9 (Windows XP)
- Internet Explorer 8.0.6001.18702 (Windows XP)
- Safari 5.0 (7533.16) (Windows XP)

The Java Applet source code used in the demo can be downloaded at the following link:
http://www.security-assessment.com/files/advisories/MaliciousJavaApplet.zip

+---+
|Solution|
+---+
Security-Assessment.com follows responsible disclosure and promptly contacted Oracle after discovering the issue. Oracle was contacted on August 1, 2010. Oracle has created a fix for this vulnerability, which has been included as part of the Critical Patch Update Advisory - October 2010. Security-Assessment.com recommends that all users of the JRE and JDK upgrade to the latest version as soon as possible. For more information on the new release of the JRE/JDK please refer to the link:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

+---+
|Credit|
+---+
Discovered and advised to Oracle August 2010 by Roberto Suggi Liverani of Security-Assessment.com.
Personal site: http://malerisch.net

+---+
|Extra|
+---+
Another interesting attack was discovered as part of the research on this vulnerability. This attack is another example of leveraging XSRF, with the potential of leaking cookie, basic and digest authentication tokens, using a Java Applet and the "Compatibility with older browser" feature in the Apache Web Server. For a PDF version of this research please follow the link below:
http://www.security-assessment.com/files/whitepapers/Leveraging_XSRF_with_Apache_Web_Server_Compatibility_with_older_browser_feature_and_Java_Applet.pdf

+---+
|About Security-Assessment.com|
+---+
Security-Assessment.com is a New Zealand based world leader in web
Security-Assessment.com WhitePaper/Addendum: Cross Context Scripting with Firefox Exploiting Cross Context Scripting vulnerabilities in Firefox
Hi there,

For the last year, we have been focusing on Firefox Extension security and we have now released a research paper and an addendum on the topic of Cross Context Scripting (XCS).

The research paper "Cross Context Scripting with Firefox" demonstrates different ways of attacking Firefox extensions via Cross Context Scripting (XCS) vulnerabilities. Several XCS cases are detailed, including vulnerable extension code and exploits.

Cross Context Scripting with Firefox - Roberto Suggi Liverani
Link: http://www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf

The addendum "Exploiting Cross Context Scripting vulnerabilities in Firefox" includes a number of exploits tailored for Cross Context Scripting vulnerabilities.

Exploiting Cross Context Scripting vulnerabilities in Firefox - Nick Freeman, Roberto Suggi Liverani
Link: http://www.security-assessment.com/files/whitepapers/Exploiting_Cross_Context_Scripting_vulnerabilities_in_Firefox.pdf

+---+
|Abstract|
+---+
Cross Context Scripting (XCS) is a term coined for browser-based content injection into the Firefox chrome zone. This term was originally used by researcher Petko D. Petkov (pdp) when David Kierznowski found a vulnerability in the Sage RSS Reader Firefox extension. XCS injection occurs between different security zones: an untrusted and a trusted zone. This paper details several XCS cases. XCS attacks may be possible due to a lack of input filtering controls, for example. However, other components may be vulnerable as well, including wrappers, XPCOM components, XUL overlays, the browser sandbox and DOM events. This paper can be seen as complementary to the presentations given at the EUSecWest 2009, DEFCON 17 and SecurityByte OWASP AppSec Asia 2009 security conferences.

+---+
|Acknowledgements|
+---+
Special thanks go to Paul Craig, kuza55 and Stefano Di Paola for their invaluable feedback.

+---+
|About Security-Assessment.com|
+---+
Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom.

--
Roberto Suggi Liverani
Senior Security Consultant
Mob. +64 21 928 780
www.security-assessment.com
Multiple Adobe Products - XML External Entity And XML Injection Vulnerabilities
1. BlazeDS 3.2.0.39
   Linux Ubuntu 9.04 / Tomcat 6.0.14
   Endpoint URIs:
     {server.name}:{server.port}/{context.root}/messagebroker/http
     {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS

2. Adobe LiveCycle Data Services ES2 3.0
   Windows XP SP2 / Tomcat 6.0.14
   Endpoint URIs:
     {server.name}:{server.port}/{context.root}/messagebroker/http
     {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS

3. ColdFusion 9.0
   Windows XP SP2 / Tomcat 6.0.14
   Endpoint URIs:
     {server.name}:{server.port}/{context.root}/flex2gateway/http
     {server.name}:{server.port}/{context.root}/flex2gateway/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS

4. Adobe LiveCycle ES2
   Windows XP SP2 / IBM Websphere 7.0
   Endpoint URIs:
     {server.name}:{server.port}/{context.root}/messagebroker/http
     {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS

The vendor has released several patches for this vulnerability. See the Solution section of this document for more information.

+---+
|Exploitation - XML Injection|
+---+
The XML parser lacks proper input and output validation controls. Security-Assessment.com managed to inject arbitrary XML content which was returned in the XML response. The following request and response show an XML injection in the BlazeDS HTTPChannel. The injected payload becomes part of the response. In this case, injection is possible via the "responseURI" attribute.

XMLInjection – BlazeDS - Request

    POST /samples/messagebroker/http HTTP/1.1
    Content-type: application/x-amf

    <?xml version="1.0" encoding="utf-8"?>
    <amfx ver="3"><body targetURI="" responseURI="d&quot; injectedattr=&quot;anything"><null/></body></amfx>

XMLInjection – BlazeDS - Response

    <?xml version="1.0" encoding="utf-8"?>
    <amfx ver="3"><body targetURI="d" injectedattr="anything" responseURI=""><null/></body></amfx></body></amfx>

The above injection was successfully tested on multiple Adobe products, as shown below:

1. Product: Adobe BlazeDS 3.2.0.39
   Linux Ubuntu 9.04 / Tomcat 6.0.14
   Endpoint URIs:
     {server.name}:{server.port}/{context.root}/messagebroker/http
     {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS

2. Adobe LiveCycle Data Services ES2 3.0
   Windows XP SP2 / Tomcat 6.0.14
   Endpoint URIs:
     {server.name}:{server.port}/{context.root}/messagebroker/http
     {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS

3. ColdFusion 9.0
   Windows XP SP2 / Tomcat 6.0.14
   Endpoint URIs:
     {server.name}:{server.port}/{context.root}/flex2gateway/http
     {server.name}:{server.port}/{context.root}/flex2gateway/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS

4. Adobe LiveCycle ES2
   Windows XP SP2 / IBM Websphere 7.0
   Endpoint URIs:
     {server.name}:{server.port}/{context.root}/messagebroker/http
     {server.name}:{server.port}/{context.root}/messagebroker/httpsecure
   Methods: POST, GET
   Protocols: HTTP, HTTPS

The vendor has released several patches for this vulnerability. See the Solution section of this document for more information.

+---+
|Solution|
+---+
Security-Assessment.com follows responsible disclosure and promptly contacted the vendor after discovering the issues. The vendor was contacted on the 6th November 2009 and a reply was received on the same day. The vendor released security patches on the 11th February 2010. The security patches can be downloaded at the following website:
http://www.adobe.com/support/security/bulletins/apsb10-05.html

+---+
|Credit|
+---+
Discovered and advised to Adobe in November 2009 by Roberto Suggi Liverani of Security-Assessment.com.
Personal Page: http://malerisch.net/

For full details regarding this vulnerability download the PDF from our website:
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf

+---+
|Greetings|
+---+
Bug found at Hack in The Sun 2009, Waiheke Island.

+---+
|About Security-Assessment.com|
+---+
Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom.

Roberto Suggi Liverani
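As an added example of the responseURI reflection shown in the Adobe advisory above (not the advisory's or Adobe's code), the Python block below builds an AMFX response the way a reflecting endpoint would, by string concatenation, beside two builders that escape the attribute value, and a check a gateway or WAF could apply: a <body> element carrying any attribute other than targetURI and responseURI means a value broke out of its attribute. The injected value is the advisory's own payload; the concatenating builder is an assumed reconstruction of the defect, not BlazeDS source.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed payload mirroring the advisory's request: the quote closes the
# attribute early and a second attribute, injectedattr, rides along with it.
INJECTED_RESPONSE_URI = 'd" injectedattr="anything'

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>'
ALLOWED_BODY_ATTRS = {"targetURI", "responseURI"}


def build_amfx_response_unsafe(response_uri):
    """The reflecting pattern behind the advisory (assumed, not Adobe's code):
    the client's responseURI becomes the response targetURI by concatenation,
    so an embedded quote ends the attribute and the rest becomes markup."""
    return (XML_DECL + '<amfx ver="3"><body targetURI="' + response_uri
            + '" responseURI=""><null/></body></amfx>')


def build_amfx_response_escaped(response_uri):
    """Hand-written template made safe: quoteattr() returns the value already
    quoted and entity-escaped, so the quote stays inside the attribute."""
    return (XML_DECL + '<amfx ver="3"><body targetURI=' + quoteattr(response_uri)
            + ' responseURI=""><null/></body></amfx>')


def build_amfx_response_safe(response_uri):
    """Same document built through the XML library, which escapes attribute
    values on serialisation; nothing the client sends can become structure."""
    amfx = ET.Element("amfx", ver="3")
    body = ET.SubElement(amfx, "body", targetURI=response_uri, responseURI="")
    ET.SubElement(body, "null")
    return XML_DECL + ET.tostring(amfx, encoding="unicode")


def body_attributes(xml_text):
    """Parse an AMFX message and return the attributes of its <body> element."""
    root = ET.fromstring(xml_text)
    return dict(root.find("body").attrib)


def is_tampered(xml_text):
    """True when <body> carries attributes beyond the two the protocol defines.
    That residue is what a successful injection leaves behind, so a gateway or
    WAF can reject such messages in either direction."""
    return not set(body_attributes(xml_text)) <= ALLOWED_BODY_ATTRS


if __name__ == "__main__":
    for name, builder in [("unsafe", build_amfx_response_unsafe),
                          ("escaped", build_amfx_response_escaped),
                          ("library", build_amfx_response_safe)]:
        doc = builder(INJECTED_RESPONSE_URI)
        print(f"{name:8s} tampered={is_tampered(doc)} body={body_attributes(doc)}")
```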
CoolPreviews - Firefox Extension - Chrome Privileged Code Injection
CoolPreviews Chrome Privileged Code Injection

+---+
|Description|
+---+
Security-Assessment.com discovered that the CoolPreviews stack feature is vulnerable to Cross Site Scripting injection. The CoolPreviews stack previews link content within a chrome window positioned on the right side of the browser window. A malicious page is then able to pass arbitrary browser code, such as JavaScript, via a link that points to a data URI which embeds the cross site scripting payload. The injected browser code is rendered and executed in the chrome privileged Firefox zone. The code is automatically executed when the user adds the malicious link to the stack (by default, right click and then Cool Previews – Add To Stack).

+---+
|Exploitation|
+---+
This vulnerability can be exploited in several ways. As the injection point is in the chrome privileged browser zone, it is possible to bypass Same Origin Policy (SOP) protections, and also to access Mozilla built-in XPCOM components. XPCOM components can be used to read from and write to the file system, as well as to execute arbitrary commands, steal stored passwords, or modify other Firefox extensions.

+---+
|Solution|
+---+
Security-Assessment.com follows responsible disclosure and promptly contacted the developer after discovering the issue. The developer was contacted on March 5, 2009, and no response was received. A fix was silently released on April 20, 2009. Install the latest CoolPreviews version. This is available from the Mozilla Add-ons website (https://addons.mozilla.org/en-US/firefox/addon/2207).

+---+
|Credit|
+---+
Discovered and advised to the CoolPreviews vendor March 2009 by Roberto Suggi Liverani of Security-Assessment.com.
Personal Page: http://malerisch.net/

For full details regarding this vulnerability (including a detailed proof of concept exploit) download the PDF from our website:
http://www.security-assessment.com/files/advisories/CoolPreviews_Firefox_Extension_Security_Advisory.pdf

For more details regarding exploitation of Firefox extensions, refer to our DEFCON 17 presentation at
http://www.security-assessment.com/files/presentations/liverani_freeman_abusing_firefox_extensions_defcon17.pdf

Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom.

Roberto Suggi Liverani
Update Scanner - Firefox Extension - Chrome Privileged Code Injection
Update Scanner Chrome Privileged Code Injection

+---+
|Description|
+---+
Security-Assessment.com discovered that Update Scanner is vulnerable to Cross Site Scripting injection. Update Scanner renders scanned site content within a chrome window located at chrome://updatescan/content/diffPage.xul. A malicious web page is then able to pass arbitrary browser code, such as JavaScript, following a scan performed by Update Scanner. The browser code is directly rendered and executed in the chrome privileged Firefox zone related to Update Scanner. Update Scanner performs input data filtering by stripping script tags, but this is not enough to prevent JavaScript code execution. For example, it is possible to trigger JavaScript code execution by using event handlers such as "onerror".

+---+
|Exploitation|
+---+
This vulnerability can be exploited in several ways. As the injection point is in the chrome privileged browser zone, it is possible to bypass Same Origin Policy (SOP) protections, and also to access Mozilla built-in XPCOM components. XPCOM components can be used to read from and write to the file system, as well as to execute arbitrary commands, steal stored passwords, or modify other Firefox extensions.

+---+
|Solution|
+---+
Security-Assessment.com follows responsible disclosure and promptly contacted the developer after discovering the issue. The developer was contacted on June 8, 2009, and a response was received on June 11. A fix was released on June 15, 2009. Install the latest Update Scanner version. This is available from the Mozilla Add-ons web site (https://addons.mozilla.org/en-US/firefox/addon/3362).

+---+
|Credit|
+---+
Discovered and advised to the Update Scanner developer June 2009 by Roberto Suggi Liverani of Security-Assessment.com.
Personal Page: http://malerisch.net/

For full details regarding this vulnerability (including a detailed proof of concept exploit) download the PDF from our website:
http://www.security-assessment.com/files/advisories/Update_Scanner_Firefox_Extension_Security_Advisory.pdf

For more details regarding exploitation of Firefox extensions, refer to our DEFCON 17 presentation at
http://www.security-assessment.com/files/presentations/liverani_freeman_abusing_firefox_extensions_defcon17.pdf

Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom.

Roberto Suggi Liverani
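An added example, not code from CoolPreviews or Update Scanner, covering the two extension advisories above: the script-tag-only filter (an assumed reconstruction of the behaviour the Update Scanner advisory describes) beside a check that still flags the surviving onerror handler, an escaping function that renders scanned content as inert text in the chrome document, and a scheme allowlist that refuses the data: URI a CoolPreviews stack entry could carry. It runs under Node.js; the sample markup is constructed.

```javascript
// Added example (not CoolPreviews' or Update Scanner's own code): defensive
// handling for untrusted content that an extension renders in a chrome window.

// The weak filter the Update Scanner advisory describes (assumed reconstruction):
// only <script> blocks are removed, so inline event handlers survive untouched.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Detection: does markup still carry something that can execute in chrome?
// Inline handlers (onerror, onload, ...), script elements, and javascript:/data:
// URLs in src/href attributes are the cases that matter for these advisories.
const ACTIVE_CONTENT =
  /<script\b|\son[a-z]+\s*=|(?:src|href)\s*=\s*["']?\s*(?:javascript|data):/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Hardened form for the diff page: untrusted text is escaped, so it is shown
// as text and can never create elements or attributes in the chrome document.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// CoolPreviews rendered the linked target inside a chrome window; a data: URI
// was enough to deliver markup. Only http(s) targets should reach such a window.
function isSafePreviewUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (e) {
    return false; // unparsable input is refused, not previewed
  }
}

// Constructed sample: a scanned page whose diff contains a script block and an
// image with an onerror handler, the case the Update Scanner advisory names.
const SAMPLE_DIFF =
  '<p>changed text</p><script>x()</script><img src="x" onerror="alert(1)">';

const filtered = stripScriptTags(SAMPLE_DIFF);
console.log("after script stripping, still active:", containsActiveContent(filtered));
console.log("after escaping, contains markup:", escapeHtml(SAMPLE_DIFF).includes("<"));
console.log("data: preview allowed:", isSafePreviewUrl("data:text/html,<b>x</b>"));
```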