maxthon_mulvulns.txt
Posted Apr 17, 2005
Authored by Aviv Raff | Site raffon.net

Maxthon (essentially a wrapper for Internet Explorer to allow tabbed browsing, plugins, etc.) can be exploited by a malicious website to read and write arbitrary local files on the machine running it.

tags | advisory, arbitrary, local
SHA-256 | 2ff28f0629769068a8a4d27d251a092c75a2951bd09734d553331d287e6d1042


Maxthon browser multiple vulnerabilities advisory


URL: http://www.raffon.net/advisories/maxthon/multvulns.html
Date: April 08, 2005
Author: Aviv Raff


Introduction

"Maxthon Internet Browser software is a powerful tabbed browser with a
highly customizable interface. It is based on the Internet Explorer browser
engine..." (From Maxthon website <http://www.maxthon.com/> ).
To enhance the user experience, Maxthon uses a plug-in model. Maxthon exposes
an API that allows plug-ins to read and write files. These functions allow
plug-ins to perform those operations on any directory of the computer
running Maxthon. Moreover, in order to call Maxthon's API functions from a
plug-in, a "secure id" must be provided. This id can be easily fetched, and
therefore the API functions can be called from any web site the user visits.


Technical Details

1) Maxthon's plug-ins use the readFile and writeFile API functions to read
and write files in the plug-in's directory. Because directory traversal
character sequences are not validated, the same functions can read and write
files in any other directory.
2) Maxthon only allows API functions to be called when the "security id" of
a plug-in is provided. The "security id" of a plug-in is auto-generated when
the plug-in is used for the first time in the current Maxthon session. Side
bar plug-ins include the "security id" in a file named "max.src" in the
plug-in's directory. By including this file in a script on a web page, it is
possible to call functions that read and write local files, manage tabs,
etc.

A combination of the above vulnerabilities could potentially be exploited to
allow remote code execution.
Tested versions: 1.2.0; 1.2.1
Older versions might also be affected.


Proof of Concept

The following is a local file reading proof of concept.
A default Maxthon installation is assumed, and that the M2Bookmark side bar
plug-in (installed by default) has already been used in the current Maxthon
session.
http://www.raffon.net/advisories/maxthon/nosecidpoc.html



Timetable

27-Mar-2005: Vendor informed.
28-Mar-2005: Vendor confirmed vulnerability.
08-Apr-2005: Vendor published a fixed version.
08-Apr-2005: Public disclosure.



Solution

Upgrade to version 1.2.2.



Disclaimer: The information in this advisory and any of its demonstrations
is provided "as is" without warranty of any kind.

-- Copyright © 2005 Aviv Raff. --

