Hi, Below you can find a short summary of discovered vulnerabilities in Maxthon and Avant browsers. Such vulnerabilities were demonstrated during HITBAMS2012 security conference and more recently at HackPra. Affected Products - Maxthon (www.maxthon.com) - Avant Browser (www.avantbrowser.com) Security advisories - [advisory] Maxthon multiple vulnerabilities: http://www.security-assessment.com/files/documents/advisory/Maxthon_multiple_vulnerabilities_advisory.pdf - [advisory] Avant multiple vulnerabilities: http://www.security-assessment.com/files/documents/advisory/Avant_multiple_vulnerabilities_advisory.pdf Individual security advisories, exploit modules and video links can be found below. [1] Maxthon - Cross Context Scripting - about: history - Remote Code Execution [advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html [metasploit module] https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_history_xcs.rb [demo] http://www.youtube.com/watch?v=d-55asVLqNI [2] Maxthon - Cross Context Scripting (XCS) - RSS - Remote Code Execution [advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-rss-rce.html [metasploit module] https://github.com/malerisch/metasploit-framework/blob/maxthon3/modules/exploits/windows/browser/maxthon_rss_xcs.rb [demo] http://www.youtube.com/watch?v=d-55asVLqNI [3] Maxthon - Privileged APIs on i.maxthon.com [advisory] http://blog.malerisch.net/2012/12/maxthon-privileged-api-imaxthoncom.html [demo] http://www.youtube.com/watch?v=1IqZBS0O2Hs [4] Maxthon - Cross Context Scripting (XCS) - Bookmark Toolbar and Bookmark Sidebar - Code Execution [advisory] http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-bookmark.html [demo] http://www.youtube.com/watch?v=YR0RQz45t3M [5] Maxthon - Incorrect Executable File Handling and Same Origin Policy Implementation [advisory] http://blog.malerisch.net/2012/12/maxthon-incorrect-executable-file-sop.html [6] Avant Browser - Same of Origin Policy Bypass - browser:home [advisory] http://blog.malerisch.net/2012/12/avant-browser-same-of-origin-policy.html [BeEF module] https://github.com/malerisch/beef/tree/avant_browser/modules/exploits/avant_steal_history [demo] http://www.youtube.com/watch?v=I4LiSfTmuM0 [7] Avant Browser - Stored Cross Site Scripting - Feed Reader (browser://localhost/lst?*) [advisory] http://blog.malerisch.net/2012/12/avant-browser-stored-cross-site-scripting.html [demo] http://www.youtube.com/watch?v=-mShxsspxy8 [8] Avant Browser - Cross Context Scripting - browser:home - Most Visited And History Tabs [advisory] http://blog.malerisch.net/2012/12/avant-browser-cross-context-scripting.html [demo] http://www.youtube.com/watch?v=cHHtsOpYGH4 References [presentation] HITBAMS2012 - Window Shopping: Browser Bugs Hunting in 2012 - http://www.security-assessment.com/files/documents/presentations/window_shopping_browser_bug_hunting_in_2012_roberto_suggi_liverani_scott_bell.pdf [presentation] HackPra - Cross Context Scripting attacks & exploitation - http://www.slideshare.net/robertosl81/cross-context-scripting-attacks-exploitation Any further material, comments or updates will be communicated over Twitter, at https://twitter.com/malerisch Roberto Suggi Liverani
