Bug that grants admin rights to malware found in Maxthon, China's favorite browser

Hundreds of millions of Maxthon users allegedly impacted.


An easy-to-exploit vulnerability exists in Maxthon, China's most popular web browser, according to a report shared today with ZDNet by cyber-security firm SafeBreach.

The vulnerability allows malware to obtain admin rights and boot persistence with the help of one of Maxthon's components.

SafeBreach researchers reported the vulnerability to Maxthon developers at the start of September. A Maxthon spokesperson told ZDNet that the issue has been fixed in Maxthon 5.3.8.1600 beta, which will be released on the stable channel next week.

According to its website, the Maxthon browser is installed on more than 670 million computers, most of these being Windows systems in China.

Vulnerability details: CVE-2019-16647

The vulnerability is what security researchers call an "unquoted service path." Unquoted service path bugs are some of the oldest security issues known to have impacted Windows applications.

They are basic coding bugs where developers start an application from within another application using a path that is correct but contains spaces and is not wrapped in quotes, hence the name "unquoted service path."

In Maxthon's case, the browser's main app loads a secondary service called MxService.exe from the "C:\Program Files (x86)\Maxthon5\Bin\MxService.exe" path.

However, the space character in "Program Files" allows a malware author to drop a malicious file at "C:\Program.exe".

Because of the space in the app's path and how Windows works, the OS will first try to load the "C:\Program.exe" app before loading the actual MxService.exe from the correct location.

Since Maxthon starts MxService.exe on every OS boot and with the highest SYSTEM-level access, this bug allows malware authors to gain admin rights on every computer they manage to infect and where a Maxthon browser is installed.

According to SafeBreach, the issue impacts all Maxthon 5.x versions, including the most recent release. A Maxthon spokesperson did not return a request for comment ZDNet sent yesterday, seeking details about an upcoming patch.

Unquoted service path, a neverending story

This type of vulnerability should take a few seconds to fix: it involves adding proper quotes around MxService.exe's binary path in Maxthon's source code.
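The search order described in the vulnerability details, and the effect of the quoting fix, shown as an added Python audit example (not code from SafeBreach, Maxthon or ZDNet). It follows the documented CreateProcess rule for unquoted command lines; the service names and the sample table are constructed for illustration.

```python
import re

def hijack_candidates(image_path: str) -> list[str]:
    """Paths Windows would try before the intended service binary.

    For an unquoted command line, CreateProcess tries each space-delimited
    prefix in turn, appending ".exe" when the prefix has no extension.
    """
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return []  # quoted: the executable name is unambiguous
    # Cut at the first ".exe" followed by whitespace or end of string so
    # service arguments are ignored. If none is found, the whole string is
    # treated as the path, which can only over-report.
    m = re.search(r"\.exe(?=\s|$)", cmd, re.IGNORECASE)
    exe = cmd[: m.end()] if m else cmd
    parts = exe.split(" ")
    found = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i]).rstrip()
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        if prefix not in found:
            found.append(prefix)
    return found

def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each service with an ambiguous path to the paths tried first."""
    return {name: c for name, path in services.items()
            if (c := hijack_candidates(path))}

# Constructed sample of service name -> binary path. The MxService path is
# the one quoted in the article; the service names are assumptions.
SAMPLE = {
    "MxService (unquoted)": r"C:\Program Files (x86)\Maxthon5\Bin\MxService.exe",
    "MxService (quoted fix)": r'"C:\Program Files (x86)\Maxthon5\Bin\MxService.exe"',
    "svchost": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE).items():
        print(f"{name}: Windows tries {paths} first")
```

Only the unquoted entry is reported. The same function can be pointed at the ImagePath values exported from a host's service configuration to find other services with this flaw.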

"It is so thoroughly documented that you would expect programmers to be well aware of the vulnerability," said Michael Gorelik, CTO at cyber-security firm Morphisec, in a blog post about a different unquoted service path vulnerability, this time in iTunes for Windows.

Multiple scripts and programming resources exist to help developers avoid this type of vulnerability [1, 2, 3].

However, despite this, programmers continue to make the same mistake, decades after unquoted service path vulnerabilities were first documented.

Some of the world's biggest tech companies and open-source projects have shipped software vulnerable to unquoted service path vulnerabilities in the past few years. From Dell to Intel, and from Forcepoint to BIND, they've all done it.

Many security experts have downplayed such bugs in the past, primarily because they require attackers to compromise a host before being exploitable.

However, this doesn't make the bugs less important. For example, the BitPaymer ransomware gang used an unquoted service path vulnerability they found in iTunes for Windows over the summer to gain admin rights on the system they infected.

The CVE-2019-16647 unquoted service path vulnerability in Maxthon is pretty important, not because of the bug's complexity, but because of the browser's huge install base. Cyber-crime groups will most likely find a way to weaponize this bug in the same way the BitPaymer gang used the one in iTunes.