A Baidu full-suite APP SDK vulnerability scarier than the Calabash Brothers (葫芦娃) - WormHole wormhole vulnerability analysis report

Nov 03, 2015
瘦蛟舞, 蒸米
www.myhack58.com
"You can't have a back door in the software because you can't have a back door that's only for the good guys." - Apple CEO Tim Cook
0x00 Preface
Anyone who got into network security early enough will remember the RPC (Blaster), WebDAV and other remote attack vulnerabilities and the worms that followed them. An attacker only had to write a program that scanned the network for machines with a specific port open and then sent the matching remote attack code to take control of the host; once under control, that host ran the same program to scan and attack further machines. Because the vulnerability lay in the host itself, fixing it meant installing a patch first, and since many people did not upgrade their systems or install patches in time, these vulnerabilities and worms affected a large number of machines for a very long time. Some worms even infected millions of servers worldwide and caused very serious losses to enterprises and users.
Ever since Android was released we have dreamed of finding a remote attack vulnerability as powerful as those on the PC, but an Android system opens no ports by default and APPs that open socket ports are very scarce, so a vulnerability as serious as the PC ones seemed unlikely. Unfortunately there is no absolute security in this world: among those few scarce ports we really did find a very serious socket remote attack vulnerability, one that affects several APPs with more than a billion users in total. We call it the WormHole (wormhole) vulnerability.
0x01 Impact and harm
How serious is the WormHole vulnerability? Take a look at our statistics on the affected APPs (the list is not exhaustive):
Baidu Map, detected version 8.7
Baidu Mobile Assistant, detected version 6.6.0
Baidu Browser, detected version 6.1.13.0
Mobile Baidu (手机百度), detected version 6.9
hao123, detected version 6.1
Baidu Music, detected version 5.6.5.0
Baidu Tieba, detected version 6.9.2
Baidu Cloud, detected version 7.8
Baidu Video, detected version 7.18.1
Android Market, detected version 6.0.86
Baidu News, detected version 5.4.0.0
iQIYI, detected version 6.0
LeTV Video, detected version 5.9
... (see the Appendix for the complete list)
This list records the latest versions of Baidu's APPs as of October 14, 2015; in principle every one of these Baidu APPs at or below the detected version is at risk of remote attack. According to the Analysys ranking:
![Analysys ranking of Baidu APPs](/Article/UploadPic/2015-11/201511331637723.png)
As you can see, Mobile Baidu, Baidu Mobile Assistant, Baidu Map and the other Baidu APPs each have millions of downloads and installs, and together they add up to more than three million active users.
What are the consequences of having these Baidu APPs installed?
Whether on a Wi-Fi wireless network or a 3G/4G cellular network, as long as the phone is online it can be attacked. The attacker needs neither prior physical access to the phone nor DNS spoofing.
This vulnerability depends only on the APP, not on the system version; all tests on Google's latest Android 6.0 succeeded.
The vulnerability makes the following attacks possible:
Remotely and silently install an application
Remotely start any application
Remotely open any web page
Remotely and silently add a contact
Remotely obtain the user's GPS location / IMEI / list of installed applications
Remotely send any intent broadcast
Remotely read and write files, and so on
Below is a video demo:

My own recording turned out poorly, so the demo video below is the one published by Leiphone:
http://www.leiphone.com/news/201510/abTSIxRjPmIibScW.html

0x02 Vulnerability analysis
Install one of Baidu's APPs, connect to the phone with adb shell and run netstat: you will find that the phone has opened ports 40310/6259 and that any IP can connect to them.
![netstat output showing ports 40310 and 6259 open](/Article/UploadPic/2015-11/201511331637678.png)
It turned out that the ports are opened by a nano http (NanoHTTPD) service in the Java layer, which Baidu named the Immortal Service (不死服务). Why "immortal"? Because the service keeps running in the background, and if several APPs with the wormhole vulnerability are installed on the phone, they periodically check ports 40310/6259: if the APP listening on 40310/6259 is uninstalled, another APP immediately starts the service and listens on 40310/6259 again.
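The netstat check described above can be turned into a repeatable audit. The following is an added example (not code from the original report or from Baidu): it parses the kind of output `adb shell netstat -an` prints and flags LISTEN sockets on the two ports named in this report whose local address is a wildcard, meaning they are reachable from the network rather than only from the phone itself. The netstat lines are constructed sample input, not output captured from a real device.

```python
"""Added example: flag APP-opened sockets that listen on all interfaces.

Reads netstat-style text and reports any LISTEN socket on a watched port
(40310 and 6259 from this report) bound to a wildcard address (0.0.0.0 or ::).
A loopback-only listener (127.0.0.1) is not reported, because the network
cannot reach it.
"""

WATCHED_PORTS = {40310, 6259}
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}

# Constructed sample (not captured from a device): one wildcard listener per
# watched port, one loopback-only listener that must NOT be flagged, and an
# unrelated established connection that must be ignored.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:40310           0.0.0.0:*               LISTEN
tcp6       0      0 :::6259                 :::*                    LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:43210         93.184.216.34:443       ESTABLISHED
"""


def split_host_port(addr):
    """Split 'host:port'; rpartition keeps IPv6 hosts such as '::' intact."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def exposed_listeners(netstat_text, ports=WATCHED_PORTS):
    """Return (proto, host, port) for LISTEN sockets on watched ports bound to a wildcard."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have six columns; the last one is the socket state.
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        host, port = split_host_port(local)
        if port in ports and host in WILDCARD_HOSTS:
            findings.append((proto, host, port))
    return findings


if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"network-reachable listener: {proto} {host}:{port}")
```

On a real device, pipe `adb shell netstat -an` into `exposed_listeners` instead of the constructed sample; the loopback-only row shows what the service would look like if it were bound safely.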
Continuing the analysis: the whole Immortal Service is really an HTTP service, but the function that accepts data does perform some validation, for example it requires the HTTP header field remote-addr to be "127.0.0.1". Anyone with a little web knowledge will see that forging the header information is enough to make the remote-addr field read "127.0.0.1".
![Immortal Service request handling code checking the remote-addr header](/Article/UploadPic/2015-11/201511331637396.png)
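To make the flaw in that check concrete, here is an added example (not the Immortal Service's code, and not from the original report): it places the header-based decision the report describes next to the check that actually holds up, the peer address the kernel reports for the accepted connection, and shows the loopback-only bind that keeps such a service off the network entirely. The request bytes and peer tuples are constructed sample input.

```python
"""Added example: a 'Remote-Addr: 127.0.0.1' header check is not access control.

is_local_by_header() models the flawed decision: whatever the client writes in
the header is believed. is_local_by_peer() models the sound decision: the
address returned by accept()/getpeername() cannot be set by the client.
bind_loopback_only() shows the configuration that removes the exposure.
"""
import socket


def parse_headers(raw):
    """Parse the header block of an HTTP/1.x request into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_local_by_header(raw):
    """Flawed: trusts a client-controlled header to decide the caller is local."""
    return parse_headers(raw).get("remote-addr") == "127.0.0.1"


def is_local_by_peer(peer):
    """Sound: uses the kernel-reported peer address of the accepted socket."""
    return peer[0] in ("127.0.0.1", "::1", "::ffff:127.0.0.1")


# Constructed: a request arriving from the network that claims to be local.
SPOOFED_REQUEST = (
    b"GET /geolocation HTTP/1.1\r\n"
    b"Host: 10.0.2.15:40310\r\n"
    b"Remote-Addr: 127.0.0.1\r\n"
    b"\r\n"
)
REMOTE_PEER = ("10.0.2.2", 51234)   # constructed: what accept() would report
LOCAL_PEER = ("127.0.0.1", 51235)   # constructed: a genuine loopback client


def bind_loopback_only(port=0):
    """Bind the listener to 127.0.0.1 so the network cannot reach it at all.
    port=0 lets the OS pick a free port so the example runs anywhere."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def demo():
    """Return the three decisions plus the address a safe bind ends up on."""
    results = {
        "header_check_fooled": is_local_by_header(SPOOFED_REQUEST),  # True
        "peer_check_remote": is_local_by_peer(REMOTE_PEER),          # False
        "peer_check_local": is_local_by_peer(LOCAL_PEER),            # True
    }
    srv = bind_loopback_only()
    results["bound_host"] = srv.getsockname()[0]
    srv.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The spoofed request passes the header check and fails the peer check; a service that only ever needs local callers should not have to make either decision, because binding to 127.0.0.1 instead of 0.0.0.0 means remote hosts never reach the accept() call.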
