Scarier than the Calabash Brothers: Baidu SDK vulnerability across all its Android apps – WormHole vulnerability analysis report

Source: www.myhack58.com (MYHACK58:62201568615), author: 佚名 (anonymous), published Nov 04, 2015

APP vulnerability discovery and Android reverse analysis by droidsec

"You can't have a back door in the software because you can't have a back door that's only for the good guys." – Apple CEO Tim Cook

0x00 Preface

Anyone who came to network security early will remember the RPC (Blaster), WebDAV and similar remote attack vulnerabilities and the worms that grew out of them. A hacker only had to write a program that scanned the network for machines with a specific port open and then sent the corresponding remote attack code to take control of the host; from the controlled host the program could scan for and attack further machines. Because the vulnerability lay in the host itself, fixing it required installing a patch first, and because many people did not upgrade the system or install patches in time, these vulnerabilities and worms affected a huge number of machines for a very long time. Some worms infected a million servers worldwide, causing very serious losses to enterprises and users.

After Android was released, we kept dreaming of finding a vulnerability as powerful as those remote attacks on the PC, but the Android system opens no ports by default and apps that open socket ports are very rare, so a vulnerability as serious as on the PC seemed unlikely. Unfortunately there is no absolute security in this world: among those few rare ports we really did find a very serious remotely exploitable socket vulnerability, affecting multiple apps with over a billion users in total. We named it the WormHole vulnerability.

0x01 Impact and harm

How serious is the WormHole vulnerability? Take a look at our list of affected apps (the statistics are not complete):

Baidu Map, detected version 8.7

Baidu Mobile Assistant, detected version 6.6.0

Baidu Browser, detected version 6.1.13.0

Mobile Baidu, detected version 6.9

hao123, detected version 6.1

Baidu Music, detected version 5.6.5.0

Baidu Tieba, detected version 6.9.2

Baidu Cloud, detected version 7.8

Baidu Video, detected version 7.18.1

Android Market, detected version 6.0.86

Baidu News, detected version 5.4.0.0

iQiyi, detected version 6.0

LeTV Video, detected version 5.9

This list was compiled on 14 October 2015 from the then-latest versions of these Baidu apps; in theory every version of these apps at or below the detected version is exposed to remote attack. According to the Analysys rankings:

![](/Article/UploadPic/2015-11/2015114151313455.png)

You can see that Mobile Baidu, Baidu Mobile Assistant, Baidu Map and the other Baidu apps each have millions of downloads and installs, adding up to more than three million active users.

What are the consequences and harm of having these Baidu apps installed?

  1. Whether the phone is on a Wi-Fi wireless network or a 3G/4G cellular network, as long as it is online it can be attacked. The attacker does not need to touch the phone beforehand and does not need DNS spoofing.
  2. The vulnerability depends only on the app, not on the system version; all tests on Google's latest Android 6.0 succeeded.
  3. The vulnerability allows the following attack results:
  • Remote silent installation of an application
  • Remote launch of any application
  • Remote opening of any web page
  • Remote silent addition of a contact
  • Remote retrieval of the user's GPS location / IMEI / installed application information
  • Remote sending of any intent broadcast
  • Remote reading and writing of files, etc.

Below is a video demo (the video I made turned out poorly; the following demo video is from Leiphone):

http://v.qq.com/page/f/5/v/f01705fjy5v.html

0x02 Vulnerability analysis

After installing a Baidu app, connect to the phone through adb shell and run netstat: you will find that the phone has ports 40310/6259 open, and any IP can connect to them.

![](/Article/UploadPic/2015-11/2015114151313268.png)

It turns out that the port is opened by a nano http service in the Java layer, which Baidu named the "immortal service" (immortal/undead). Why immortal? Because the service keeps running in the background, and if several apps with the WormHole vulnerability are installed on the phone, they periodically check ports 40310/6259: if the app currently listening on 40310/6259 is uninstalled, another app immediately starts the service and listens on 40310/6259 again.
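As an added defender-side check (not code from the original article), here is a small Python parser for `netstat -an` output pulled through adb shell: it flags sockets listening on 40310/6259 and distinguishes binds on all interfaces (reachable from the network) from loopback-only binds. The sample netstat output is constructed, not captured from a real device.

```python
from typing import List, Tuple

# Ports the article reports the Baidu "immortal" nano http service listening on.
WORMHOLE_PORTS = {40310, 6259}

# Bind addresses that accept connections from any interface.
ANY_ADDR = {"0.0.0.0", "::", "*"}

# Constructed sample of `adb shell netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:40310           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6259          0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:40310         203.0.113.5:51234       ESTABLISHED
tcp6       0      0 :::6259                 :::*                    LISTEN
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
"""


def _split_addr(addr: str) -> Tuple[str, int]:
    """Split 'host:port' (IPv4, or IPv6 such as ':::6259') into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def find_wormhole_listeners(netstat_output: str) -> List[Tuple[str, int, str]]:
    """Return (bind_address, port, severity) for every LISTEN socket on a
    WormHole port. Severity is 'exposed' when bound to all interfaces and
    'loopback' when bound to 127.0.0.1 only (a local-only bind cannot be
    reached from the network, which is the fix the article implies)."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Only listening sockets matter; established connections are skipped.
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        host, port = _split_addr(fields[3])
        if port not in WORMHOLE_PORTS:
            continue
        severity = "exposed" if host in ANY_ADDR else "loopback"
        findings.append((host, port, severity))
    return findings


if __name__ == "__main__":
    for host, port, severity in find_wormhole_listeners(SAMPLE_NETSTAT):
        print(f"{host}:{port} -> {severity}")
```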


Continuing the analysis, the entire immortal service is actually an HTTP service. The function that accepts data does perform some validation, for example requiring the HTTP header remote-addr field to be "127.0.0.1", but anyone with a little web knowledge knows that a forged header is enough to make the remote-addr field read "127.0.0.1".
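The following Python snippet is an added illustration (not the SDK's own code) of why the check described above fails: the vulnerable pattern trusts a client-supplied remote-addr header, while the hardened pattern uses the peer address the kernel reports for the accepted socket, or avoids the question entirely by binding to loopback. The request bytes and peer address are constructed for the example.

```python
import socket
from typing import Dict, Tuple

# Constructed request as it might arrive from a non-local client; the
# remote-addr header is attacker-controlled, the peer tuple is not.
FORGED_REQUEST = (
    b"GET /geolocation HTTP/1.1\r\n"
    b"Host: 192.0.2.10:40310\r\n"
    b"remote-addr: 127.0.0.1\r\n"
    b"\r\n"
)
REMOTE_PEER = ("203.0.113.5", 51234)  # constructed TEST-NET address


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse HTTP request headers into a lower-cased dict (body ignored)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_local_by_header(raw: bytes) -> bool:
    """Vulnerable pattern: trusts a header that any client can set."""
    return parse_headers(raw).get("remote-addr") == "127.0.0.1"


def is_local_by_peer(peer: Tuple[str, int]) -> bool:
    """Hardened pattern: uses the socket peer address (socket.accept()
    result), which the client cannot forge."""
    return peer[0] in ("127.0.0.1", "::1")


def accept_command(raw: bytes, peer: Tuple[str, int], hardened: bool) -> bool:
    """Decide whether the service would act on this request."""
    return is_local_by_peer(peer) if hardened else is_local_by_header(raw)


def bind_loopback_only(port: int) -> socket.socket:
    """Strongest fix: never listen on 0.0.0.0. Bound to loopback, the
    service is unreachable from Wi-Fi or cellular networks at all."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(1)
    return s
```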

![](/Article/UploadPic/2015-11/2015114151313642.png)

Once you can communicate with the HTTP server, you can pass instructions to the app through the URL. Taking Baidu Map as an example, the following disassembled code shows the remote control instructions present in the Baidu Map app:

![](/Article/UploadPic/2015-11/2015114151313306.png)

  1. geolocation: get the user's GPS location, city, longitude and latitude
  2. getsearchboxinfo: get the Mobile Baidu version information
  3. getapn: get the current network status (WIFI/3G/4G, operator)
  4. getserviceinfo: get information about the application providing the nano http service
  5. getpackageinfo: get version information of applications on the phone
  6. sendintent: send an arbitrary intent, which can be used to open a web page or interact with other apps
  7. getcuid: get the IMEI
  8. getlocstring: get local string information
  9. scandownloadfile: scan downloaded files (UCDownloads/QQDownloads/360Download…)
  10. addcontactinfo: add a contact to the phone
  11. getapplist: get information on all installed apps
  12. downloadfile: download an arbitrary file to a specified path; if the file is an apk, install it
  13. uploadfile: upload an arbitrary file to a specified path; if the file is an apk, install it
