APP vulnerability discovery, Android reverse analysis, by droidsec
"You can't have a back door in the software because you can't have a back door that's only for the good guys." – Apple CEO Tim Cook
Those who came into contact with network security in the early days will remember remote attack vulnerabilities such as RPC (Blaster) and WebDAV and the worms that followed them. A hacker only needed to write a program that scanned the network for machines with a specific port open and then sent the corresponding remote attack code to take control of the host; once under control, that host could go on scanning and attacking other machines. Because the vulnerability lay in the host itself, fixing it required installing the patch first, but since many people did not upgrade their systems or install patches in time, such vulnerabilities and worms affected a large number of machines for a very long time. Some worms infected millions of servers around the world, causing very serious losses to enterprises and users.
After Android was released we kept dreaming of finding a remote attack vulnerability as powerful as those on the PC, but an Android system opens no ports by default, and apps that open socket ports are also very rare, so a vulnerability as serious as those on the PC seemed unlikely. Unfortunately there is no absolute security in this world: among those few rare ports we really did find a very serious remote socket attack vulnerability, affecting multiple apps with over a billion users. We named this vulnerability WormHole.
How serious is the WormHole vulnerability? Take a look at our statistics of the affected apps (the list is not complete):
Baidu Map, detected version 8.7
Baidu Mobile Assistant, detected version 6.6.0
Baidu Browser, detected version 6.1.13.0
Mobile Baidu, detected version 6.9
hao123, detected version 6.1
Baidu Music, detected version 5.6.5.0
Baidu Tieba, detected version 6.9.2
Baidu Cloud, detected version 7.8
Baidu Video, detected version 7.18.1
Android Market, detected version 6.0.86
Baidu News, detected version 5.4.0.0
iQiyi, detected version 6.0
LeTV Video, detected version 5.9
This list was compiled on 14 October 2015 against the latest versions of the Baidu family of apps; in theory, every version of these Baidu apps at or below the detected version is exposed to remote attack. According to Analysys's rankings:
![](/Article/UploadPic/2015-11/2015114151313455.png)
As you can see, Mobile Baidu, Baidu Mobile Assistant, Baidu Map and the other Baidu apps each have millions of downloads and installs, and together they add up to more than three million active users.
What are the consequences and harm of installing these Baidu apps?
Below is a demo video (my own recording came out poorly; the demo video below is from Leiphone):
http://v.qq.com/page/f/5/v/f01705fjy5v.html
After installing a Baidu app, connect to your phone over adb shell and run netstat: you will find that the phone has opened ports 40310/6259, and any IP can connect to them.
![](/Article/UploadPic/2015-11/2015114151313268.png)
It turns out that the port is opened by a NanoHTTPD HTTP service in the Java layer, which Baidu named the immortal service (immortal/undead). Why "immortal"? Because the service keeps running in the background, and if several apps with the WormHole vulnerability are installed on your phone, each of them periodically checks ports 40310/6259; if the app listening on 40310/6259 is uninstalled, another app immediately starts the service and listens on 40310/6259 again.
Continuing the analysis, the whole immortal service is really just an HTTP service. The function that accepts data does perform some validation, such as checking that the HTTP header field remote-addr is "127.0.0.1", but anyone with a little web knowledge knows that as long as you forge the header, you can make the remote-addr field read "127.0.0.1".
![](/Article/UploadPic/2015-11/2015114151313642.png)
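The weakness described above is that the origin check reads a client-supplied header instead of the connection's real peer address. The following is an added example, not code from the article or from the Baidu service, showing that weak pattern beside the defensive one (use the socket's peer address, and bind the listener to loopback so the port is not reachable from the network at all); all names are illustrative.

```python
# Added example: a client-controlled "remote-addr" header vs. the real peer address.
# Not the Immortal/NanoHTTPD service's own code; function names are illustrative.
from http.server import BaseHTTPRequestHandler, HTTPServer

LOOPBACK = "127.0.0.1"

def header_check_allows(headers):
    """Weak check: any client can send this header, so it proves nothing."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("remote-addr", "").strip() == LOOPBACK

def peer_check_allows(peer_ip):
    """Stronger check: the kernel reports who connected; headers cannot change it."""
    return peer_ip == LOOPBACK

def listener_is_exposed(bind_host):
    """True when a socket bound to this host is reachable from other machines."""
    return bind_host in ("", "0.0.0.0", "::")

class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Handler that applies the peer check and ignores header contents."""
    def do_GET(self):
        if not peer_check_allows(self.client_address[0]):
            self.send_error(403, "local clients only")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")

def serve_local_only(port):
    """Bind to loopback only, so the port never shows up on a network interface."""
    return HTTPServer((LOOPBACK, port), LocalOnlyHandler)

if __name__ == "__main__":
    # Constructed request headers, as any remote client could send them.
    forged = {"Remote-Addr": "127.0.0.1", "Host": "phone:40310"}
    print("header check accepts forged header:", header_check_allows(forged))  # True
    print("peer check accepts 10.0.0.5:", peer_check_allows("10.0.0.5"))      # False
    print("0.0.0.0 listener exposed:", listener_is_exposed("0.0.0.0"))        # True
```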
Once you can talk to the HTTP server, you can pass instructions to the app through the URL. Take Baidu Map as an example; below is the disassembled code of the Baidu Map app showing the remote control instructions it accepts:
![](/Article/UploadPic/2015-11/2015114151313306.png)