Did Baidu really fix all of the WormHole vulnerabilities? - vulnerability warning - Black Bar Safety Net

Published 2015-11-05, author: anonymous (佚名), source: www.myhack58.com (article MYHACK58:62201568641)

"You can’t have a back door in the software because you can’t have a back door that’s only for the good guys." - Apple CEO Tim Cook
0x0 Course of events

The Baidu WormHole vulnerability has recently caused an uproar. It affects hundreds of millions of users nationwide and a large number of apps: as long as a Baidu-related app is installed and the phone is connected to a network, the phone is at risk of being controlled. Below we recap how the events unfolded:

October 14: remote vulnerabilities in Baidu Map / Baidu Input Method were submitted to the Black Cloud (WooYun) platform; the vendor confirmed them, and details were not disclosed.

![](/Article/UploadPic/2015-11/201511593958378.png?www.myhack58.com)

October 20: the white hat Steamed Rice posted on his microblog that he had found a vulnerability affecting a billion Android users: as long as a vulnerable app is installed and the phone is connected to a network, it is at risk of attack, and he posted a video verifying that the attack is indeed feasible.

![](/Article/UploadPic/2015-11/201511593958640.png?www.myhack58.com)

November 1: Trend Micro released an analysis report stating that they had detected malicious samples (ANDROIDOS_WORMHOLE.HRXA) which use the Moplus SDK to automatically and periodically download applications the user does not want; once these applications are downloaded to the device, they are installed automatically if the device is rooted. Other vendors' apps that use the Baidu Moplus SDK are also at risk of being attacked through the vulnerability;

November 2: the discoverer of the vulnerability also published a vulnerability analysis report on Black Cloud (WooYun), again without disclosing details; at the same time a Baidu representative claimed that all of the vulnerability issues had been resolved before October 30;

![](/Article/UploadPic/2015-11/201511593958553.png?www.myhack58.com)

November 2: at the same time we started an emergency response to the vulnerability event. After overtime analysis we constructed a PoC, and we found that the fix status of each Baidu product is slightly different: some products may still not have fixed the vulnerability completely, or have not taken any fix action at all, for example Baidu Input Method, the earliest one exposed;

The following is a demonstration video we recorded: with only the latest version of Baidu Input Method installed, by accessing the open port 6259 through a browser you can control some operations of the phone:

0x1 Vulnerability analysis

1. Analysis of the historical vulnerability

   We analyzed the vulnerable versions of the apps. Their main functionality is in the Moplus SDK, which in most cases opens port 40310 or 6259, and possibly other ports as well (who knows?).

   ![](/Article/UploadPic/2015-11/20151159400818.png?www.myhack58.com)

   We also found that in the case of Baidu Map, accessing port 7000 from a mobile browser returns the phone's current location information, and in Baidu Map's current new version (8.7.5) this port is still open:

   ![](/Article/UploadPic/2015-11/20151159400763.png?www.myhack58.com)

   The core functions exposed by the vulnerability are as follows:

   ![](/Article/UploadPic/2015-11/20151159400715.png?www.myhack58.com)

   - geolocation: get the phone's GPS location (city, longitude, latitude)
   - getsearchboxinfo: get the Baidu app's version information
   - getapn: get the current network conditions (WIFI/3G/4G operator)
   - getserviceinfo: get information about the app providing the nano http service
   - getpackageinfo: get version information of applications on the phone
   - sendintent: send an arbitrary intent
   - getcuid: get the IMEI
   - getlocstring: get local string information
   - scandownloadfile: scan downloaded files (UCDownloads/QQDownloads/360Download…)
   - addcontactinfo: add a contact to the phone
   - getapplist: get information on all installed apps
   - downloadfile: download an arbitrary file to a specified path; if the file is an APK, install it
   - uploadfile: upload an arbitrary file to a specified path; if the file is an APK, install it

   However, the Moplus SDK code only performs a simple check on the HTTP headers, such as checking whether remote-addr is 127.0.0.1. Exploiting this vulnerability is therefore extremely simple: knowing the IP of the target phone, all you need is a browser with the appropriate HTTP headers set, and you can control some operations of the phone;

   ![](/Article/UploadPic/2015-11/20151159400168.png?www.myhack58.com)

2. Analysis of Baidu Input Method after the fix

   We tested some of Baidu's products and found that their fix mostly consists of cutting out some of the dangerous functions (the functions inside the box in the figure below) and closing the open ports (6259 | 40310). The fix details differ slightly from product to product, and the functions that were cut may also differ;

![](/Article/UploadPic/2015-11/20151159400459.png?www.myhack58.com)
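The weak origin check described in section 0x1 (trusting a client-supplied header such as remote-addr instead of the address the socket actually reports) shown next to the hardened check, as an added illustration written for this page; it is not Moplus SDK code and models only the trust decision. The request bytes, the private addresses and the /getapplist path are constructed for the demo.

```python
from typing import Dict, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def weak_is_local(headers: Dict[str, str]) -> bool:
    """Vulnerable pattern: trust a client-supplied header as the source address.
    Any host that can reach the port can add this header, so it proves nothing."""
    return headers.get("remote-addr") == "127.0.0.1"


def strict_is_local(peer_ip: str) -> bool:
    """Hardened pattern: use the address the TCP stack reported for the socket
    (better still, bind the listener to 127.0.0.1 so remote peers never connect)."""
    return peer_ip in ("127.0.0.1", "::1")


# Constructed request from a LAN peer (192.168.1.20) that forges the header so
# the call looks local; the /getapplist path is a placeholder, not the SDK's format.
FORGED_REQUEST = (
    b"GET /getapplist HTTP/1.1\r\n"
    b"Host: 192.168.1.5:6259\r\n"
    b"remote-addr: 127.0.0.1\r\n"
    b"\r\n"
)
PEER_IP = "192.168.1.20"  # constructed: what accept() actually reported


def decide(raw: bytes, peer_ip: str) -> Dict[str, bool]:
    """Return each check's verdict for the same request."""
    _method, _path, headers = parse_request(raw)
    return {"weak": weak_is_local(headers), "strict": strict_is_local(peer_ip)}


if __name__ == "__main__":
    print(decide(FORGED_REQUEST, PEER_IP))  # {'weak': True, 'strict': False}
```

The header-based check accepts the forged LAN request while the peer-address check rejects it, which is why removing functions and closing ports, as described above, matters more than any header filtering.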
