Did Baidu really fix all of the WormHole vulnerability? - vulnerability warning - the black bar safety net

ID MYHACK58:62201568641
Type myhack58
Reporter Anonymous
Modified 2015-11-05T00:00:00


"You can't have a back door in the software because you can't have a back door that's only for the good guys." - Apple CEO Tim Cook

0x0 Developments

Recently the Baidu WormHole vulnerability caused an uproar. It affects hundreds of millions of users nationwide, and N apps are affected: simply having a Baidu-related app installed while the phone is connected to the network puts the phone at risk of being controlled. Let us recall how the events developed:

- October 14: remote vulnerabilities in Baidu Map and Baidu Input Method were submitted to WooYun and confirmed by the vendor; details were not disclosed.
- October 20: the white hat "steamed rice" posted on Weibo that they had found a vulnerability affecting a billion Android users; simply installing a vulnerable app with the phone connected to the network puts it at risk of attack, and a video verified that it was indeed feasible.
- November 1: Trend Micro released an analysis report claiming they had detected malicious samples (ANDROIDOS_WORMHOLE.HRXA) that use the Moplus SDK to automatically and periodically download applications the user does not need; once downloaded to the device, if the device has been rooted, the app is installed automatically. Other vendors' apps that use the Baidu Moplus SDK are also exposed to attack through the vulnerability.
- November 2: the vulnerability finder also re-released the vulnerability analysis report on WooYun, with the details still undisclosed; at the same time a Baidu representative claimed that all of the vulnerability issues had been resolved before October 30.
- November 2: at the same time we started an emergency response to the vulnerability. After working overtime on the analysis we constructed a PoC, and found that the bug-fix situation differs slightly between Baidu products: some products may still not have fixed the vulnerability completely, and some have not taken any fix action at all, such as Baidu Input Method, the product exposed earliest. Below is a demo video we recorded: with just the latest version of Baidu Input Method installed, accessing the open port 6259 through a browser lets you control some operations of the phone:

0x1 Vulnerability analysis

1. Analysis of the historical vulnerability

We analyzed the vulnerable versions of the apps. The main functionality lives in the Moplus SDK; most of them open port 40310 or 6259, and possibly other ports as well (who knows?). We also found that in the case of Baidu Map, accessing port 7000 with a mobile browser returns the phone's current location information, and in the current new version of Baidu Map (8.7.5) this port is still open.

The core functions exposed by the vulnerability are as follows:

- geolocation: get the GPS location of the user's phone (city, longitude, latitude)
- getsearchboxinfo: get the Baidu version information on the phone
- getapn: get the current network conditions (WIFI/3G/4G, operator)
- getserviceinfo: get information about the application providing the nano http service
- getpackageinfo: get the version information of applications on the phone
- sendintent: send an arbitrary intent
- getcuid: get the IMEI
- getlocstring: get local string information
- scandownloadfile: scan downloaded files (UCDownloads/QQDownloads/360Download...)
- addcontactinfo: add contacts to the phone
- getapplist: get information on all installed apps
- downloadfile: download an arbitrary file to a specified path; if the file is an APK, install it
- uploadfile: upload an arbitrary file to a specified path; if the file is an APK, install it

However, the Moplus SDK code only performs a simple check on the HTTP headers, such as checking whether remote-addr is 127.0.0.1, so exploiting this vulnerability is extremely simple: knowing the target phone's IP, you only need a browser and the appropriate HTTP headers to control some operations of the phone.

2. Analysis of Baidu Input Method after the fix

We tested some of Baidu's products and found that their solution is mostly to cut out some of the dangerous functions (those inside the box in the figure below) and to close the open ports (6259 | 40310). The fix details differ slightly between products, and the functions that were cut may also differ.
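As an added illustration (not the Moplus SDK's code and not from the original article), the weak header check described in section 1 is shown beside a hardened handler that does what the fixes in section 2 do: it trusts only the socket's real peer address and removes the dangerous commands. The command names are the ones listed above; the request bytes and peer addresses are constructed.

```python
from dataclasses import dataclass

# Command names as listed in the article; DANGEROUS marks the ones that
# install files, add contacts or fire arbitrary intents, which a fix should remove.
ALL_COMMANDS = {"geolocation", "getsearchboxinfo", "getapn", "getserviceinfo",
                "getpackageinfo", "sendintent", "getcuid", "getlocstring",
                "scandownloadfile", "addcontactinfo", "getapplist",
                "downloadfile", "uploadfile"}
DANGEROUS = {"sendintent", "addcontactinfo", "downloadfile", "uploadfile"}

@dataclass
class Request:
    peer_ip: str      # real TCP peer address reported by the socket layer
    path: str
    headers: dict     # header names lower-cased

def parse_request(raw: bytes, peer_ip: str) -> Request:
    """Minimal HTTP/1.1 request-line + header parser (constructed input only)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(peer_ip, path, headers)

def command_of(path: str) -> str:
    return path.split("?", 1)[0].strip("/").split("/", 1)[0]

def handle_vulnerable(req: Request) -> tuple[int, str]:
    """Weak check: trusts a header the client itself wrote."""
    if req.headers.get("remote-addr") != "127.0.0.1":
        return 403, "forbidden"
    cmd = command_of(req.path)
    return (200, cmd) if cmd in ALL_COMMANDS else (404, "unknown command")

def handle_hardened(req: Request) -> tuple[int, str]:
    """Fixed check: use the socket peer, and drop the dangerous commands.
    The listener must also bind 127.0.0.1 only, never 0.0.0.0."""
    if req.peer_ip != "127.0.0.1":
        return 403, "forbidden"
    cmd = command_of(req.path)
    if cmd in DANGEROUS or cmd not in ALL_COMMANDS:
        return 404, "unknown command"
    return 200, cmd

# Constructed request from a remote peer that forges the trusted header.
FORGED = (b"GET /downloadfile?x=1 HTTP/1.1\r\nHost: phone\r\n"
          b"remote-addr: 127.0.0.1\r\n\r\n")

if __name__ == "__main__":
    req = parse_request(FORGED, peer_ip="10.0.0.7")
    print("vulnerable:", handle_vulnerable(req))  # (200, 'downloadfile')
    print("hardened:", handle_hardened(req))      # (403, 'forbidden')
```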

