Saved the day: QQ music“wormhole”adventures-vulnerability warning-the black bar safety net

ID MYHACK58:62201569844
Type myhack58
Reporter Gmxp
Modified 2015-12-08T00:00:00


0x00 background

A weekend afternoon, the terminal security team of little friends at the seaside mission built to roast meat and drink wine, TSRC vulnerability report mailbox receive Trend Micro's classmates sent the vulnerability report, the report referred to the mobile phone QQ music using the third library libupnp there is a similar wormhole(WormHole of vulnerability. Friends to put down the ongoing activities, immediately with the TSRC team start on the vulnerability of the emergency response process.

The entire process is fairly smooth, the product team quickly released a new version to fix the vulnerability--and mobile QQ music just like in the wormhole in around in a circle near misses back to the place.

The Trend Micro security team adhering to the user responsible spirit, gives us enough time to fix the problem, but also technically as we provide help, we are here for Trend Micro gratitude and respect.

0x01 vulnerability processing timeline

2 0 1 5 year 1 1 On 1 4 May 1 June 6: 2 0, received LeoZhang@TrendMicro on the phone QQ music introduced into the third library libupnp existence of“wormholes”vulnerability report;

2 0 1 5 year 1 1 May 1 4 May 2 0: 0 to 0, the completion of vulnerability confirm the vulnerability details and fix scheme synchronized to the QQ music development team;

2 0 1 5 year 1 1 month 1 4 day 2 3: The 0 0, QQ music to develop the team to complete the bug-fix and verify the Fix ok, start a new release process;

2 0 1 5 year 1 1 month 1 9 day, mobile QQ music released upgraded version 5. 7. 1. 5 out of trend articles in the error of 2 to 4 November; and

2 0 1 5 year 1 2 month 3 day, Trend Micro blog post about libupnp vulnerability technical details;

2 0 1 5 year 1 2 December 7, TSRC blog published herein.

0x02 vulnerability causes

Mobile QQ music in order to achieve a local area network within the convenient playback function, using the industry's extensive use of the UPnP architecture, UPnP capability built directly using the open source third-party library libupnp from. Lead to the vulnerability of the places in the QQ music initially in 2 0 1 2 year 4 month uses libupnp v1. 6. 1 7 version later, and the delay in holding the library version of the update, and put this version in the presence of a known Vulnerability, CVE-2 0 1 2-5 9 5 8 – CVE-2 0 1 2-5 9 6 5, and has been brought to the Now of the now network version.

0x03 principles of analysis

These CVE points to a key vulnerability, is a textbook stack overflow vulnerability. We simply look under the vulnerability principle.


Code: upnp/src/ssdp/ssdp_server.c@480

Wherein the TempBuf is from the stack on the fixed buffer area, The size of 3 0 of 0 bytes. And ptr1 and ptr3 are never from UDP 1 9 0 0 port on the received command number data type to a string, the contents of which through the strstr function from the command number in the data extraction. Although in the string copy time, the use of strncpy in this safe version of the string-handling functions, unfortunately the length of the n field is not handled well, can still be an external input control.

Thus, strncpy, destination buffer is fixed the contents of the stack, the source buffer from the network, the copy length of the network can be controlled, a textbook stack overflow thus formed. Standard vulnerability, the solution is also very standard, the n the length of the limit, make sure not to exceed the stack buffer range.


Code: upnp/src/ssdp/ssdp_server.c@479

This classic strncpy function causes of vulnerability, believing that to do vulnerability discovery students must be familiar. In fact, the same is in the 2 0 1 2 in a version of the QQ video, almost exactly the same stack overflow vulnerability. However, based on Java or OBJ-C to write mobile APP, stack overflow attacks although not the demise, but the Golden age is gone.

0x04 attack scene

This bug just broke the time, taking into account the 2 0 1 2 years of PC or serveroperating systemin the vulnerability mitigation mechanism is far better than today Mature, so this exploits the difficulty is very low: simple stack overflow overwriting the return address, with some of the key functions of positioning techniques, remote code execution is not a difficult thing. This from the metasploit the exploit/multi/upnp/libupnp_ssdp_overflow module in a large number of hard-coded address can also be seen some clues.

But now when we step back to consider the in Android on stack overflow use when, suddenly found to have totally not the year of the case. Android 4.0 and later versions introduced ASLR with NX protection, without considering these security mechanisms itself, vulnerability of the case, want to complete a remote code execution attack becomes difficult for many. One of the most difficult part is in an ASLR environment, the shellcode is difficult to predict the completion of the code execution when the desired Critical the system The address of the function, the General need of an additional remote information disclosure vulnerability. Access to the information leakage vulnerability after the ROP chain configuration, virus stability, it is not an easy thing. We are also in Android 5.0 on the actual try out this vulnerability to the use, pity the final can only be done remote denial of service attack.

Now we are also not captured to exploit this vulnerability the user of the actual attack.

0x05 extrapolate

1 0 month Baidu wormhole vulnerabilities, so security circles in this two months is not idle.

From the beginning of the wormhole, to the subsequent a variety of SDK products of a similar issue, to We of Tencent itself the product of the investigation, the UDP port attack scenarios have been ignored. We can see that the Trend Micro security team of the vulnerability carried out a more detailed in-depth analysis.

In fact UPnP in our daily lives is widely used, wherein the main usage scenarios are two: within the network to wear NAT and video and audio playback. In what is now called“Smart”TVs, smartphones, a wide range of use's, I believe we should have heard of DLNA?

DLNA is built on UPnP on the basis of, by the UPnP implementation of video, audio, control, device interconnect, then the essential need to open UDP 1 9 0 0 port.

After analysis, we found that many have DLNA capabilities of the audio and video APPS, Smart TV, intelligent speaker and even some with Interconnecting ability of the car, directly open a UDP 1 9 0 0 port, and these ports behind by older versions of libupnp library to achieve UPnP capabilities also are not the minority we will also find issues the notification of the affected vendors to. In addition to the Trend Micro small partners mentioned the difficulty of remote code execution attacks, combined with the DLNA multimedia characteristics, in fact there will be more some back hair cool attack scene.

Imagine, in the middle of the night sleeping in the bedroom when the TV suddenly came a period of the midnight fierce bell in you carry the intelligent speaker, to add some influence the mood of the low-frequency interference in your car listening to music when suddenly a car accident scene Brake the impact of the sound, what would you feel? If you can safely Watch TV, listen to music or drive? If you can safely enjoy the intelligent household life?

[1] [2] next