Baidu HD client remote command execution and Solution

Baidu HD client remote command execution and Solution

Remote Command Execution caused by malicious links accessed by Baidu HD Client

Currently, the latest version of Baidu HD client (v1.3) is used in Android 4.2.2. There are still Webview objects for Javascript injection commands on the webpage. The object names include go_back_js_interface_name and Bdbox_android_utils, bdbox_android_videoCore, bd_searchbox_interface, Bdbox_android_send_intent

Phone test for Cobi cube TALK 7X, model U51GT-C4B, Android 4.2.2

We found this vulnerability on the webview test page of wooyun.
 

Decompiling the Baidu HD client. The compilation level is

<uses-sdk android:minSdkVersion="14" android:targetSdkVersion="17" />

The following code snippet exists in package com. baidu. browser. framework. BdWindow:

v0.addJavascriptInterface(new BdWindow$GobackJSInterface(this, null), "go_back_js_interface_name");        v0.addJavascriptInterface(new BdWindow$JavaScriptInterface(this, null), "bd_searchbox_interface");        v0.addJavascriptInterface(new SendIntentJavaScriptInterface(((BWebView)v0)), "Bdbox_android_send_intent");        v0.addJavascriptInterface(new UtilsJavaScriptInterface(this.g, ((BWebView)v0)), "Bdbox_android_utils");        v0.addJavascriptInterface(new VideoCoreJSInterface(this.g, this), "Bdbox_android_videoCore");

Indicates a Java object that can be manipulated by Javascript.



We can check the BdWindow $ GobackJSInterface, BdWindow $ JavaScriptInterface, SendIntentJavaScriptInterface, UtilsJavaScriptInterface, and VideoCoreJSInterface classes, and find that all of them have the @ javascript annotation public method. For example, in com. baidu. searchbox. browser. the following method exists in UtilsJavaScriptInterface,

     @JavascriptInterface public void currPageUrl(String arg2) {        if(this.currPageUrlCallback != null && (f.a(this.mBWebView))) {            this.currPageUrlCallback.a(arg2);        }    }    @JavascriptInterface public String getNetInfo() {        String v0 = null;        if(this.mContext != null && (f.a(this.mBWebView))) {            v0 = ah.g(this.mContext) ? ah.a(1, u.a(this.mContext).k()) : ah.a(0, "0");        }        return v0;    }    @JavascriptInterface public String paramsRender(String arg2) {        String v0 = this.mContext == null || !f.a(this.mBWebView) ? null : u.a(this.mContext).d(arg2);        return v0;

This further illustrates the vulnerability. In Android 4.2 and later versions, only the public method annotated with @ JavascriptInterface can be called through Javascript.


Attackwebview2.html in the web server to access the website using the Baidu HD client.

Access malicious links
 

Generate the rat6.apk (Androrat) in the/sdcarddirectory and use the adb that comes with the mobile phone for automatic Silent Installation (the prerequisite is that adb connects to the local machine with the root permission)


 

 

Solution:

1. Disable addJavascriptInterface of Webview, or use addJavascriptInterface only when the Webview component loads trusted content.

2. Use shouldOverrideUrlLoading to develop the java operation interface for Javascipt, and check the loaded URL and user input.