Thunder game box: man-in-the-middle attack leading to persistent denial of service, and the fix
The Thunder game box can be attacked by a man-in-the-middle, resulting in a persistent denial of service. Version: 2.2.21.0360
When the Thunder game box is opened, it sends a request to http://v2.boxpage.niu.xunlei.com/v3/index.html. By studying this HTML file, I found that the API window.external.SetConfigData() can write to a local configuration file without any restrictions. For example, window.external.SetConfigData("~XLGameBoxConfig~", "IsAutoRun", "true") sets the game box to start automatically at startup. The local file is saved at %APPDATA%\Thunder game\XLGameBox\Data\xggb_config.ini. Because HTTPS is not used, a man-in-the-middle can hijack the game box's web page request and write to the local configuration file as needed. I searched for a long time and did not find any particularly dangerous configuration option, such as one leading to code execution or file download. I did not want to just drop it either, so I settled for doing damage: I use setInterval to write a large amount of useless data to the configuration file in a loop. In testing, the file can reach about MB. Because the program reads the configuration file every time it starts, once the file is very large the program can never open normally. In testing, at about MB, opening the program gets no response within 2 minutes. Even once the window is open, it takes half a day to move it.
Hijack http://v2.boxpage.niu.xunlei.com/v3/index.html and return the following content:
<!DOCTYPE html>
Then run the program and you can see that the configuration file is growing rapidly:
In an environment without the attack, when you start the program again:
Even once it has opened, when you move the window:
Solution: First, letting a web page modify local files directly is dangerous. If a configuration option that can be used to execute code is ever added, the impact will no longer be just DoS. Any page downloaded over HTTP (non-HTTPS) cannot be trusted. Therefore, if SetConfigData does not have to be exposed to web pages, do not expose it. If it must be exposed, either require HTTPS so that only pages loaded over HTTPS can change settings, or restrict what can be set (choose one or more). In addition, GetConfigData should check the file size before reading the file. When the file is too large, it should be deleted and overwritten with the default values, or only the first few KB should be read.
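The mitigations in the solution above, sketched on the host side as an added example; this is not Xunlei's code and not part of the original report. The function names `set_config_allowed` and `load_config_capped`, the trusted HTTPS origin and the 64 KiB cap are assumptions made for illustration.

```cpp
#include <fstream>
#include <iterator>
#include <map>
#include <set>
#include <string>
#include <utility>

// Assumption: the only origin allowed to change settings (HTTPS form of the page's host).
// The trailing slash stops look-alike hosts such as "...xunlei.com.evil.example".
const std::string kTrustedOrigin = "https://v2.boxpage.niu.xunlei.com/";
// Assumption: 64 KiB is far more than a legitimate settings file needs.
const std::streamoff kMaxConfigBytes = 64 * 1024;

// Allowlist of (section, key) -> permitted values. Only the pair shown in the
// report is listed; any other write requested by page script is rejected.
const std::map<std::pair<std::string, std::string>, std::set<std::string>> kAllowed = {
    {{"~XLGameBoxConfig~", "IsAutoRun"}, {"true", "false"}},
};

// Gate to run before honouring a SetConfigData-style call from page script.
bool set_config_allowed(const std::string& page_url, const std::string& section,
                        const std::string& key, const std::string& value) {
    if (page_url.compare(0, kTrustedOrigin.size(), kTrustedOrigin) != 0)
        return false;  // plain HTTP or a foreign host is never trusted
    auto it = kAllowed.find({section, key});
    return it != kAllowed.end() && it->second.count(value) == 1;
}

// Size check before a GetConfigData-style read. A missing or oversized file is
// overwritten with defaults instead of being parsed. Returns the text to parse.
std::string load_config_capped(const std::string& path, const std::string& defaults) {
    std::ifstream in(path, std::ios::binary | std::ios::ate);
    std::streamoff size = in ? static_cast<std::streamoff>(in.tellg()) : -1;
    if (size < 0 || size > kMaxConfigBytes) {
        in.close();
        std::ofstream out(path, std::ios::binary | std::ios::trunc);
        out << defaults;
        return defaults;
    }
    in.seekg(0);
    return std::string(std::istreambuf_iterator<char>(in),
                       std::istreambuf_iterator<char>());
}
```

With both checks in place, a hijacked HTTP response can no longer write arbitrary keys, and a file that has already been bloated is reset at the next start instead of hanging the program.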