Sogou Pinyin upgrade: installation package verification can be bypassed on the LAN
During an upgrade, the Sogou Pinyin input method (including the Sogou browser) lets an attacker on the same network bypass the client's verification of the installation package.
By the way, a digression: I remember that some time ago no account was needed to read the basic reverse-engineering articles in the WooYun knowledge base, but later I found that an account was required. I have been learning reversing for less than two months and am eager to learn more of it, so I am using this post to get an invitation code.
During the upgrade of Sogou Pinyin (including the Sogou browser), the installation package can be replaced in transit between the client and the server, and the client's verification of the package does not prevent this.
Tools used: a packet capture and replay tool, WireShark, OllyDbg (and IDA for the verification algorithm).
Sogou Pinyin's general upgrade process: attaching with OllyDbg shows that the upgrade creates a pinyinup.exe process. That process, or one of its child processes, downloads a configuration file containing the latest-version information for Sogou Pinyin (which component does the downloading and verification differs between versions, but this does not affect the replacement of the installation package or the bypass of the verification). Analysis in IDA shows that the verification algorithm uses MD5, and a WireShark capture gives the format of the configuration file (it is fetched over HTTP, so it travels in plaintext, which makes the attack straightforward). Two responses have to be replaced in the whole process: first the configuration file that describes the latest installation package, then the installation package itself. Sogou Pinyin is used as the example here:
(1) Forge a configuration file to replace the one describing the latest version of Sogou Pinyin. Apart from the fields you modify, the forged file must match the original configuration file exactly. The configuration file looks like this:
[Sogouime]
versiontype = final
webversion = 2.0.0.0
webversiontype = final
version = 7.2.0.2935
url = Response
(2) Replace the installation package with your own program. The MD5 value and file size of your program must match the MD5 value and file size written into the forged configuration file.
Both steps above require a packet capture and replay tool. I tested this in an XP virtual machine under VMware; the target NIC is vmnet8.
Solution:
I did not come up with a good solution. Verification has always seemed to me to be a difficult problem, at least in my mind. I recommend using HTTPS for the transmission.
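As an added example (not code from this report, nor Sogou's own update client), the following Python models the two-step replacement above and the verification problem raised in the solution section: a client that checks the downloaded installer's MD5 and size against a configuration file fetched in plaintext accepts anything, because the attacker who swaps the installer also rewrites the configuration. The installer bytes, the URL, the key names md5/size/sha256 and the vendor key are all constructed assumptions (the report says the configuration carries an MD5 and a file size but does not show the key names). The hardened variant authenticates the configuration itself; the HMAC is a stand-in for a vendor signature, not a claim about what Sogou does.

```python
"""Model of the upgrade check described in this report and of the MITM that
defeats it. All installers, URLs and keys below are constructed for illustration."""
import hashlib
import hmac

# Constructed stand-ins for the genuine installer and for an attacker's program.
GENUINE_INSTALLER = b"MZ\x90\x00 genuine sogou_pinyin installer (constructed)"
EVIL_INSTALLER = b"MZ\x90\x00 attacker-controlled program (constructed)"

# The key names md5, size and sha256 are assumptions: the report says the
# configuration carries the installer's MD5 and file size but does not show
# the key names; sha256 exists only for the hardened variant below.
CONFIG_TEMPLATE = (
    "[Sogouime]\n"
    "versiontype = final\n"
    "webversion = 2.0.0.0\n"
    "webversiontype = final\n"
    "version = 7.2.0.2935\n"
    "url = {url}\n"
    "md5 = {md5}\n"
    "sha256 = {sha256}\n"
    "size = {size}\n"
)


def parse_config(text):
    """Minimal INI parser: {section: {key: value}}, keeping key order."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            cfg[section][key.strip()] = value.strip()
    return cfg


def render_config(fields):
    return "[Sogouime]\n" + "".join(f"{k} = {v}\n" for k, v in fields.items())


def server_config(installer, url):
    """What the update server publishes (over plain HTTP) for an installer."""
    return CONFIG_TEMPLATE.format(
        url=url,
        md5=hashlib.md5(installer).hexdigest(),
        sha256=hashlib.sha256(installer).hexdigest(),
        size=len(installer),
    )


def client_check_md5(cfg_text, installer):
    """The check the report describes: MD5 and size must match the config."""
    s = parse_config(cfg_text)["Sogouime"]
    return (hmac.compare_digest(hashlib.md5(installer).hexdigest(), s["md5"].lower())
            and int(s["size"]) == len(installer))


def mitm_replace(original_cfg_text, evil_installer):
    """Steps (1) and (2): keep every field except the ones describing the file,
    rewrite those for the attacker's program, and serve that program instead."""
    fields = parse_config(original_cfg_text)["Sogouime"]
    fields["md5"] = hashlib.md5(evil_installer).hexdigest()
    fields["sha256"] = hashlib.sha256(evil_installer).hexdigest()
    fields["size"] = str(len(evil_installer))
    return render_config(fields), evil_installer


# Hardened variant: authenticate the configuration itself, so that whoever
# rewrites it in transit cannot also make it verify. An HMAC under a key the
# attacker does not hold stands in here for a vendor signature; a real client
# would use an asymmetric signature (or Authenticode on the installer) plus
# HTTPS, since a symmetric key shipped inside the client can be extracted.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign_config(cfg_text, key=VENDOR_KEY):
    return hmac.new(key, cfg_text.encode(), hashlib.sha256).digest()


def client_check_signed(cfg_text, signature, installer, key=VENDOR_KEY):
    if not hmac.compare_digest(sign_config(cfg_text, key), signature):
        return False  # configuration was altered in transit
    s = parse_config(cfg_text)["Sogouime"]
    return (hmac.compare_digest(hashlib.sha256(installer).hexdigest(), s["sha256"].lower())
            and int(s["size"]) == len(installer))


if __name__ == "__main__":
    original = server_config(GENUINE_INSTALLER, "http://update.example.invalid/sogou_pinyin.exe")
    forged, served = mitm_replace(original, EVIL_INSTALLER)
    print("weak check, genuine:", client_check_md5(original, GENUINE_INSTALLER))
    print("weak check, forged config + attacker program:", client_check_md5(forged, served))
    print("signed check, same forgery:", client_check_signed(forged, sign_config(original), served))
```

The weak check passes for the forged pair because the MD5 and size it compares against come from the same plaintext response the attacker rewrote; only the version and other fields are left untouched, as step (1) requires. The signed check fails on the same forgery because the attacker cannot produce a valid signature over the rewritten configuration. HTTPS alone, as the report recommends, closes the LAN replacement only if the client actually validates the server certificate; signing the manifest or the installer protects the download regardless of transport.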