This article is an update to our previous report, “The WormHole Vulnerability: The Number of Affected Apps is Increasing”, and gives more technical details about the vulnerability.
Apk version used: Baidu map 7.7.0 for Android
The cause of the vulnerability:
The Moplus SDK creates a local HTTP server for in-app and cross-app communication. It listens on fixed ports (6259 or 40310) but does not verify where a request really comes from: it only checks the Host, remote-addr and Referer header fields of the incoming packet. If those values match what it expects, it accepts the connection and executes the command named in the URL’s parameters, which include powerful operations such as downloading files from the internet, installing apps, launching apps and uploading the user’s phone information. Because these headers are written by the client, they are trivially forged, so an attacker can send specially crafted URLs to the user’s phone over the network and have dangerous commands executed on it. The Moplus SDK is widely embedded: many third-party apps include it for search-engine or map services, so this vulnerability affects a large number of Android users. An attacker only needs to know the user’s IP address to launch an attack. Yes, that’s all.
The conditions an incoming request’s headers must satisfy before the SDK accepts a connection to the user’s phone:
- The “Host” and “remote-addr” fields are both “127.0.0.1”
- The “Referer” field contains one of the following: baidu.com, hao123.com, hiapk.com or 91.apk
If both hold, the SDK treats the request as coming from inside the app, accepts it, and executes the command contained in the request.
To any hacker, setting a request’s header fields to chosen values is as easy as drinking a cup of coffee. All you need to do is this (if using Python):
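The root cause described above is that the SDK authorizes a request from values the client itself writes. The following added example, which is not code from the article or from the Moplus SDK, contrasts a header-only check modelled on the article’s description with a check based on the connection’s real peer address as reported by the kernel, and shows the loopback-only bind that removes network reachability altogether. The sample requests, the documentation address 203.0.113.5 and the function names are constructed for illustration.

```python
import ipaddress
import socket
from typing import Mapping, Tuple

# Referer domains the article says the SDK accepts (taken from the article).
TRUSTED_REFERER_DOMAINS = ("baidu.com", "hao123.com", "hiapk.com", "91.apk")


def weak_is_local_request(headers: Mapping[str, str]) -> bool:
    """Header-only check modelled on the article's description of the SDK.

    Host and remote-addr must equal 127.0.0.1 and Referer must contain one of
    the trusted domains. Every one of these values is chosen by the client, so
    passing this check says nothing about where the request really came from.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("host", "").split(":")[0] != "127.0.0.1":
        return False
    if h.get("remote-addr") != "127.0.0.1":
        return False
    referer = h.get("referer", "")
    return any(domain in referer for domain in TRUSTED_REFERER_DOMAINS)


def strong_is_local_request(peer: Tuple[str, int]) -> bool:
    """Origin check based on the transport layer instead of headers.

    `peer` is what socket.getpeername() returns for the accepted connection,
    i.e. the address the kernel saw the packets arrive from. A remote client
    cannot make that read 127.0.0.1, so only genuinely local connections pass.
    """
    return ipaddress.ip_address(peer[0]).is_loopback


def authorize(peer: Tuple[str, int], headers: Mapping[str, str]) -> dict:
    """Evaluate one incoming request under both policies for comparison."""
    return {
        "header_check": weak_is_local_request(headers),
        "peer_check": strong_is_local_request(peer),
    }


def loopback_listener(port: int) -> socket.socket:
    """Bind the command server to 127.0.0.1 only (hypothetical helper).

    A socket bound to the loopback address is never reachable from the LAN,
    regardless of what any header says. Port 0 lets the OS pick a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


# Constructed sample requests (not captured traffic).
# 1) A request that really originates from an app on the same phone.
LOCAL_PEER = ("127.0.0.1", 40000)
LOCAL_HEADERS = {
    "Host": "127.0.0.1:6259",
    "remote-addr": "127.0.0.1",
    "Referer": "http://m.baidu.com/",
}

# 2) Identical headers arriving over the network from another host
#    (203.0.113.5 is a documentation-only address used as a placeholder).
REMOTE_PEER = ("203.0.113.5", 51234)
REMOTE_HEADERS = dict(LOCAL_HEADERS)


if __name__ == "__main__":
    print("local request :", authorize(LOCAL_PEER, LOCAL_HEADERS))
    print("remote request:", authorize(REMOTE_PEER, REMOTE_HEADERS))
    # Expected: the header check passes both; the peer check rejects the remote one.
```

The peer-address check only tells the server that the connection came from the same device; it does not say which app opened it, so a cross-app interface on Android still needs a per-caller authorization mechanism on top of binding to loopback.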
All commands that the Moplus SDK supports can be seen in the function com.baidu.android.nebula.cmd.i.
The correspondence between each command and its handler function is as follows:
The commands’ functionalities are as follows:
- geolocation: get the user’s exact location, such as longitude and latitude
- getsearchboxinfo: check whether the user has installed the Baidu Search app (package name: com.baidu.searchbox)
- getapn: get the user’s APN, such as Wi-Fi/2G/3G
- getserviceinfo: get the Moplus/Baidu push service version info
- getpackageinfo: check whether the user has installed the apps whose package names are given in the URL parameters
- sendintent: launch a specified Intent URI (for example open an app, send an SMS, or open a URL in the browser)
- getcuid: get the phone’s IMEI/cid number
- getlocstring: get the phone’s cid, area code and IMEI, join them together and send them
- scandownloadfile: scan the APKs in the download directory
- addcontactinfo: add a contact to the user’s phone
- getapplist: get the package name and version of every app installed on the user’s phone
- downloadfile: download a file from a specified URL to the user’s phone
- uploadfile: install or uninstall some apps silently
For example, take the command “downloadfile”. Its code is as follows:
The function reads the download URL, the save path and the file size (in bytes) from the request URL. It then downloads the file to the user’s phone and stores it in the “savepath” directory under the sdcard directory, i.e. in /sdcard/$savepath$.
The url format containing the parameter for downloading is as follows:
Another important command is “sendintent”. The caller can specify any Intent URI, and the SDK starts it directly, e.g. dialing a specified number, sending an SMS, or launching an application.
It gets the Intent URI and then starts it:
If you want to dial a number you could make a url like this:
We developed the exploit application in Python and Java several days ago and tested it successfully, but recently Baidu updated its SDK. The vulnerable ports (6259/40310) have been closed (I have tried several apps, with the same outcome). When an app containing the Moplus SDK is freshly installed, port 6259/40310 opens for a few seconds and then closes, so the exploit can no longer be used; when executed, it returns an error. However, we found another weakness: port 7777 is always open, so by exploiting the same flaw an attacker can still retrieve useful information from the phone remotely, such as the IMEI and the user’s location, although dangerous actions such as installing apps or downloading files to the phone are no longer possible. Regardless, this can still leak the user’s private information.
These commands are as powerful as Doraemon’s key, and this SDK is very widely used, especially in China. In the hands of attackers, this could have a widespread negative impact on Android users. Imagine you are on a 2G or 3G network: all users share the same LAN, so an attacker can simply scan the address range and see whether port 6259/40310 is open on your phone. If it is, the attack can be launched. It’s that easy. Large companies should pay more attention to the security of their SDKs and apps and protect the Android ecosystem for users. Remember: with great power comes great responsibility.
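The practical question for a user or administrator is whether their own device is exposing these ports. The following added example, which is not part of the original article, audits a `/proc/net/tcp` dump taken from your own device (for example via `adb shell cat /proc/net/tcp`, assuming the file is readable) and reports listeners on the article’s ports that are bound to a non-loopback address and therefore reachable from the network. The sample table below is constructed, not captured from a real device.

```python
import socket
import struct
from typing import Dict, Iterable, List, Tuple

# Ports the article associates with the Moplus SDK local server.
MOPLUS_PORTS = {6259, 40310, 7777}
TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp


def hex_to_ipv4(hex_addr: str) -> str:
    """/proc/net/tcp stores IPv4 addresses as 8 hex digits in host byte order
    (little-endian on ARM and x86), e.g. 0100007F -> 127.0.0.1."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_tcp_table(text: str) -> List[Tuple[str, int, int]]:
    """Return (local_ip, local_port, state) for each row of a /proc/net/tcp dump."""
    rows = []
    for line in text.splitlines()[1:]:      # the first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        rows.append((hex_to_ipv4(ip_hex), int(port_hex, 16), int(fields[3], 16)))
    return rows


def moplus_listeners(text: str, ports: Iterable[int] = MOPLUS_PORTS) -> Dict[int, str]:
    """Map each of the given ports that is in LISTEN state to the address it is bound to."""
    wanted = set(ports)
    return {port: ip for ip, port, state in parse_tcp_table(text)
            if state == TCP_LISTEN and port in wanted}


def exposed_listeners(text: str, ports: Iterable[int] = MOPLUS_PORTS) -> List[Tuple[int, str]]:
    """Listeners on the given ports bound to a non-loopback address, i.e. ones
    that other hosts on the same LAN (the 2G/3G case in the article) can reach."""
    return sorted((port, ip) for port, ip in moplus_listeners(text, ports).items()
                  if not ip.startswith("127."))


# Constructed /proc/net/tcp excerpt (not from a real device):
#   row 0: 6259 on 0.0.0.0 (exposed), row 1: 40310 on 0.0.0.0 (exposed),
#   row 2: 7777 on 127.0.0.1 (local only), row 3: an established connection,
#   row 4: an unrelated listener on 8080.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1873 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10042        0 12345 1
   1: 00000000:9D76 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10042        0 12346 1
   2: 0100007F:1E61 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10042        0 12347 1
   3: 0A000002:B2D4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10042        0 12348 1
   4: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10043        0 12349 1
"""


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROC_NET_TCP
    for port, ip in exposed_listeners(data):
        print(f"port {port} is listening on {ip}: reachable from the network")
    for port, ip in moplus_listeners(data).items():
        if ip.startswith("127."):
            print(f"port {port} is listening on {ip}: local apps only")
```

Run it as `adb shell cat /proc/net/tcp > tcp.txt && python audit.py tcp.txt`. A port bound to 127.0.0.1 is out of reach of the LAN scan the article describes, but it is still reachable by every other app on the phone, which is the cross-app half of the original problem.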