Baidu SDK Wormhole vulnerability analysis report. It's like leaving your house key in the front door.

This article is an update to our previous report “The WormHole Vulnerability: The Number of Affected Apps is Increasing”. We will introduce more technical details about this vulnerability going forward.

Apk version used: Baidu map 7.7.0 for Android

The cause of the vulnerability:

The Moplus SDK creates a local server for in-app and cross-app communication. It listens on specific ports (6259 or 40310) but does not verify where a request actually comes from. It only checks the Host, remote-addr and Referer header fields of the incoming packet. If those fields carry the expected values, it accepts the connection and executes any of many powerful commands carried in the URL's parameters, such as downloading files from the internet, installing apps, running apps, uploading the user's phone information, etc. These header fields are trivially forged, so an attacker can send specially crafted URLs to the user's phone remotely and execute dangerous commands on it. Moplus SDK is so useful that many third-party apps include it for search-engine or map services, so this vulnerability can have a large impact on Android users. An attacker only needs to know the user's IP address to launch an attack. Yes, that's all.

The conditions an incoming request's headers must meet before the user's phone accepts the connection:

  • The “Host” and “remote-addr” fields both have the value “127.0.0.1”
  • The “Referer” field contains one of the following: baidu.com/hao123.com/hiapk.com/91.apk

Then it will consider that this request is from inside the app, accept it, and execute the command contained in the request.
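The flaw is that every value the check consults is supplied by the sender. The following is an added example, not code from the Moplus SDK: it places the header-based check the post describes next to a check on the kernel-reported TCP peer address, then runs both over a constructed server log (a hypothetical `key=value` format) to flag requests that pass the first check but fail the second.

```python
# Added example, not code from Baidu's Moplus SDK: contrasts the header-based
# trust check the post describes with a check on the real TCP peer address,
# then flags requests that pass the former but fail the latter (spoofing).
import ipaddress
from typing import Dict, List

TRUSTED_REFERER_DOMAINS = ("baidu.com", "hao123.com", "hiapk.com", "91.apk")

def trusted_by_headers(headers: Dict[str, str]) -> bool:
    """The flawed check: every value examined here is chosen by the sender."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("host") != "127.0.0.1" or h.get("remote-addr") != "127.0.0.1":
        return False
    return any(d in h.get("referer", "") for d in TRUSTED_REFERER_DOMAINS)

def trusted_by_peer(peer_ip: str) -> bool:
    """Hardened check: the peer address reported by the kernel (socket.getpeername)
    is not under a remote sender's control. On Android a loopback peer is still
    any app on the device, so a complete fix would also verify the calling UID."""
    return ipaddress.ip_address(peer_ip).is_loopback

def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one line of the constructed 'key=value key=value' log format."""
    return dict(kv.split("=", 1) for kv in line.split())

def find_spoofed_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return entries the header check would accept but the peer check rejects."""
    spoofed = []
    for line in log_lines:
        rec = parse_log_line(line)
        headers = {"host": rec.get("host", ""),
                   "remote-addr": rec.get("remote-addr", ""),
                   "referer": rec.get("referer", "")}
        if trusted_by_headers(headers) and not trusted_by_peer(rec["peer"]):
            spoofed.append(rec)
    return spoofed

# Constructed sample log: one genuine loopback request, one request from the
# local network carrying forged headers, one request without a trusted referer.
SAMPLE_LOG = [
    "peer=127.0.0.1 host=127.0.0.1 remote-addr=127.0.0.1 referer=http://www.baidu.com/ cmd=getapn",
    "peer=10.0.0.23 host=127.0.0.1 remote-addr=127.0.0.1 referer=http://www.baidu.com/ cmd=getcuid",
    "peer=10.0.0.23 host=127.0.0.1 remote-addr=127.0.0.1 referer=http://example.org/ cmd=getcuid",
]

if __name__ == "__main__":
    for rec in find_spoofed_requests(SAMPLE_LOG):
        print("spoofed request from", rec["peer"], "for command", rec["cmd"])
```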

To any hacker, setting a request's header fields to chosen values is as easy as drinking a cup of coffee; the original post showed this as a few lines of Python (image not reproduced here).

All commands that the Moplus SDK supports can be seen in the function com.baidu.android.nebula.cmd.i.

[Figure: all commands the server supports]

The correspondence between the command and the function are as follows:

[Figure: the corresponding functions and commands]

All commands’ functionalities are as follows:

  • geolocation: get the user’s exact location, such as the longitude and latitude
  • getsearchboxinfo: check if the user has installed the Baidu Search App (package name: com.baidu.searchbox)
  • getapn: get the user’s APN, such as Wi-Fi/2G/3G
  • getserviceinfo: get the Moplus/Baidu push service version info
  • getpackageinfo: check if the user has installed the apps whose package names are specified in the parameters of the URL
  • sendintent: launch a specified Intent Uri (such as open some app, send an SMS, open a URL in the browser, and so on)
  • getcuid: get the user’s phone IMEI/cid number
  • getlocstring: get the phone’s cid/area code/IMEI and then join them together for sending
  • scandownloadfile: scan the APKs in the download directory
  • addcontactinfo: add a contact to the user’s phone
  • getapplist: get the package name and version of all installed apps on the user’s phone
  • downloadfile: download a file from a specified URL to the user’s phone
  • uploadfile: install or uninstall some apps silently

downloadfile command

For example, take the command “downloadfile”. Its code is as follows: the function reads the download URL, the save path, and the file size (in bytes) from the request URL. It then downloads the file to the user’s phone and saves it in the “savepath” directory under the sdcard directory, i.e. at /sdcard/$savepath$.

[Figure: code of the downloadfile function]

The URL format carrying the download parameters was shown as an image in the original post (not reproduced here).

sendintent command

Another important command is “sendintent”. Anyone can specify the intent Uri, which is started directly, such as dialing a specified number, sending an SMS, or running an application.

[Figure: getting the intent Uri from the URL]

Get an Intent Uri and then start it:

[Figure: starting other apps by sending an Intent to the phone]
[Figure: starting the Intent from the Uri in the URL]

Dialing a number, for example, is triggered by a URL of this form (shown as an image in the original post, not reproduced here).

We developed the exploit application in Python and Java several days ago and tested it successfully, but Baidu recently updated its SDK. The vulnerable ports (6259/40310) have been closed (I tried several apps, with the same outcome). When an app containing the Moplus SDK is freshly installed, port 6259/40310 opens for a few seconds but closes soon after, so the exploit can no longer be used; when executed, it returns an error. However, we found another issue: port 7777 is always open, and by exploiting the same flaw an attacker can still obtain useful information from the phone remotely, such as its IMEI and the user’s location, but cannot perform dangerous actions such as installing apps or downloading files to the phone. Regardless, this could still leak the user’s private information.

[Figure: the vulnerable port 6259 has been closed, but port 7777 is still open, so the app remains partially vulnerable]

These commands are as powerful as Doraemon’s key, and this SDK is very widely used, especially in China. In the hands of attackers, this could have a widespread negative impact on Android users. Imagine you are on a 2G or 3G network: all users are on the same LAN, so an attacker can simply scan the network range to see whether your phone has port 6259/40310 open and, if so, launch the attack. It’s that easy. Big companies should pay more attention to the security of their SDKs and apps and protect the Android world for their users. Remember: with great power comes great responsibility.
