Yet another Wormhole Vulnerability – Meet the "DimensionDoor"

Authors: Tianfang Guo, Mengmeng Li

Two weeks ago, the Wormhole vulnerability was found in the wild, affecting more than 100M Android users. As you may already know, Wormhole is triggered through a customized HTTP service used for cross-app communication, which allows a remote attacker to bypass the security check and issue a variety of remote commands, such as installing arbitrary APKs.

Less than two weeks after Baidu fixed the Wormhole vulnerability, another incident surfaced in the 360 Mobile Assistant application, a popular app on the Android platform. The Trustlook research team found a similar issue inside this app, leading to a nearly identical remote code execution bug, which we call “DimensionDoor”.

The affected package is named “com.qihoo.appstore” in the Chinese market and “com.qihoo.secstore” on Google Play. The two apps have separate version numbering but share the same implementation; we use the Chinese version 3.1.55 as the example. When the app is launched, a service called “SimpleWebServer” starts listening on TCP 0.0.0.0:38517, that is, on all network interfaces, so it accepts connections from remote hosts.

[Screenshot: the SimpleWebServer service listening on 0.0.0.0:38517]

Even though the app’s code is obfuscated by ProGuard, it is still readable. Three of the functionalities exposed by the service stand out: open URL, download/install APK, and start activity.

[Screenshot: the decompiled handlers for open URL, download/install APK and start activity]

The commands can be issued remotely by sending an HTTP request to http://[client_ip]:38517/[API name]?[param], which triggers the corresponding logic. There is, however, a security check intended to prevent the service from being abused: for example, the remote URL is filtered against a domain whitelist, and only domains owned by the vendor are allowed:

[Screenshot: the domain whitelist check in the verification logic]

We dug into the verification logic and found a few ways around it. For example, the 360 app’s cloud storage service uses the domain “yunpan.360.cn”; anyone can upload an APK file to it and get a downloadable URL under the “360.cn” domain, which satisfies the whitelist. Another approach is to use the vendor’s CDN domain “shouji.360tpcdn.com”.
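As an added example (not code from the original post or from the 360 app), the check below contrasts a domain-level whitelist of the kind the bypass above defeats with a stricter version that also rejects callers that are not on the loopback interface. The allowlist contents, the release host name and the peer-address rule are constructed assumptions, since the post does not reproduce the app's actual check.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed vendor allowlist for this example; the post does not reproduce the app's list.
VENDOR_DOMAINS = ("360.cn", "360tpcdn.com")

# Exact hosts that only ever serve vendor-signed releases (hypothetical name). The point is
# that a host allowlist must not include hosts where third parties can upload content,
# which is why yunpan.360.cn (user uploads) and the CDN domain defeated a domain-level check.
RELEASE_HOSTS = {"release.example.360.cn"}


def naive_domain_check(url: str) -> bool:
    """Domain-level whitelist: any host under a vendor-owned domain passes.

    Illustrates the class of check described in the post, not the app's own code.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def hardened_check(peer_ip: str, url: str) -> bool:
    """Accept an install/open command only if all of the following hold:

    1. the request comes from the loopback interface (the app's server bound to
       0.0.0.0:38517, which is what made the commands reachable from other hosts);
    2. the URL uses https, so the download cannot be rewritten in transit;
    3. the host is an exact match in RELEASE_HOSTS, not merely under a vendor domain.
    """
    try:
        if not ipaddress.ip_address(peer_ip).is_loopback:
            return False
    except ValueError:  # malformed peer address: refuse rather than guess
        return False
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in RELEASE_HOSTS
```

Binding the listener to 127.0.0.1 instead of 0.0.0.0 is the simpler way to satisfy the first condition. Host matching still does not prove who signed the APK, so verifying the package signer before install remains a separate control.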

Below is a PoC video:

As of Nov 17, the 360 Mobile Assistant app has already been taken down from the Google Play store.

[Screenshot: the 360 Mobile Assistant listing removed from Google Play]