Authors: Tianfang Guo, Mengmeng Li
Two weeks ago, the Wormhole vulnerability was found in the wild, affecting more than 100M Android users. As you may already know, Wormhole is triggered through a customized HTTP service used for cross-app communication; it allows a remote attacker to bypass the security check and issue a variety of remote commands, such as installing arbitrary APKs.
Less than 2 weeks after the Wormhole vulnerability was fixed by Baidu, another incident happened with the 360 Mobile Assistant application, a popular app on the Android platform. The Trustlook research team found a similar issue inside this app, leading to a nearly identical remote code execution bug, which we call “DimensionDoor”.
The affected package is named “com.qihoo.appstore” in the Chinese market and “com.qihoo.secstore” on Google Play. The two apps have different version numbering but share the same implementation. We used the Chinese version 3.1.55 as the example. When the app is launched, a service called “SimpleWebServer” starts listening on TCP 0.0.0.0:38517. Because it binds to all interfaces rather than to localhost only, the service is reachable over the network by any host that can connect to the device, not just by other apps on the device.
Even though the app’s code has been obfuscated with ProGuard, it is still readable. Three of the functions exposed by the service that we highlight are: open a URL, download and install an APK, and start an activity.
Commands can be issued remotely by sending an HTTP request to http://[client_ip]:38517/[API name]?[param], which triggers the corresponding logic. There is a security check intended to prevent the service from being abused: for example, the remote URL is filtered against a domain whitelist, so only URLs on domains owned by the vendor are accepted.
We dug into the verification logic and found a few ways around it. For example, the 360 app’s cloud storage service uses the domain “yunpan.360.cn”. Anyone can upload an APK file to it and get a download URL under the “360.cn” domain, which passes the whitelist. Another approach is using the vendor’s CDN domain “shouji.360tpcdn.com”. In both cases the check is satisfied because it trusts the domain, while the file served from that domain is attacker-controlled.
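To make the weakness concrete, here is an added Python model of the check described above. It is not the app’s code and not the vendor’s fix: the API name `downloadapk`, the request-dispatch shape, the loopback-only peer check and the content-hash pinning in the hardened variant are all assumptions for illustration. Only the two vendor domains and the observed behaviour (a host whitelist that attacker-uploadable vendor hosts satisfy) come from the post. The sample URLs and APK bytes are constructed.

```python
import hashlib
from urllib.parse import urlparse, parse_qs, urlencode

# Vendor domains the whitelist trusts (from the post).
VENDOR_DOMAINS = ("360.cn", "360tpcdn.com")

# Assumed: only these peers count as local callers in the hardened variant.
LOOPBACK_PEERS = {"127.0.0.1", "::1"}


def host_in_whitelist(url: str) -> bool:
    """Whitelist check modelled on the post's description: the URL's host
    must be a vendor domain or a subdomain of one. Note it says nothing about
    who controls the file at that URL."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def parse_command(request_target: str):
    """Split '/[API name]?[param]' into (api_name, params dict)."""
    parsed = urlparse(request_target)
    api = parsed.path.lstrip("/")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return api, params


def vulnerable_dispatch(request_target: str) -> str:
    """Any network peer may call this; the only gate on the (hypothetical)
    'downloadapk' API is the host whitelist."""
    api, params = parse_command(request_target)
    if api != "downloadapk":
        return "rejected: unknown api"
    url = params.get("url", "")
    if not host_in_whitelist(url):
        return "rejected: host not in whitelist"
    return f"installing APK from {url}"


def hardened_dispatch(request_target: str, peer_ip: str,
                      fetched_bytes: bytes, expected_sha256: str) -> str:
    """Assumed hardening, not the vendor's actual fix:
    1. refuse non-loopback peers, since binding 0.0.0.0 is what made the
       service remotely reachable;
    2. verify the downloaded bytes against a pinned SHA-256 instead of trusting
       the hosting domain, because vendor storage/CDN can serve attacker files.
    In a real design expected_sha256 would come from a vendor-signed manifest;
    here it is passed in directly for the demo."""
    if peer_ip not in LOOPBACK_PEERS:
        return "rejected: non-loopback peer"
    api, params = parse_command(request_target)
    if api != "downloadapk":
        return "rejected: unknown api"
    url = params.get("url", "")
    if not host_in_whitelist(url):
        return "rejected: host not in whitelist"
    if hashlib.sha256(fetched_bytes).hexdigest() != expected_sha256:
        return "rejected: APK hash mismatch"
    return f"installing verified APK from {url}"


def demo() -> dict:
    """Walk through the bypass and the hardened behaviour on constructed data."""
    # Constructed: an attacker-uploaded file on the vendor's cloud storage host.
    attacker_url = "http://yunpan.360.cn/share/attacker-uploaded/evil.apk"
    target = "/downloadapk?" + urlencode({"url": attacker_url})

    good_apk = b"PK\x03\x04 constructed vendor apk bytes"      # constructed
    evil_apk = b"PK\x03\x04 constructed attacker apk bytes"    # constructed
    pin = hashlib.sha256(good_apk).hexdigest()

    return {
        # Whitelist passes: the host is vendor-owned, the content is not.
        "vuln": vulnerable_dispatch(target),
        # Remote peer is cut off before the URL is even looked at.
        "remote": hardened_dispatch(target, "10.0.0.5", evil_apk, pin),
        # Local caller, whitelisted host, but the bytes are not the pinned APK.
        "local_bad_hash": hardened_dispatch(target, "127.0.0.1", evil_apk, pin),
        # Local caller delivering the expected bytes is the only path that installs.
        "local_good": hardened_dispatch(target, "127.0.0.1", good_apk, pin),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The point of the hardened variant is the order of the checks: the peer-address gate closes the remote attack surface regardless of what the URL check does, and the hash pin means that even a local caller cannot turn the vendor’s own storage or CDN into an install vector.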
Below is a PoC video:
As of Nov 17, the 360 Mobile Assistant app has already been taken down from the Google Play store.