"Wormhole" Part 3: Analysis of the 360 Browser "Anywhere Door" Remote Code Execution Vulnerability

"It's not a bug, it's a feature." - as programmers often say

"It's not a vulnerability, it's a backdoor." - as hackers often say

The door at the beach


Trustlook already demoed this new "Wormhole" vulnerability in the 360 Browser in a previous blog post; this time we are publishing some of the details.

The Android version of the 360 Browser needs no introduction: its downloads on the 360, Tencent and Wandoujia app stores add up to more than 460 million. This "Anywhere Door" vulnerability is more powerful than Baidu's "Wormhole" and the 360 Mobile Assistant's "Gate to Another Dimension": the attacker is not limited to a handful of remote-control functions, but can execute arbitrary commands. On a rooted phone, apps can be silently installed and uninstalled remotely without any difficulty. If this were turned into a worm that scanned 3G/4G networks in bulk and spread automatically, the consequences would be unthinkable.

A demo video of the vulnerability:

http://v.qq.com/iframe/player.html?vid=i0174pddb38&tiny=0&auto=0

The affected Android versions of the 360 Browser are 6.9.9.70 beta and below. On November 23 a white-hat researcher posted the vulnerability to WooYun (http://www.wooyun.org/bugs/wooyun-2015-0155003), and within 24 hours Trustlook published a demo (https://blog.trustlook.com/2015/11/24/a-glance-at-the-wormhole-on-360-browser/). 360 released 6.9.9.71 beta, which fixes the vulnerability, on the same day. Given the severity of this vulnerability, we did not publish the exploitation details immediately, to give users more time to patch.

When the 360 Browser is uninstalled, it pops up a "user survey" asking why the user is uninstalling it. This feature is implemented in a .so file called um.3 (short for UninstallManager). The library starts a separate process which, upon receiving the uninstall message, uses the "am start" command to launch the browser and display the "uninstall survey" web page.

[Figure: um.3 is extracted from the assets folder]

[Figure: um.3 runs in its own process]

The inter-process communication mechanism of um.3 is implemented with a custom HTTP server, which, as in every Wormhole vulnerability, is the root of all evil. The server listens on port 6587 of the phone and accepts connections from any address. The functions it supports are very simple: 1. query the version 2. launch the browser.

[Figure: um.3 listens on port 6587 after its first launch]

For example, when the "uninstall survey" is popped up, the command executed is the following:

/data/data/com.qihoo.browser/files/so_libs/um.3 com.qihoo.browser --execute am start -n com.android.browser/.BrowserActivity -a android.intent.action.VIEW -d http://serv.mse.360.cn/whyuninstall?Mid=95767669835b2b90bc459ee68d1ea6a7\&Wid=81e188a23869a898d1343eaa20c11495\&Verc=6.9.9.14\&Mdl=iPhone\&Osver=4.2.1\&Net=WIFI\&Chl=h986596 --user 0

But the programmer made a fatal mistake here, in two parts.

1. The command is executed with the system() function, with no filtering of the command string at all.

2. The URL of the page to open is passed in as part of the command, and this URL is remotely controllable: it comes straight from a GET parameter of the remote request.

As long as the attacker uses a semicolon to terminate the preceding command, every malicious command written after it will be faithfully executed by the 360 Browser...

To understand the logic of this HTTP server, we reverse engineered um.3 into C code with IDA Pro/Hex-Rays and annotated it. There are two key functions, sub_9018 and sub_9078, used respectively for parsing the URL parameters and for implementing the HTTP server logic. Interested readers can click to open the enlarged image.

[Figure: annotated C code of um.3 recovered with IDA Pro/Hex-Rays]

In short, the problematic command looks like this:

am start -n com.qihoo.browser/.BrowserActivity -a android.intent.action.VIEW -d %s -e from %s

The value of the GET parameter "u" is substituted into the first %s, and the GET parameter "t" must be "1".

With just one line, a single request, arbitrary code can be executed remotely on a phone that has the 360 Browser installed:

curl -X http://[target IP]:6587/t=1&u=www.trustlook.com;echo 1>/sdcard/lol.txt;

Run it, and you will find a new lol.txt on the target phone's SD card. More elaborate attack functionality is left to your imagination ;-)

[Figure: the response returned when the command executes successfully]

On a non-rooted phone, the attacker gets the same permissions as the 360 Browser, including sending and reading SMS, reading call logs, accessing browsing history, and monitoring the camera and microphone...

On a rooted phone the sky is the limit for the attacker: silent uninstall and silent install, for example. Even if the user has installed a root-management app such as "SuperSU", the process requesting root privileges shows up as "360 Browser"; users of Qihoo 360's products are presumably used to seeing that, so gaining their trust is easy.

Finally, Trustlook recommends that all users make sure they have upgraded to version 6.9.9.71 or later.

Analysis of the "Anywhere Door" Vulnerability on the 360 Browser


“It’s not a bug. It’s a feature.” – A developer’s quote

“It’s not a vulnerability. It’s a backdoor.” – A hacker’s quote

The door at the beach


We first introduced “Anywhere Door” (in Chinese: “任意门”) in this previous article. “Anywhere Door” is a new Wormhole vulnerability that affects versions of the 360 Browser prior to 6.9.9.70 beta. By sending a certain crafted HTTP request, a remote attacker can execute an arbitrary shell command on the target phone with the privileges of the 360 Browser app. If the phone is rooted, the attacker can do anything on the device as root, such as installing and removing apps.

In this article, we will disclose more details of this vulnerability.

Like all the Wormhole vulnerabilities that have come before it, “Anywhere Door” is triggered through a customized HTTP server, on port 6587. The server is used for cross-process communication and exposes a few APIs, such as popping up a browser window. The purpose of this API is to display an “uninstall survey” when the main app is being removed. The server logic is implemented by a native library (.so file) called um.3 (UninstallManager, we guess?).

[Figure: port 6587 is opened upon the first launch of the 360 browser]

[Figure: the HTTP server in um.3 runs in an independent process]

[Figure: um.3 is copied from the assets folder to the so_libs folder]

When handling the “launch browser” request, we found that um.3 directly executes a shell command to launch the browser process. For example, when popping up the “uninstall survey”, the command goes like this:

/data/data/com.qihoo.browser/files/so_libs/um.3 com.qihoo.browser --execute am start -n com.android.browser/.BrowserActivity -a android.intent.action.VIEW -d http://serv.mse.360.cn/whyuninstall?Mid=95767669835b2b90bc459ee68d1ea6a7\&Wid=81e188a23869a898d1343eaa20c11495\&Verc=6.9.9.14\&Mdl=iPhone\&Osver=4.2.1\&Net=WIFI\&Chl=h986596 --user 0

There is a critical flaw in this design: the URL, which is part of the shell command, is controlled by an HTTP GET parameter, and the entire command is executed via system() without any filtering, which gives a remote command injection vulnerability. A remote attacker can use “;” to close the original “am start” command, append any malicious commands after the “;”, and have those commands executed by the 360 browser on the target phone.

We reverse engineered um.3 using IDA Pro/Hex-Rays. The critical code is mainly in two functions, sub_9018 and sub_9078, which handle the HTTP server logic and GET parameter parsing. The code logic is explained in the comments in the following figure (click for an enlarged image):

[Figure: annotated C code of um.3 recovered with IDA Pro/Hex-Rays]

From the reversed C code, we can see that the raw command to be executed is:

am start -n com.qihoo.browser/.BrowserActivity -a android.intent.action.VIEW -d %s -e from %s

The value of the GET parameter “u” is substituted into the first “%s” (and the “t” value must be set to “1”). To exploit it, all an attacker needs to do is send the following request:

curl -X http://[target IP]:6587/t=1&u=www.trustlook.com;echo 1>/sdcard/lol.txt;

After that, the attacker will find a lol.txt generated in the sdcard folder.
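The two mistakes listed in the Chinese section (the command is built as one string for system(), and the URL is taken verbatim from the GET parameter) and the command-injection description above are easiest to see side by side. The C program below is an added example written for this article; it is not code from um.3, from 360 or from Trustlook. It reconstructs the vulnerable string-building pattern only far enough to show what the shell would receive, then shows the hardened shape: the "t"="1" gate, an allow-list check on "u", and an argument vector handed to execvp() so that no shell ever parses the URL. The function names, the query_get helper, the character allow-list and the "um" value for the "from" tag are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Template the post recovered from um.3: first %s = GET "u", second %s = "from" tag. */
#define LAUNCH_TEMPLATE \
    "am start -n com.qihoo.browser/.BrowserActivity -a android.intent.action.VIEW -d %s -e from %s"

/* VULNERABLE shape (hypothetical reconstruction, not um.3's code): the untrusted
 * URL is pasted into one string meant for system(). Built only for inspection,
 * never executed here. Returns the formatted length. */
int build_vulnerable_command(const char *u, const char *from, char *buf, size_t n) {
    return snprintf(buf, n, LAUNCH_TEMPLATE, u, from);
}

/* 1 if a shell would read some character as separator, redirection, substitution
 * or quote; useful for flagging suspicious "u" values in request logs. */
int contains_shell_metachar(const char *s) {
    return strpbrk(s, ";|&`$(){}<>\n\r'\"\\") != NULL;
}

/* Allow-list for the URL (assumed policy): http(s) scheme, conservative charset, length cap. */
int is_safe_url(const char *u) {
    if (strlen(u) > 2048) return 0;
    if (strncmp(u, "http://", 7) != 0 && strncmp(u, "https://", 8) != 0) return 0;
    for (const char *p = u; *p; p++) {
        if (isalnum((unsigned char)*p)) continue;
        if (strchr("-._~:/?=&%+@", *p)) continue;
        return 0;
    }
    return 1;
}

/* Minimal "k=v&k2=v2" lookup (assumed helper, no percent-decoding, matching the raw
 * request shown in the post). Copies the value of key into out; returns 1 if found. */
static int query_get(const char *query, const char *key, char *out, size_t n) {
    size_t klen = strlen(key);
    for (const char *p = query; p && *p; ) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= n) return 0;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* HARDENED shape: no shell. Each token is its own argv element, so a ";" inside u
 * can never end the "am start" command. Fills a NULL-terminated argv and returns
 * the argument count, or -1 if the URL is rejected. */
int build_safe_argv(const char *u, const char *from, const char *argv[], size_t max) {
    if (!is_safe_url(u)) return -1;
    const char *fixed[] = { "am", "start", "-n", "com.qihoo.browser/.BrowserActivity",
                            "-a", "android.intent.action.VIEW", "-d", u,
                            "-e", "from", from, NULL };
    size_t count = sizeof fixed / sizeof fixed[0];
    if (count > max) return -1;
    memcpy(argv, fixed, sizeof fixed);
    return (int)count - 1;
}

/* The "launch browser" API as the post describes it: "t" must be "1", "u" is the URL.
 * ubuf is caller-owned storage that argv points into. "um" as the from tag is assumed. */
int handle_launch_request(const char *query, char *ubuf, size_t ulen,
                          const char *argv[], size_t max) {
    char t[8];
    if (!query_get(query, "t", t, sizeof t) || strcmp(t, "1") != 0) return -1;
    if (!query_get(query, "u", ubuf, ulen)) return -1;
    return build_safe_argv(ubuf, "um", argv, max);
}

/* Runs an argv from build_safe_argv with fork()+execvp(): /bin/sh is never involved.
 * Returns the child's wait status or -1 (off-device "am" is missing, child exits 127). */
int launch_browser_safe(const char *argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

int main(void) {
    const char *injected = "t=1&u=www.trustlook.com;echo 1>/sdcard/lol.txt;"; /* constructed */
    char cmd[512], ubuf[2048];
    const char *argv[16];
    build_vulnerable_command(injected + 6, "um", cmd, sizeof cmd);
    printf("system() would receive: %s\n", cmd);
    printf("hardened handler on the same request: %d (rejected)\n",
           handle_launch_request(injected, ubuf, sizeof ubuf, argv, 16));
    return 0;
}
```

Running it prints the single string the shell would have parsed as two commands, followed by -1 from the hardened handler for the same request. The essential change is structural rather than a filter: once the URL travels as one argv element, shell metacharacters in it have no meaning, and the allow-list is a second line of defence that also keeps non-http schemes out of the intent.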

By default, the attacker could share the privileges of the 360 browser, such as sending and accessing SMS messages, reading the call logs, accessing browser history, and monitoring the camera and microphone.

If you are targeting a rooted phone, you can do almost anything. For instance, silently replacing the user’s banking app with a phishing app (as shown in the following video). Even if the user has installed a root management tool like SuperSU, the confirmation dialog will appear in the name of the 360 browser, which is likely to be trusted by the user.

http://v.qq.com/iframe/player.html?vid=i0174pddb38&tiny=0&auto=0

Reference:
[1] http://www.wooyun.org/bugs/wooyun-2015-0155003