Trustlook Sentinel Whitepaper Now Available!

Are you interested in learning more about one of the most groundbreaking technologies in mobile security?

Trustlook Sentinel is the first ever 100% behavior-based malware detection engine built into the operating system of a mobile device. It provides real-time zero-day detection of malware. Download the whitepaper here and discover why Sentinel is considered a game changer in security.

Trustlook Releases BadKernel Vulnerability Detector

An Updated Version (Version 3.5.10) of the Trustlook Mobile Security App Identifies the BadKernel Issue Affecting 30 Million Android Users

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel, the widespread vulnerability affecting millions of Android devices.

First discovered in August 2016, BadKernel is a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links. Users of older versions of Chromium-powered mobile browsers, as well as applications with embedded Webview (such as the massively popular WeChat app) may be vulnerable. If infected, a user’s contacts and text messages could be exposed, as well as any payment passwords.

To determine if your device is vulnerable to this threat, open the Trustlook Mobile Security app, navigate to the BadKernel Vulnerability detector on the main screen, and click “Check it Now.” If you are exposed, you can update your browser software.

The BadKernel vulnerability impacts an estimated 30 million Android smartphones and tablets. The flaw involves a bug in the source code of Google’s V8 JavaScript Engine, which is a component of the open-source Chromium. An attacker can exploit this flaw to cause key object information leakage.

Since many phones are not running the most current browser software, this zero-day attack could be used widely. Trustlook encourages users to run a quick scan of their phone and update their browser if they are affected. In addition, Trustlook suggests that users not click on random links or links that appear suspicious. They also stress that users should keep their apps and OS updated, and continually monitor their device for any potential issues.

To check if your Android device is affected by the BadKernel vulnerability, please download the Trustlook Mobile Security app.

"Wormhole" Part 3: Analysis of the 360 Browser "Anywhere Door" Remote Code Execution Vulnerability

"It's not a bug, it's a feature." – as programmers often say

"It's not a vulnerability, it's a backdoor." – as hackers often say

The door at the beach


Trustlook already demonstrated the new "Wormhole" vulnerability in the 360 Browser in a previous blog post; this time we will publish some of the details.

The Android version of the 360 Browser needs no introduction: its downloads on the 360, Tencent and Wandoujia markets add up to more than 460 million. This "Anywhere Door" vulnerability is more powerful than Baidu's "Wormhole" and the 360 Mobile Assistant's "DimensionDoor": the attacker is not limited to a handful of remote control functions, but can execute arbitrary commands. On a rooted phone, apps can be silently installed and uninstalled remotely without any obstacle. If this were turned into a worm that scans 3G/4G networks in bulk and propagates automatically, the consequences would be unthinkable.

The demo video of the vulnerability:

http://v.qq.com/iframe/player.html?vid=i0174pddb38&tiny=0&auto=0

The affected Android 360 Browser versions are 6.9.9.70 beta and below. On November 23, a white hat posted the vulnerability on Wooyun (http://www.wooyun.org/bugs/wooyun-2015-0155003); within 24 hours Trustlook published a demo of the vulnerability (https://blog.trustlook.com/2015/11/24/a-glance-at-the-wormhole-on-360-browser/). On the same day, 360 released 6.9.9.71 beta, which fixes the vulnerability. Given the enormous harm this vulnerability could cause, we did not publish the exploitation details immediately, to give users more time to patch.

When the 360 Browser is uninstalled, it pops up a "user survey" asking the user why they are uninstalling. This function is implemented in a .so file called um.3 (short for UninstallManager). This library starts an independent process; upon receiving the uninstall message, it uses the "am start" command to launch the browser and display the "uninstall survey" web page.

um.3 is extracted from the app's assets

um.3 runs in its own independent process

The inter-process communication mechanism of um.3 is implemented with a custom HTTP server, which, as in every Wormhole vulnerability, is the root of all evil. This server listens on port 6587 of the phone and accepts connections from any address. The functions it supports are very simple: 1. query the version; 2. launch the browser.

um.3 listens on port 6587 after its first launch

For example, when the "uninstall survey" is popped up, the command executed is as follows:

/data/data/com.qihoo.browser/files/so_libs/um.3 com.qihoo.browser --execute am start -n com.android.browser/.BrowserActivity -a android.intent.action.VIEW -d http://serv.mse.360.cn/whyuninstall?Mid=95767669835b2b90bc459ee68d1ea6a7\&Wid=81e188a23869a898d1343eaa20c11495\&Verc=6.9.9.14\&Mdl=iPhone\&Osver=4.2.1\&Net=WIFI\&Chl=h986596 --user 0

But the programmers made a fatal mistake here.

1. The command is executed with the system() function, without any filtering of the command itself.

2. The URL of the page to be displayed is passed in as part of the command, and this URL is remotely controllable: it comes directly from a GET parameter of the remote request.

As soon as an attacker uses a semicolon to terminate the preceding command, every malicious instruction written after it is faithfully executed by the 360 Browser...

To understand the logic of this HTTP server, we decompiled um.3 into C code with IDA Pro/Hex-Rays and added comments. Two functions are key: sub_9018 and sub_9078, which parse the URL parameters and implement the HTTP server logic, respectively. Interested readers can click to open the full-size image.

In short, the problematic command looks like this:

am start -n com.qihoo.browser/.BrowserActivity -a android.intent.action.VIEW -d %s -e from %s

The value of the GET parameter "u" is substituted into the first %s, and the GET parameter "t" must be "1".

With a single line, sending one request, arbitrary code can be executed remotely on a phone with the 360 Browser installed:

curl -X http://[target IP]:6587/t=1&u=www.trustlook.com;echo 1>/sdcard/lol.txt;

Run it, and you will find a new lol.txt on the SD card of the target phone. More complex attack functions are left to your imagination ;-)

On successful command execution you will see this response (screenshot)

On a non-rooted phone, the attacker gets the same permissions as the 360 Browser, including sending and reading SMS messages, reading the call log, accessing browsing history, and monitoring the camera and microphone...

On a rooted phone, the sky is the limit for the attacker: silent uninstallation and silent installation, for example. Even if the user has installed a root management tool such as "SuperSU", the process requesting root privileges is displayed as "360 Browser"; Qihoo 360's users are presumably used to seeing that, so winning their trust is easy.

Finally, Trustlook advises all users to make sure they have upgraded to version 6.9.9.71 or later.

Analysis of the "Anywhere Door" Vulnerability on the 360 Browser


“It’s not a bug. It’s a feature.” – A developer’s quote

“It’s not a vulnerability. It’s a backdoor.” – A hacker’s quote

The door at the beach


We first introduced “Anywhere Door” (in Chinese: “任意门”) in this previous article. “Anywhere Door” is a new Wormhole vulnerability that affects versions of the 360 Browser prior to 6.9.9.70 beta. By sending a certain crafted HTTP request, a remote attacker can execute an arbitrary shell command on the target phone, with the privilege of the 360 Browser app. If the phone is rooted, the attacker can do anything on the root user’s device, such as install and remove apps.

In this article, we will disclose more details of this vulnerability.

Like all the Wormhole vulnerabilities that have come before it, “Anywhere Door” is triggered on a customized HTTP server, on port 6587. The server is used for cross-process communication and exposes a few APIs, such as popping up a browser window. The purpose of this API is to display an “uninstall survey” when the main app is being removed. The server logic is implemented by a native library (.so file) called um.3 (UninstallManager, we guess?).

Port 6587 will be opened upon the first launch of the 360 browser

The HTTP server in um.3 is running in an independent process

The um.3 will be copied from the assets folder to the so_libs folder

When handling the “launch browser” request, we found that um.3 directly executes a shell command to launch the browser process. For example, when popping up the “uninstall survey”, the command goes like this:

/data/data/com.qihoo.browser/files/so_libs/um.3 com.qihoo.browser --execute am start -n com.android.browser/.BrowserActivity -a android.intent.action.VIEW -d http://serv.mse.360.cn/whyuninstall?Mid=95767669835b2b90bc459ee68d1ea6a7\&Wid=81e188a23869a898d1343eaa20c11495\&Verc=6.9.9.14\&Mdl=iPhone\&Osver=4.2.1\&Net=WIFI\&Chl=h986596 --user 0

There is a critical vulnerability in this design: the URL, which is part of the shell command, is controllable through an HTTP GET parameter, and the entire command is executed via system() without any filtering, resulting in a remote command injection vulnerability. A remote attacker could use “;” to close the original “am start” command, append any malicious commands after the “;”, and have those commands executed by the 360 browser on the target phone.

We reverse engineered um.3 using IDA Pro/Hex-Rays. The critical code is mainly in two functions, sub_9018 and sub_9078, which are used for handling the HTTP server logic and GET parameter parsing. The code logic is explained in the comments in the following figure (click for enlarged image):


From the reversed C code, we can see that the raw command to be executed is:

am start -n com.qihoo.browser/.BrowserActivity -a android.intent.action.VIEW -d %s -e from %s

And the value of GET parameter “u” will be filled in the first “%s” (while the “t” value must be set to “1”). To exploit it, all an attacker needs to do is simply send the following request:

curl -X http://[target IP]:6587/t=1&u=www.trustlook.com;echo 1>/sdcard/lol.txt;

After that, the attacker will find a lol.txt generated in the sdcard folder.
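The root cause, in both this section and the Chinese write-up above, is that an attacker-controlled URL is formatted into a string handed to system(). The following hypothetical C replacement for the launcher is an added example, not the vendor's code and not the decompiled um.3 logic: it validates the URL and passes it as one execvp() argument, so no shell ever parses it. The function names and the validation rules are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only absolute http(s) URLs built from a conservative character set.
 * Shell metacharacters such as ';', '>', '|' and whitespace are rejected
 * outright, so an injected "...;echo 1>/sdcard/lol.txt;" never passes. */
bool url_is_allowed(const char *url)
{
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        "0123456789-._~:/?#@&+=%";
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return false;
    if (strlen(url) > 2048)
        return false;
    return strspn(url, allowed) == strlen(url);
}

/* Build the argv vector for "am start ... -d <url> -e from <from>".
 * The URL becomes a single argv entry instead of text spliced into a
 * command line. Returns argc, or 0 if validation fails or argv is too small. */
int build_am_argv(const char *url, const char *from, const char **argv, size_t n)
{
    static const char *fixed[] = {"am", "start", "-n",
        "com.qihoo.browser/.BrowserActivity", "-a",
        "android.intent.action.VIEW", "-d"};
    size_t k = sizeof fixed / sizeof fixed[0];
    if (!url_is_allowed(url) || n < k + 5)
        return 0;
    for (size_t i = 0; i < k; i++)
        argv[i] = fixed[i];
    argv[k] = url; argv[k + 1] = "-e"; argv[k + 2] = "from";
    argv[k + 3] = from; argv[k + 4] = NULL;
    return (int)(k + 4);
}

/* fork/execvp instead of system(): there is no /bin/sh in the path, so the
 * only thing the URL can influence is the single argument it occupies. */
int launch_browser(const char *url, const char *from)
{
    const char *argv[16];
    if (build_am_argv(url, from, argv, 16) == 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Note that the validation alone would not be a sufficient fix: execvp() is what removes the shell, and the allow-list only narrows what reaches the VIEW intent.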

By default, the attacker could share the privileges of the 360 browser, such as sending and accessing SMS messages, reading the call logs, accessing browser history, and monitoring the camera and microphone.

If you are targeting a rooted phone, you can do almost anything. For instance, silently replacing the user’s banking app with a phishing app (as shown in the following video). Even if the user has installed a root management tool like SuperSU, the confirmation dialog will appear in the name of the 360 browser, which is likely to be trusted by the user.

http://v.qq.com/iframe/player.html?vid=i0174pddb38&tiny=0&auto=0

Reference:
[1] http://www.wooyun.org/bugs/wooyun-2015-0155003

A Glance at the "Anywhere Door", Another Wormhole on the 360 Browser


The 360 browser is a popular browser on both the PC and mobile platforms in the Chinese market. It is known for its security, and has a total download number of more than 460 million on the 360 market, Tencent market and Wandoujia.com combined.

24 hours ago, a new vulnerability of the 360 browser was posted on Wooyun.org [1] (a popular vulnerability disclosure platform in China). After careful analysis of the 360 safe browser (com.qihoo.expressbrowser), another critical vulnerability “Anywhere Door” was found.

Like the “Wormhole” and “DimensionDoor”, the Anywhere Door is triggered on a customized HTTP service. We noticed that the HTTP service will not be shut down even after the app is patched. To stop this service, users need to manually disable it in the system settings, or reboot the phone.

Qihoo pushed the update 6.9.9.71 beta on Nov 23 to address this bug. According to our tests, the previous versions before Nov 23, such as 6.9.9.70 beta, are vulnerable. If you are using the 360 browser, and haven’t updated it after Nov 23, please make sure to update it to 6.9.9.71 beta or newer, then restart your phone.

What can this vulnerability do?

This vulnerability could lead to remote code execution on any Android phone with the 360 browser installed. Keywords: Remote, Silent, Flexible.

For rooted phones: the attacker can do pretty much everything, such as install APKs from the Internet in the background, access emails & SMS, and monitor the camera and microphone. It is more flexible than the “DimensionDoor”. If the user has installed a root management tool such as SuperSU, the confirmation dialog will pop up in the name of the 360 browser, which is likely to be trusted by users.


For unrooted phones: the attacker could share the permissions of the 360 browser, such as sending and accessing SMS, reading the call logs, accessing browser history, and monitoring the camera and microphone.


As of today, Nov 23, most of the users have not upgraded their 360 browser to the latest version. The detailed analysis and exploitation code will be released in a later blog, after users have had a chance to protect themselves.

We made a PoC video for this vulnerability. In this demo, we triggered it remotely on a rooted phone, and replaced the genuine banking app with an arbitrary app.

http://v.qq.com/iframe/player.html?vid=i0174pddb38&tiny=0&auto=0

This blog will be updated soon with more details and exploitation simulations. Stay tuned!

Reference:
[1] http://www.wooyun.org/bugs/wooyun-2015-0155003

Yet another Wormhole Vulnerability – Meet the "DimensionDoor"


Authors: Tianfang Guo, Mengmeng Li

Two weeks ago, the Wormhole vulnerability was in the wild, and affected more than 100M Android users. As you may already know, the Wormhole is triggered on a customized HTTP service used for cross-app communication, allowing a remote attacker to bypass the security check and issue a variety of remote commands such as installing arbitrary APKs.

Less than 2 weeks after the Wormhole vulnerability was fixed by Baidu, another incident happened with the 360 Mobile Assistant application, which is a popular app on the Android platform. The Trustlook research team found a similar issue inside this app, which causes a nearly identical remote code execution bug, called the “DimensionDoor”.


The affected package is named “com.qihoo.appstore” in the Chinese market and “com.qihoo.secstore” on Google Play. The apps have different version numbering, but use the same implementation. We used the Chinese version 3.1.55 as the example. When the app is launched, a service called “SimpleWebServer” starts listening on TCP 0.0.0.0:38517, accepting remote connections.


Even though the app’s code is protected by ProGuard, it is still readable. Three of the functionalities from the code that we highlight are open URL, download/install APK and start activity.


The commands could be issued remotely by sending an HTTP request to http://[client_ip]:38517/[API name]?[param], which will trigger any corresponding logic. However, there is a security check to prevent the service from being abused. For example, the remote URL will be filtered against a domain white list (only the domains owned by the vendor are allowed to access):


We dug into the verification logic and found a few detours. For example, the 360 app’s cloud storage service uses the domain “yunpan.360.cn”. Anyone can upload APK files to it, and get a downloadable URL with the “360.cn” domain. Another approach is using the vendor’s CDN domain “shouji.360tpcdn.com”.

Below is a PoC video:


As of Nov 17, the 360 Mobile Assistant app has already been taken down from the Google Play store.


The WormHole Vulnerability: The Number of Affected Apps is Increasing

The “WormHole” is a critical vulnerability on Moplus SDK on Android, which is used by major Baidu products, as well as some other apps.

In summary, this vulnerability is caused by “ImmortalService” – a customized HTTP service used for cross-app communication. Because “ImmortalService” uses an incorrect approach to filter requests from outside the phone, a remote attacker could use certain crafted HTTP requests to execute some pre-set functionalities of this SDK, such as to install an app from the Internet (needs root support), launch arbitrary intents, or manipulate phone contacts.

The details of this vulnerability can be found here.

It is entirely possible for an attacker to develop a worm which spreads itself using the WormHole vulnerability. To make matters worse, if the worm spreads through popular apps, then according to Wooyun.org more than 100M users could be affected.

The Trustlook research team has searched our app database, and found the total number might be more than that. Here is the updated list of affected apps:

cn.jingling.motu.photowonder 50,000,000+
tv.pps.mobile 10,000,000+
com.baidu.baiducamera 5,000,000+
mobisocial.omlet 5,000,000+
xcxin.filexpert 5,000,000+
com.smart.softclient.music.baseline 1,000,000+
org.cocos2dx.FishGame 1,000,000+
com.smile.gifmaker 1,000,000+
com.qiyi.video.market 1,000,000+
com.baidu.input 1,000,000+
com.baidu.searchbox 1,000,000+
com.app.hero.ui 1,000,000+
com.nd.android.launcher91 1,000,000+
com.letv.android.client 1,000,000+
com.ubercab.driver 1,000,000+

Please note that the above list is a conservative estimate of the number of affected apps. The data only includes apps on Google Play, whose install counts are a lower bound. Apps that were distributed via other channels are not counted.

This blog will be updated by Nov 4 with more info about the WormHole vulnerability.