The VerSprite Research & Development Team discovered that the Baidu Browser for Android insecurely handles the Intent URL scheme, allowing an attacker to read arbitrary local files. This vulnerability was found during VerSprite's effort to explore systemic vulnerability patterns in Android browsers offered on the Google Play Store. Exploitation requires only minimal user interaction and targets specific Baidu Browser components. The vulnerability was discovered in version 184.108.40.206.
January 25, 2015 – Vulnerability is discovered
January 26, 2015 – Vulnerability is reported to Baidu's Security Team
January 28, 2015 – Baidu confirms the fix will be in the 220.127.116.11 release
January 30, 2015 – 18.104.22.168
VerSprite began its investigation into the Baidu Browser by first verifying whether it implemented the Intent URL scheme. This was done by creating a test application with a deliberately vulnerable Activity that consumes an Intent passed to it: the Activity reads a URL string from the Intent's extras and passes it straight to the loadUrl() method of a WebView it creates. VerSprite then created a simple HTML page that attacks this Activity by sending it an Intent through an Intent URL embedded in the page.
Once the HTML page was loaded in the Baidu Browser, the test Activity launched and loaded Google in its WebView, which verified relatively quickly that the Intent URL scheme was implemented. Attacking third-party applications this way is pretty dope, but we wanted to go after the Baidu Browser itself. Through inspecting the manifest and running dex2jar on the APK, we quickly discovered an interesting Activity: com.baidu.htmlNotification.WebContentActivity
Because the browser's Intent URL implementation does not apply any filtering to prevent Intent-based attacks, a web page can use it to create Intent objects and deliver them to Activities that are private to the browser application, since the Intent is sent by the browser's own process.
Within the Activity's onCreate() method you can see the URL being read from the extras Bundle.
It is then passed, unchecked, to the loadUrl() method of the WebView the Activity creates.
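The following is an added example, not Baidu's or VerSprite's code, showing the two defensive layers that close the pattern described above: a browser that supports intent: URLs must strip any explicit component and require the BROWSABLE category before starting the Intent, and the receiving Activity must validate the URL before handing it to loadUrl(). The class name and the extra key "url" are assumptions.

```java
// Added example (not from the advisory). Hardened counterpart of the
// Activity pattern described above; extra key "url" is an assumption.
package com.example.hardened;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.net.URISyntaxException;
import java.util.Locale;

public class SafeWebContentActivity extends Activity {
    static final String EXTRA_URL = "url";   // assumed extra key

    /** Layer 1: what a browser should do with an intent: URL before startActivity(). */
    static Intent sanitizeIntentUrl(String intentUrl) throws URISyntaxException {
        Intent intent = Intent.parseUri(intentUrl, Intent.URI_INTENT_SCHEME);
        intent.addCategory(Intent.CATEGORY_BROWSABLE); // only web-exposed Activities resolve
        intent.setComponent(null);                    // drop explicit component= targeting
        intent.setSelector(null);                     // a selector could re-introduce one
        return intent;
    }

    /** Layer 2: accept only absolute http(s) URLs with a host; rejects file:// and friends. */
    static boolean isSafeWebUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url.trim());
        String scheme = uri.getScheme();
        if (scheme == null) return false;            // relative or schemeless input
        scheme = scheme.toLowerCase(Locale.ROOT);
        return (scheme.equals("http") || scheme.equals("https"))
                && uri.getHost() != null && !uri.getHost().isEmpty();
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        // Defence in depth: even if a bad URL slipped through, the WebView
        // must not be able to read the app's private files.
        webView.getSettings().setAllowFileAccess(false);
        webView.getSettings().setAllowContentAccess(false);
        String url = getIntent().getStringExtra(EXTRA_URL);
        if (!isSafeWebUrl(url)) { finish(); return; } // reject instead of loading
        setContentView(webView);
        webView.loadUrl(url);
    }
}
```

With the component stripped, an intent: URL can only resolve to Activities that declare the BROWSABLE category in their manifest, so a browser-private Activity such as the one above is no longer reachable from page content.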
To exploit this, a simple HTML page was created that generates an Intent object and passes it directly to the vulnerable Activity. We also included the Intent extra, which the Activity passes as the argument to the WebView's loadUrl() call.
This demonstrates the ability to load and read files from the Baidu Browser's data directory. The page navigates to the Intent URL:
location.href="intent:#Intent;
First we loaded the HTML page in the Baidu Browser and set up logcat to grep for anything associated with the Baidu Browser.
Below you can see the ActivityManager starting the targeted Activity based on the Intent object we crafted through the page, followed by the loading of the file from the data directory.
The Baidu Team communicated that a fix would be released in version 22.214.171.124, which is now available on the Google Play Store. VerSprite recommends that anyone using the Baidu Browser for Android update immediately. VerSprite is still working to verify the fix and will update this post accordingly.