Title:

Remote Code Execution cheetahmobile App

Report ID

SIK-2016-007

Summary:

• Vendor: cheetahmobile
• Product: CM Security (https://play.google.com/store/apps/details?id=com.cleanmaster.security)
• Affected Version: 2.7.3 and 2.8.5
• Severity: medium
• Short summary:

The application is vulnerable to a man-in-the-middle (mitm) attack, which can result to a RCE.

Details:

The virus definition update process of the application is done via an unprotected http connection. A man in-the-middle attacker controlling a WI-FI access point can modify the request/responses of the communication or redirect the traffic to another server (faking an update server) providing manipulated files. Attack process:

1. In the first step the application loads the version_data.ini file which contains the update version information and the path of the info_data.ini file (containing further file information). The info_data.ini file is stored in a .zip file named with the md5 value of the .zip file (e.g. c843c25d0ef76eb3bd5122db547f1656.ini.zip).

   All files and information stored in the config files mentioned in 1 can be spoofed by an attacker.

2. The info_data.ini file contains further paths and files which will be downloaded during the update process. These files are for instance data base files containing firewall rules, virus signatures, exploit pattern or .so (native executable) files. The info_data.ini file has no integrity protection, thus an attacker also can change and manipulate the content of this file.

The missing integrity protection can be abused by attackers replacing the .db files through empty or manipulated files. The security app won’t detect malicious apps any more. The biggest danger in the mitm attack scenario is the loading of native binaries. An attacker can replace (inject) a manipulated binary file. In the version 2.7.3 and previous versions we could observe the following download:

http://dl.sj.ijinshan.com/duba/updateintl/data/2015.11.26.2058/armeabi/libavlm.so.zip

Adapting the md5 and size values in the info_date.ini file triggers the download of a manipulated binary from a fake update host.

An attacker can replace the binary (libavlm.so), which is downloaded with the update process, by another binary file. This file will be executed by the application.

In the last tested version (2.8.5) we were not able to download the binary.

The traffic redirection or traffic payload manipulation is possible because the connection has no integrity protection and the client (application) is not authenticating the server.

Workaround

Avoid public or unknown Wi-Fi hotspots (access points) or use them only through a trusted VPN connection.

Suggested Mitigation

Proposals of a vendor fix can be done by different approaches: (1) transfer file(s) with a protected SSL (HTTPS) connection and/or (2) establish a correct signature process of the configuration files and the downloaded files to prevent modification of the files.

Timeline

• 2015-12-15 Vulnerability Discovered
• 2015-12-21 Vulnerability Reported (1. Try, no reaction)
• 2016-01-18 Vulnerability Reported (2. Try)
• 2016-01-27 Vulnerability Fixed