<--

Xiaomi MIUI Analytics Remote Code Execution

Aleph Research Advisory

Identifier

Severity

Critical

Product

Xiaomi mobile phones

Vulnerable Versions

  1. Xiaomi MIUI 6.1.8.
  2. Unconfirmed for versions below 6.1.8

Technical Details

An attacker can execute code on a target device via MiTM attack. This attack also involved code-injection inside of the update framework.

The vulnerability resides in the analytics package (com.xiaomi.analytics) which is present in various applications that come with MIUI. As a result, all applications with the analytics package are vulnerable to remote code execution via MiTM.

At least 4 vulnerable applications have been identified in the MIUI developer Rom version 6.1.8 (including the built-in browser app). These had differing sets of privileges and capabilities. A RCE vulnerability in any of these applications allows attacker-supplied code to run with the privileges of its host app. If a vulnerable application was found to be running as the system user – a good portion of Android’s userspace would be compromised. Such an app has been identified– com.cleanmaster.miui – running as the system user, as being vulnerable to code-injection.

The com.xiaomi.analytics package polls a RESTful web service (http://sdkconfig.ad.xiaomi.com/api/checkupdate/lastusefulversion) periodically to determine whether there is an update available. The server responds with the following short JSON response:

{
  "force": 0,
  "md5": "3238b0f5af9931fc73a43eb02a2ee528",
  "url": "http://update.address/update.apk",
  "v": "1.8.0"
}

The response is parsed to determine whether the current version is less than the version advertised in the update response and, if so, the APK referred to by the url key is downloaded and extracted to the filesystem within the local application sandbox context. This code is then loaded by the host application and executed. The update transaction is performed over an insecure transport link (HTTP). As such, a MiTM attack would allow a malicious user to inject a JSON response to force an update by replacing the url and md5 hash with those of a malicious APK (Android application package) containing arbitrary code. As there is no cryptographic verification of the update code itself, com.xiaomi.analytics will replace itself with the attacker-supplied version via Android’s DexClassLoader mechanism. vulnerability that allowed an attacker to execute code on a target device via MiTM attack.

Timeline

Credit

External References