Vulnerabilities in the BlueStacks Android emulator were fixed at the end of May that allowed attackers to perform remote code execution, information disclosure, and to steal backups of the VM and its data.

BlueStacks is unquestionably one of the most popular Android emulators, a fact borne out by its community of more than 400 million users.

In BlueStacks versions earlier than v4., a DNS rebinding vulnerability existed that allowed attackers to gain access to the emulator's IPC functions. These functions could then be used for a variety of different attacks ranging from remote code execution to information disclosure.

This vulnerability was discovered and reported by security researcher Nick Cano in April and was fixed in BlueStacks 4., which was released on May 27th, 2019 along with an advisory.

"An attacker can use DNS Rebinding to gain access to the BlueStacks App Player IPC mechanism via a malicious web page," stated BlueStacks' advisory. "From there, various exposed IPC functions can be abused."

According to Cano, BlueStacks is not backporting this fix to versions 2 or 3, so users are strongly advised to upgrade to the latest version 4 as soon as possible.

In conversation with BleepingComputer, Cano explained that creating a PoC for this vulnerability was trivial and only took him about 5 minutes with the use of DNS Rebinding.

Browsers protect users from scripts trying to communicate with other domains or hostnames, in order to prevent cookies from being stolen or other malicious activity, through a security measure called the Same Origin Policy (SOP). SOP makes sure a site can only send requests to its own origin, which in most cases is the domain you visited in the browser.

As SOP focuses on the domain name rather than the IP address, what if there was a way to make the browser think that a script was still communicating with the original address, when it is instead now communicating with an IP address on the local network? This is where a DNS Rebinding attack comes in.

With this type of attack, a user is lured to a malicious site through phishing, social engineering, XSS, etc. The domain for this site is hosted on an attacker-controlled DNS server and has a really low TTL of 0 or 1 second. That means the browser should, in theory, query the DNS server for the domain's IP address every second.

This web page will then run some JavaScript that continuously connects to the following URL, which it is allowed to do because it is on the same origin (domain):

While that page request on the attacker's server doesn't do anything, what happens when the attacker changes the IP address for the domain to 127.0.0.1? The very same request will now be sent to the local host instead.

As the origin remains the same and only the IP address has changed, the script bypasses the Same Origin Policy and can reach the local host or machines on the internal network.

Now if there was a service running on port 80 of the localhost, that URL would be requested, and if that command actually mapped to an IPC function that deletes the folder referenced by the f= variable, that folder would then be deleted.

This was a totally fictitious example, but it does illustrate how DNS Rebinding can be used by remote attackers to access servers running locally on your machine or even on your internal network.

The BlueStacks DNS Rebinding vulnerability

BlueStacks was vulnerable to a DNS Rebinding attack because it exposed an IPC interface on 127.0.0.1 without any authentication. This allowed Cano to use DNS Rebinding to send remote commands to the IPC server of the BlueStacks emulator.

This included using the backup IPC command to create a backup of the BlueStacks VM and all the data that was contained in it. This data could include user names and passwords, pictures, and anything else that was stored in the VM.

The researcher also told BleepingComputer that you can perform an RCE exploit using IPC commands to install an APK, even a malicious one, or by restoring a malicious snapshot to the BlueStacks virtual machine. This snapshot could then be used to execute commands in BlueStacks.

Finally, Cano said you can use IPC commands to copy and replace any data in the clipboard, or to take a screenshot of the VM or of any Windows host apps layered on top of it.

"You can also steal partial screenshots. There's a command to take a screenshot, but it will take the screenshot of any windows layered above the VM. So if the VM is in the background, you can screenshot whatever is above it."

This vulnerability was fixed by BlueStacks creating an IPC authorization key and storing it in the Registry. Any IPC requests that are made must contain this authorization key or they will be discarded.

Due to the severity of this vulnerability, if you use BlueStacks, it is in your best interests to upgrade to the latest version.
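The following Python is an added example written for this page; it is not BlueStacks' code and not from the article or the researcher. It models both halves of the story above: the rebinding sequence, in which the browser keeps issuing same-origin requests to the attacker's domain while that name's A record flips to 127.0.0.1, and the fix, a per-install IPC authorization key that every request must carry or be discarded. The command names, the FakeVM state, the resolver behaviour, the X-BlueStacks-Auth header name and the extra Host-header check are all assumptions made for illustration; the page only says that a key is stored in the Registry and checked on every request.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

LOOPBACK = "127.0.0.1"
AUTH_HEADER = "X-BlueStacks-Auth"  # hypothetical header name; the real one is not on the page


@dataclass
class Request:
    """The parts of an HTTP request a local IPC server gets to see."""
    path: str
    headers: dict = field(default_factory=dict)
    dst_ip: str = LOOPBACK  # the address the browser actually connected to


@dataclass
class RebindingResolver:
    """Attacker-controlled DNS for one name (constructed): TTL 1 second, the first
    answer is the attacker's public IP, every later answer is 127.0.0.1."""
    public_ip: str
    lookups: int = 0

    def resolve(self, name):
        self.lookups += 1
        ttl = 1
        return (self.public_ip if self.lookups == 1 else LOOPBACK), ttl


def browser_fetch(origin, resolver, path):
    """Models a same-origin fetch from the page at http://<origin>/. SOP compares
    scheme, host and port only, so the request is allowed whatever IP the name
    resolves to; the Host header still names the attacker's origin."""
    ip, _ttl = resolver.resolve(origin)
    return Request(path=path, headers={"Host": origin}, dst_ip=ip)


@dataclass
class FakeVM:
    """Stand-in for emulator state reachable through IPC (constructed)."""
    files: dict = field(default_factory=dict)
    clipboard: str = ""


def cmd_backup(vm, args):
    # A backup hands back everything stored in the VM, which is the exposure the
    # article describes (credentials, pictures, anything else in the VM).
    return {"file": args.get("f", [""])[0], "contents": dict(vm.files)}


def cmd_set_clipboard(vm, args):
    vm.clipboard = args.get("text", [""])[0]
    return {"clipboard": vm.clipboard}


COMMANDS = {"backup": cmd_backup, "set_clipboard": cmd_set_clipboard}


def parse_command(path):
    parts = urlsplit(path)
    return parts.path.lstrip("/"), parse_qs(parts.query)


def dispatch_vulnerable(vm, req):
    """Pre-fix behaviour as described: anything that reaches 127.0.0.1 is executed."""
    cmd, args = parse_command(req.path)
    return COMMANDS[cmd](vm, args)


def dispatch_hardened(vm, req, key):
    """Post-fix behaviour: a request without the authorization key is discarded.
    The Host check is an extra layer (assumption): a rebound request carries the
    attacker's origin in Host, so it can be dropped before the key is even read."""
    host = req.headers.get("Host", "").split(":")[0]
    if host not in (LOOPBACK, "localhost"):
        return {"error": "discarded: Host is not loopback (DNS rebinding?)"}
    supplied = req.headers.get(AUTH_HEADER, "")
    if not hmac.compare_digest(supplied, key):  # constant-time compare
        return {"error": "discarded: missing or invalid IPC authorization key"}
    cmd, args = parse_command(req.path)
    if cmd not in COMMANDS:
        return {"error": "unknown command"}
    return COMMANDS[cmd](vm, args)


def run_demo():
    vm = FakeVM(files={"/data/passwords.txt": "hunter2", "/sdcard/photo.jpg": "..."})
    key = secrets.token_hex(16)  # stands in for the key stored in the Registry
    resolver = RebindingResolver("203.0.113.10")  # TEST-NET address for the attacker's server
    origin = "attacker.example"

    first = browser_fetch(origin, resolver, "/poll")  # lands on the attacker's own host
    rebound = browser_fetch(origin, resolver, "/backup?f=loot.zip")  # TTL expired: now 127.0.0.1
    stolen = dispatch_vulnerable(vm, rebound) if rebound.dst_ip == LOOPBACK else None
    blocked = dispatch_hardened(vm, rebound, key)
    legit = Request("/backup?f=ok.zip", {"Host": LOOPBACK, AUTH_HEADER: key})
    allowed = dispatch_hardened(vm, legit, key)
    return first.dst_ip, stolen, blocked, allowed


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Running it shows the unauthenticated dispatcher returning the VM's file contents to a request that the browser believed was same-origin, while the hardened dispatcher discards that same request and only serves the local caller that presents the key. Note that the Host check alone would not be enough if an attacker could reach the port from a process on the host; the key is what ties a request to the installed instance.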