Multiple flaws in the BlueStacks Android emulator were addressed, including a vulnerability that allowed attackers to remotely control code execution.

Other issues included information disclosure and a flaw that allowed attackers to steal backups of the VM and its data.

In April, the researcher Nick Cano discovered that BlueStacks versions prior than v4.90.0.1046 are affected by a DNS rebinding vulnerability that allowed attackers to gain access to the emulator’s IPC functions. These functions could be used by attackers to carry out a variety of different attacks, from remote code execution to information disclosure.

BlueStacks addressed the flaw with the release 4.90.0.1046 available since May 27th, 2019.

“An attacker can use DNS Rebinding to gain access to the BlueStacks App Player IPC mechanism via a malicious web page,” reads the security advisory published by BlueStacks. “From there, various exposed IPC functions can be abused.”

In the case of BlueStacks, it was vulnerabile to the DNS Rebinding attack because it exposed an IPC interface on 127.0.0.1 without any authentication.

The fix is not available for versions 2 or 3, for this reason, users urge to upgrade to the latest version.

Cano created a PoC for this vulnerability leveraging the DNS Rebinding in order to bypass the security measure Same Origin Policy (SOP). SOP was implemented to prevent one website to steal data from another, the expert pointed out that it focuses on the domain name, rather than the IP address. Then the researcher worked trick the browser into thinking that a script was still communicating with the original evil.com address, but is instead now connecting to an IP address on the local network.

A DNS rebinding attack allows any website to create a DNS name that they are authorized to communicate with, and then make it resolve to localhost.

This attack technique could be exploited to target a vulnerable machine and exploit vulnerabilities in applications running on the localhost interface or exposing local services.

The attacker only needs to trick victims into visiting a malicious page or view a malicious ad to launch the attack.

Cano explained that an attacker could trick the victim into visiting the evil.com website, the associated domain is hosted on an attacker-controlled DNS server and has a really low TTL of 0 or 1 second.

The web page on evil.com will run some JavaScript that connects to the following URL:

http://evil.com/ipc/delete_folder?f=data

Changes the IP address for evil.com to 127.0.0.1, the above command will be executed on the local host as:

http://127.0.0.1/ipc/delete_folder?f=data.

With this trick, the script bypasses the Same Origin Policy and access the local host or machines in the internal network.

The above URL, if the command is actually mapped to an IPC function, would allow deleting the folder passed via the f= variable.

Cano exploited the DNS Rebinding issue to execute remote commands to the IPC server of the BlueStacks emulator, including the backup IPC command. This command allows creating a backup of the BlueStacks VM and all the data that was contained in it, such as credentials, pictures, documents.

Cano can also execute an RCE exploit using IPC commands to install a malicious APK or by restoring a malicious snapshot to the BlueStacks VM that could allow attackers to execute commands in BlueStacks.

An IPC command could be used to copy and replace any data in the clipboard or take a screen shot of the VM.

BlueStacks addressed the issue by implementing an IPC authorization process using a key stored in the Registry. Every request is served only if it contains this authorization key

Don’t waste time, upgrade your install to the latest version.

Pierluigi Paganini