What the heck is TCP port 18800

Reverse engineering a hidden API in the Amazon Music client

codecolorist
Dec 17, 2018 · 5 min read

There will be a suspicious open TCP port 18800 if you have the Amazon Music client installed:

Windows? The same.


People have been complaining since 2014: https://chriscarey.com/blog/2014/10/08/how-to-stop-amazon-music-helper-from-running-in-the-background-osx/


So what exactly does it do?


From a quick inspection we know that the port belongs to /Applications/Amazon Music.app/Contents/MacOS/Amazon Music Helper

Now set a breakpoint on accept and connect with nc 127.1 18800 to see what happens:

Huh, it’s an HTTP server? But curl fails.

Sometimes this happens when the server requires TLS and you've just sent the request in plain text. So let's try a different payload:

Now it works.


Thanks to the unstripped symbols, a quick analysis shows a lot of shared code between the Windows and Mac clients, but MSVC moves all symbols into the PDB, so the Windows build is much harder to read.

So Morpho is the codename.


There are three request handlers:

  • Morpho::CrossDomainHandler (^/crossdomain[.]xml$)
  • Morpho::LaunchHandler (^/morpho)
  • Morpho::SystemHandler (^/.+)

Each handler has a requireOrigin method that decides whether incoming requests get an additional origin check:


The check itself is implemented in sym.Morpho::HttpDispatcher::getOriginMatchString_HttpRequest


Too many code screenshots? No worries, the simplified pseudocode looks like this:

Since it also accepts the custom HTTP header x-amzn-origin as the request's origin, any third-party website can satisfy the requirement simply by setting that header. Besides, this so-called RESTful server listens on all interfaces (0.0.0.0). Shodan and ZoomEye fans, aren't you excited?
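The following is an added example, not the author's pseudocode and not Amazon's code: a Python model of the origin check as the text describes it, with a forged x-amzn-origin passing the weak check, beside a version that trusts only the browser-set Origin header. The allowlist pattern and the precedence between the two headers are assumptions; the page shows neither. Two caveats a practitioner should keep in mind: a browser only sends a custom header cross-origin when the server's CORS preflight response allows it (the page does not show how OPTIONS is handled), while any non-browser client on the LAN can set it freely, which matters once the service listens on 0.0.0.0; and even the hardened check only stops cross-site requests made by browsers, because a non-browser client can forge Origin too, so a service exposed like this needs a per-install secret rather than an origin check alone.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of trusted origins; the real pattern is not shown on the page.
TRUSTED_ORIGIN = re.compile(r"^https?://([a-z0-9-]+\.)*amazon\.(com|co\.uk|de)$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def get_origin_match_string(req):
    """Model of Morpho::HttpDispatcher::getOriginMatchString as the page
    describes it: the custom x-amzn-origin header is honoured as the request's
    origin. Whether it takes precedence over Origin is an assumption here;
    either order is bypassable."""
    return req.header("x-amzn-origin") or req.header("Origin") or ""


def require_origin_weak(req):
    """The check as described on the page: any client that can set
    x-amzn-origin can claim to be an Amazon page."""
    return TRUSTED_ORIGIN.match(get_origin_match_string(req)) is not None


def require_origin_hardened(req):
    """Trust only the Origin header. A browser sets it itself and never lets
    page script override it, so a cross-site page at evil.example cannot pass.
    Non-browser clients can still forge it, so this stops CSRF-style attacks
    from browsers but is not authentication for a LAN-exposed service."""
    origin = req.header("Origin")
    return origin is not None and TRUSTED_ORIGIN.match(origin) is not None


if __name__ == "__main__":
    # Constructed request, as a cross-site page at evil.example would send it.
    forged = HttpRequest("GET", "/sysinfo", {
        "Origin": "https://evil.example",
        "x-amzn-origin": "https://music.amazon.com",
    })
    print("weak check passes forged request:", require_origin_weak(forged))
    print("hardened check passes forged request:", require_origin_hardened(forged))
```

The forged request carries the browser's genuine Origin (evil.example) next to the attacker-chosen x-amzn-origin; the weak check lets it through, the hardened one does not.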

Go back to the handlers.

Morpho::SystemHandler

It accepts an arbitrary pathname but ignores the parameters entirely. It responds with basic system information like the following:

Morpho::LaunchHandler

This one looks evil. It checks whether the pathname matches the regex at symbol sym._anonymousnamespace_::kLaunchRegEx, which is initialized to ^/((purchase|download|play|cplaunch).*)$


If so, it launches the Amazon Music executable with the pathname as a command-line argument:


Additionally, if the HTTP verb is POST, a slash and the request body are appended to the parameter. For example, the request

Results in

It's lucky that there's a pathname regex check, and that they've used QProcess::startDetached(QString const&, QStringList const&) instead of its sibling QProcess::startDetached(QString const&): the list overload passes each list element as exactly one argument, while the single-string sibling splits the command on whitespace.

Why?

The main executable is based on libcef (Chromium Embedded Framework), which accepts Chromium command-line switches as well. If I could feed it an arbitrary argument, it could look like:

Or this one, if you prefer Windows:

Dear Amazon developers, you were so close to a wormable remote code execution bug. Fortunately it didn't happen.
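As an added example (my own model, not Amazon's code), here is the LaunchHandler's argument construction in Python, alongside the argv that each QProcess::startDetached overload would hand to the player. The player path and the Chromium switch --remote-debugging-port=9222 used as the payload are illustrative assumptions; the page does not show the main executable's path or the switch the author had in mind, and it does not say whether the leading slash of the pathname is kept, so the model passes the full pathname. The POST body is the interesting vector because, unlike the request-line path, it can carry a literal space.

```python
import re
import shlex

# Pattern from the page (kLaunchRegEx): the pathname must start with one of these verbs,
# so the argument itself can never begin with "--".
LAUNCH_REGEX = re.compile(r"^/((purchase|download|play|cplaunch).*)$")

# Assumed path of the main player binary; the page only names the Helper.
AMAZON_MUSIC_EXE = "/Applications/Amazon Music.app/Contents/MacOS/Amazon Music"


def build_launch_argument(method, path, body=""):
    """Argument handed to the player, or None if the pathname fails the regex.
    Per the page, a POST appends a slash and the request body."""
    if LAUNCH_REGEX.match(path) is None:
        return None
    return path + "/" + body if method == "POST" else path


def argv_list_overload(exe, arg):
    """startDetached(QString, QStringList): every list element is exactly one
    argv entry, so spaces or quotes inside `arg` cannot create new switches."""
    return [exe, arg]


def argv_string_overload(exe, arg):
    """startDetached(QString): Qt splits the single command string on whitespace,
    honouring double quotes, which shlex models closely enough here.
    Attacker-controlled whitespace in `arg` becomes extra argv entries."""
    command = '"%s" %s' % (exe, arg)
    return shlex.split(command)


def injected_switches(argv):
    """Chromium-style switches (--name or --name=value) that reached the program
    as their own argv entries. Only such entries are parsed as switches; a "--"
    embedded inside a larger argument is not."""
    return [a for a in argv[1:] if a.startswith("--")]


if __name__ == "__main__":
    # Constructed request: POST /play whose body starts with a space.
    arg = build_launch_argument("POST", "/play", " --remote-debugging-port=9222")
    print("argument:", repr(arg))
    print("list overload injects:", injected_switches(argv_list_overload(AMAZON_MUSIC_EXE, arg)))
    print("string overload injects:", injected_switches(argv_string_overload(AMAZON_MUSIC_EXE, arg)))
```

With the list overload the whole "/play/ --remote-debugging-port=9222" string stays one argument that Chromium's switch parser ignores; with the string overload the same request would have delivered the switch as its own argv entry.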


One more thing. Don't you need a certificate to run an HTTPS server? Let's add -v to curl to check.

They have an independent domain that resolves to loopback, and the certificate is validly signed.

Amazon Music simply made the domain www.amazonmusiclocal.com resolve to loopback. Since the certificate the local server presents is validly signed for that name, the matching private key must be shipped with the client. And here we go:

The key and certificate are hardcoded in this initializer. You can grab them yourself.


Just a few days ago I read an article saying that Spotify does the same:

Actually, we don’t even need DNS for this one. We can do the same as the embedded Spotify player does and send a request inside the victim’s browser to their local Spotify control server. We don’t even need to be Spotify. Authenticated requests between websites are fine. That’s something the internet just allows (with several extremely technical and complicated caveats).

What did Spotify Security say? That it’s a product decision and they’re fine with it. I tried to explain further but they confirmed, yes it’s a product decision and they’re fine with it. I’m also, to be fair, fine with posting the spotilocal.com certificate online. So I did. Well it’s removed now, so guess it wasn’t a product decision they wanted to keep WINKING EMOJI


No actually exploitable bug was found. But at least you can scan the LAN and pop a music player on everyone, and now you have a trusted certificate for web debugging, LOL
