Remote intent injection case study: Dropbox SDK for Android (CVE-2014-8889)
Original article:
http://securityintelligence.com/droppedin-remotely-exploitable-vulnerability-in-the-dropbox-sdk-for-android#.VQAOAYGUfEF
Vulnerable code:

    protected void onCreate(Bundle savedInstanceState) {
        ...
        Intent intent = getIntent();
        ...
        // webHost is taken directly from an intent extra, so whoever sends
        // the intent controls it; only a missing extra falls back to the default.
        webHost = intent.getStringExtra(EXTRA_INTERNAL_WEB_HOST);
        if (null == webHost) {
            webHost = DEFAULT_WEB_HOST;
        }
        ...
    }

    protected void onResume() {
        ...
        String state = createStateNonce();
        ...
        if (hasDropboxApp(officialIntent)) {
            startActivity(officialIntent);
        }
        else {
            // No official Dropbox app installed: authenticate through the browser.
            startWebAuth(state);
        }
        ...
        authStateNonce = state;
    }

    private void startWebAuth(String state)
    {
        String path = "/connect";
        Locale locale = Locale.getDefault();
        String[] params = {
            "locale", locale.getLanguage()+"_"+locale.getCountry(),
            "k", appKey,
            "s", getConsumerSig(),
            "api", apiType,
            "state", state};
        // The URL, including the state nonce, is built on the unvalidated webHost
        // and handed to whatever app handles ACTION_VIEW (normally the browser).
        String url = RESTUtility.buildURL(webHost, DropboxAPI.VERSION, path, params);
        Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        startActivity(intent);
    }
Attack flow:
For Activity intent injection, see:
http://drops.wooyun.org/tips/3936
For how to do it through the browser, see:
http://drops.wooyun.org/papers/2893
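
A hardened form of the webHost handling in the onCreate/startWebAuth code above, as an added example that is not code from the original article or from the Dropbox SDK: the extra is accepted only on an exact allowlist match, and the finished URL is re-checked before it would be opened. The class name, the value of DEFAULT_WEB_HOST, the buildUrl stand-in for RESTUtility.buildURL and the sample extras are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class WebHostGuard {
    // Assumed value: the page shows the constant's name, not its contents.
    static final String DEFAULT_WEB_HOST = "www.dropbox.com";
    static final Set<String> ALLOWED_HOSTS = Set.of(DEFAULT_WEB_HOST);

    /** Host to use for web auth; anything not on the allowlist falls back to the default. */
    static String resolveWebHost(String fromIntentExtra) {
        if (fromIntentExtra == null) return DEFAULT_WEB_HOST;
        // Exact match only: prefix, suffix or contains checks would accept
        // values such as "www.dropbox.com@other-host" or "www.dropbox.com.other-host".
        return ALLOWED_HOSTS.contains(fromIntentExtra) ? fromIntentExtra : DEFAULT_WEB_HOST;
    }

    /** Hypothetical stand-in for RESTUtility.buildURL: the host is spliced into a string. */
    static String buildUrl(String host) {
        return "https://" + host + "/1/connect?state=nonce";
    }

    /** Second check on the parsed URL, since the host was concatenated before parsing. */
    static boolean isSafeAuthUrl(String url) {
        try {
            URI u = new URI(url);
            return "https".equals(u.getScheme())
                && u.getUserInfo() == null          // rejects "allowed-host@other-host"
                && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values for the EXTRA_INTERNAL_WEB_HOST extra.
        String[] extras = { null, "www.dropbox.com", "attacker.example",
            "www.dropbox.com@attacker.example", "www.dropbox.com.attacker.example",
            "attacker.example/#" };
        for (String extra : extras) {
            String unchecked = buildUrl(extra == null ? DEFAULT_WEB_HOST : extra);
            String hardened = buildUrl(resolveWebHost(extra));
            System.out.println("extra=" + extra
                + " | original logic safe=" + isSafeAuthUrl(unchecked)
                + " | hardened host=" + resolveWebHost(extra)
                + " safe=" + isSafeAuthUrl(hardened));
        }
    }
}
```

In an Android app the same two checks would sit where onCreate reads the extra and just before startWebAuth calls startActivity.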