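Vulnerability Summary
Bug ID: wooyun-2014-054438
Title: Sensitive information leak caused by improper design in Baidu's Android app
Vendor: Baidu
Author: AndroBugs
Submitted: 2014-03-27 17:15
Fixed: 2014-06-25 17:16
Disclosed: 2014-06-25 17:16
Vulnerability type: User sensitive data leak
Severity: Medium
Self-assessed Rank: 7
Status: Confirmed by vendor
Source: http://www.wooyun.org; for questions or help, contact [email protected]
Tags: None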
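Vulnerability Details
Disclosure status:
2014-03-27: Details reported to the vendor; awaiting vendor response
2014-03-27: Confirmed by the vendor; details disclosed to the vendor only
2014-03-30: Details opened to third-party security partners
2014-05-21: Details disclosed to core white hats and experts in related fields
2014-05-31: Details disclosed to regular white hats
2014-06-10: Details disclosed to intern white hats
2014-06-25: Details disclosed to the public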
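Brief description:
Any Android app, without requiring any permission, can read important settings and token information stored by Baidu.
Detailed description:
The Baidu Search Android app (com.baidu.searchbox) leaks private data and access tokens. The getSharedPreferences calls in the following classes use MODE_WORLD_READABLE to store important data, so every other app can read the config written by Baidu: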
Lcom/baidu/android/pushservice/a;
Lcom/baidu/android/pushservice/PushSDK;
Lcom/baidu/android/moplus/util/b;
Lcom/baidu/android/nebula/b/d;
Lcom/baidu/android/nebula/b/m;
...
Proof of vulnerability:
MODE_WORLD_READABLE =>
http://developer.android.com/reference/android/content/Context.html#MODE_WORLD_READABLE
"This constant was deprecated in API level 17. Creating world-readable files is very dangerous, and likely to cause security holes in applications. It is strongly discouraged; instead, applications should use more formal mechanism for interactions such as ContentProvider, BroadcastReceiver, and Service. There are no guarantees that this access mode will remain on a file, such as when it goes through a backup and restore. File creation mode: allow all other applications to have read access to the created file."
Refer to the following code:
Taking push_sync.xml as an example, important token information can be stolen:
Fix:
Changing the mode to MODE_PRIVATE is enough.
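A static check for this pattern, as an added example that is not part of the original report or of Baidu's code: it scans decompiled smali for getSharedPreferences calls whose mode argument is a constant with the MODE_WORLD_READABLE (0x1) or MODE_WORLD_WRITEABLE (0x2) bit set. The smali sample and the class com.example.app.PushConfig are constructed, and the register tracking is a linear heuristic that ignores branches.

```python
import re

# android.content.Context mode flags
MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE = 0x1, 0x2

CONST_RE = re.compile(r"^\s*const(?:/4|/16)?\s+([vp]\d+),\s*(0x[0-9a-fA-F]+)")
CALL_RE = re.compile(r"^\s*invoke-[\w/]+\s*\{([^}]*)\},\s*L[^;]+;"
                     r"->getSharedPreferences\(Ljava/lang/String;I\)")
# Any other instruction whose first operand is a register: treat as an overwrite.
WRITE_RE = re.compile(r"^\s*[a-z][\w/-]*\s+([vp]\d+)\b")

def find_world_accessible_prefs(smali_text):
    """Return (line_no, method, mode) for calls with a world-accessible mode."""
    findings, consts, method = [], {}, None
    for line_no, line in enumerate(smali_text.splitlines(), 1):
        if line.lstrip().startswith(".method"):
            method, consts = line.split()[-1], {}    # registers are per-method
        elif m := CONST_RE.match(line):
            consts[m.group(1)] = int(m.group(2), 16)
        elif m := CALL_RE.match(line):
            mode_reg = re.findall(r"[vp]\d+", m.group(1))[-1]  # mode is the last argument
            mode = consts.get(mode_reg)
            if mode is not None and mode & (MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE):
                findings.append((line_no, method, mode))
        elif m := WRITE_RE.match(line):
            consts.pop(m.group(1), None)             # value is no longer known
    return findings

# Constructed sample: hypothetical class, not taken from the Baidu app.
SAMPLE_SMALI = """\
.class public Lcom/example/app/PushConfig;
.method public save()V
    const-string v1, "push_sync"
    const/4 v2, 0x1
    invoke-virtual {p0, v1, v2}, Landroid/content/Context;->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;
    move-result-object v0
.end method
.method public saveFixed()V
    const-string v1, "push_sync"
    const/4 v2, 0x0
    invoke-virtual {p0, v1, v2}, Landroid/content/Context;->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;
.end method
"""

if __name__ == "__main__":
    for line_no, method, mode in find_world_accessible_prefs(SAMPLE_SMALI):
        print(f"line {line_no}: {method} calls getSharedPreferences with mode {mode:#x}")
```

Only the first method is reported; the second uses mode 0x0 (MODE_PRIVATE), which is the fix described above.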
Copyright notice: please credit the source when reposting: AndroBugs@WooYun
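Vulnerability Response
Vendor response:
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2014-03-27 19:48
Vendor reply:
Thank you for supporting Baidu security.
Latest status:
None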