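2015-09-28: Details reported to the vendor; awaiting vendor handling
2015-09-28: Vendor confirmed; details disclosed to the vendor only
2015-10-01: Details opened to third-party security partners (绿盟科技 (NSFOCUS), 唐朝安全巡航)
2015-11-22: Details disclosed to core white hats and experts in related fields
2015-12-02: Details disclosed to regular white hats
2015-12-12: Details disclosed to trainee white hats
2015-12-27: Details disclosed to the public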
The latest version of the Youku Android client has a denial-of-service vulnerability. See the details below.
Exposed activity components:
com.youku.phone.ActivityWelcome Permission: null
com.youku.ui.activity.UpdateActivity Permission: null
com.youku.ui.activity.MyUploadVideoPageActivity Permission: null
com.youku.ui.activity.PaidActivity Permission: null
com.youku.ui.activity.DownloadPageActivity Permission: null
com.youku.phone.search.activity.SearchResultActivity Permission: null
com.youku.ui.search.last.SearchActivity Permission: null
com.youku.ui.activity.DetailActivity Permission: null
com.youku.ui.activity.WebViewActivity Permission: null
com.youku.ui.activity.InteractionWebViewActivity Permission: null
com.zijunlin.Zxing.CaptureActivity Permission: null
com.youku.service.push.EmptyActivity Permission: null
com.youku.phone.wxapi.WXEntryActivity Permission: null
com.youku.gamecenter.GameCenterHomeActivity Permission: null
com.youku.gamecenter.GameDetailsActivity Permission: null
com.youku.gamecenter.GameSubCategoryActivity Permission: null
com.youku.gamecenter.GameManagerActivity Permission: null
com.youku.gamecenter.GameSearchActivity Permission: null
com.youku.gamecenter.GameSearchResultActivity Permission: null
com.youku.gamecenter.GamePresentListActivity Permission: null
com.youku.gamecenter.GamePresentDetailsActivity Permission: null
com.youku.gamecenter.GamePresentActivity Permission: null
com.youku.gamecenter.GameWebViewActivity Permission: null
com.youku.gamecenter.GameH5CardListActivity Permission: null
com.youku.phone.wxapi.WXPayEntryActivity Permission: null
com.youku.alipay.activity.CallbackActivity Permission: null
com.taobao.tae.sdk.ui.TradeWebViewActivity Permission: null
Sending an Intent to start any of the following components causes the client to exit immediately:
com.youku.service.push.EmptyActivity
com.youku.alipay.activity.CallbackActivity
com.youku.gamecenter.GamePresentListActivity
com.taobao.tae.sdk.ui.TradeWebViewActivity
adb shell am start -n com.youku.phone/com.taobao.tae.sdk.ui.TradeWebViewActivity
Set android:exported to false on these activities, or add exception handling.
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-09-28 17:33
Thanks for the submission! This issue will be fixed in the next version!
None yet