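Vulnerability Details

Disclosure status:

2014-01-16: Details reported to the vendor; awaiting vendor handling
2014-01-17: Vendor confirmed; details disclosed to the vendor only
2014-01-20: Details opened to third-party security partners
2014-01-27: Details disclosed to core white hats and experts in related fields
2014-02-06: Details disclosed to regular white hats
2014-02-26: Details disclosed to trainee white hats
2014-04-16: Details disclosed to the public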

Brief description:

Tencent WeiBo (WBlog) latest version (2014-1-15): critical DoS vulnerability again.

Detailed description:

Tencent WeiBo (WBlog) latest version (2014-1-15): critical DoS vulnerability again. Also, the same vulnerability was found in the same place.

So why? Where is the security testing?

The problem is due to the exported Activity named "com.tencent.WBlog.intentproxy.TencentWeiboIntent".

Here is the crash log.


I/ActivityManager(   77): START {flg=0x10000000 cmp=com.tencent.WBlog/.intentproxy.TencentWeiboIntent (has extras)} from pid 638
W/WindowManager( 77): Failure taking screenshot for (180x300) to layer 21025
D/dalvikvm( 953): GC_FOR_ALLOC freed 1080K, 12% free 19775K/22407K, paused 103ms
I/dalvikvm-heap( 953): Grow heap (frag case) to 20.860MB for 1536016-byte allocation
D/dalvikvm( 953): GC_FOR_ALLOC freed 23K, 12% free 21252K/23943K, paused 90ms
D/AndroidRuntime( 953): Shutting down VM
W/dalvikvm( 953): threadid=1: thread exiting with uncaught exception (group=0x409961f8)
E/AndroidRuntime( 953): FATAL EXCEPTION: main
E/AndroidRuntime( 953): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.tencent.WBlog/com.tencent.WBlog.intentproxy.TencentWeiboIntent}: java.lang.NullPointerException
E/AndroidRuntime( 953): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1955)
E/AndroidRuntime( 953): at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:1980)
E/AndroidRuntime( 953): at android.app.ActivityThread.access$600(ActivityThread.java:122)
E/AndroidRuntime( 953): at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1146)
E/AndroidRuntime( 953): at android.os.Handler.dispatchMessage(Handler.java:99)
E/AndroidRuntime( 953): at android.os.Looper.loop(Looper.java:137)
E/AndroidRuntime( 953): at android.app.ActivityThread.main(ActivityThread.java:4340)
E/AndroidRuntime( 953): at java.lang.reflect.Method.invokeNative(Native Method)
E/AndroidRuntime( 953): at java.lang.reflect.Method.invoke(Method.java:511)
E/AndroidRuntime( 953): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:784)
E/AndroidRuntime( 953): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:551)
E/AndroidRuntime( 953): at dalvik.system.NativeStart.main(Native Method)
E/AndroidRuntime( 953): Caused by: java.lang.NullPointerException
E/AndroidRuntime( 953): at com.tencent.WBlog.intentproxy.TencentWeiboIntent.onCreate(ProGuard:60)
E/AndroidRuntime( 953): at android.app.Activity.performCreate(Activity.java:4465)
E/AndroidRuntime( 953): at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1049)
E/AndroidRuntime( 953): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1919)
E/AndroidRuntime( 953): ... 11 more
W/ActivityManager( 77): Force finishing activity com.tencent.WBlog/.intentproxy.TencentWeiboIntent
W/ActivityManager( 77): Force finishing activity com.tencent.WBlog/.activity.MicroblogTab
I/WindowManager( 77): createSurface Window{41a65740 paused=false}: DRAW NOW PENDING
W/ActivityManager( 77): Activity pause timeout for ActivityRecord{414c7698 com.tencent.WBlog/.intentproxy.TencentWeiboIntent}
W/NetworkManagementSocketTagger( 77): setKernelCountSet(10005, 1) failed with errno -2
I/WindowManager( 77): createSurface Window{41385410 com.android.launcher/com.android.launcher2.Launcher paused=false}: DRAW NOW PENDING
W/NetworkManagementSocketTagger( 77): setKernelCountSet(10037, 0) failed with errno -2

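Proof of vulnerability:

[Screenshot: wblog.jpg]

[Screenshot: wblog-2.jpg]

[Screenshot: wblog-3.jpg]

Fix:

Copyright notice: when reposting, please credit the source Pentest.mobi@WooYun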
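
The crash log above as input to a regression check (an added example, not part of the original report or of Tencent's code): it links each ActivityManager START line to a later FATAL EXCEPTION in a different pid and reports whether the first frame under the root cause lies in the started component itself. The function name triage and the result field names are assumptions made for this example; a match is a candidate for review, since the START line records only the caller's pid.

```python
import re

# Excerpt of the logcat output quoted above, abridged to the lines the check needs.
SAMPLE = """\
I/ActivityManager(   77): START {flg=0x10000000 cmp=com.tencent.WBlog/.intentproxy.TencentWeiboIntent (has extras)} from pid 638
E/AndroidRuntime( 953): FATAL EXCEPTION: main
E/AndroidRuntime( 953): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.tencent.WBlog/com.tencent.WBlog.intentproxy.TencentWeiboIntent}: java.lang.NullPointerException
E/AndroidRuntime( 953): at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1955)
E/AndroidRuntime( 953): Caused by: java.lang.NullPointerException
E/AndroidRuntime( 953): at com.tencent.WBlog.intentproxy.TencentWeiboIntent.onCreate(ProGuard:60)
E/AndroidRuntime( 953): at android.app.Activity.performCreate(Activity.java:4465)
"""

LINE = re.compile(r"^[VDIWEF]/([^(]+)\(\s*(\d+)\):\s?(.*)$")
START = re.compile(r"START \{.*?cmp=([\w.]+)/([\w.$]+).*?\} from pid (\d+)")
UNABLE = re.compile(r"Unable to start activity ComponentInfo\{[\w.]+/([\w.$]+)\}")
CAUSE = re.compile(r"^Caused by: ([\w.$]+)")
FRAME = re.compile(r"^at ([\w.$]+)\.([\w$<>]+)\(([^)]*)\)")

def triage(log):
    """Return crashes of activities that died while being started by another pid."""
    starts, crashes = {}, {}          # component -> caller pid; crashing pid -> record
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tag, pid, msg = m.group(1).strip(), int(m.group(2)), m.group(3).strip()
        if tag == "ActivityManager" and (s := START.search(msg)):
            pkg, cls, caller = s.groups()
            starts[pkg + cls if cls.startswith(".") else cls] = int(caller)
        elif tag == "AndroidRuntime":
            if msg.startswith("FATAL EXCEPTION"):
                crashes[pid] = {"pid": pid, "component": None, "cause": None, "site": None}
            rec = crashes.get(pid)
            if rec is None:
                continue
            if u := UNABLE.search(msg):
                rec["component"] = u.group(1)
            elif c := CAUSE.match(msg):
                rec["cause"] = c.group(1)
            elif rec["cause"] and rec["site"] is None and (f := FRAME.match(msg)):
                rec["site"] = "%s.%s(%s)" % f.groups()   # first frame under the root cause
    findings = []
    for rec in crashes.values():
        caller = starts.get(rec["component"])
        if caller is not None and caller != rec["pid"]:
            own = (rec["site"] or "").startswith(rec["component"] + ".")
            findings.append({**rec, "caller_pid": caller, "in_component_code": own})
    return findings
```

A finding with in_component_code set to True means the exception was thrown by the activity's own code while handling the incoming start, which is the pattern this report describes.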


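Vulnerability Response

Vendor response:

Severity level: Medium

Vulnerability Rank: 10

Confirmed at: 2014-01-17 10:18

Vendor reply:

Thank you very much for your report. We have started working on the issue, and we thank everyone for their attention to the security of Tencent's services. If you have any questions, feedback is welcome, and we will have dedicated staff follow up.

Latest status:

None yet


Vulnerability comments: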