
Vulnerability summary

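Bug ID: wooyun-2014-054438

Title: Sensitive information leak in Baidu's Android app due to improper design

Vendor: Baidu

Author: AndroBugs

Submitted: 2014-03-27 17:15

Fixed: 2014-06-25 17:16

Disclosed: 2014-06-25 17:16

Vulnerability type: User sensitive data leak

Severity: Medium

Self-assessed rank: 7

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]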


Vulnerability details

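Disclosure status:

2014-03-27: Details reported to the vendor; awaiting vendor handling
2014-03-27: Vendor confirmed; details visible to the vendor only
2014-03-30: Details opened to third-party security partners
2014-05-21: Details disclosed to core white hats and experts in related fields
2014-05-31: Details disclosed to regular white hats
2014-06-10: Details disclosed to intern white hats
2014-06-25: Details disclosed to the public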

Brief description:

Any Android app, without needing any permission, can obtain the important settings and token information stored by Baidu.

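Detailed description:

The Baidu Search Android app (com.baidu.searchbox) leaks private data and access tokens. In the following classes, getSharedPreferences is called with MODE_WORLD_READABLE to store sensitive data, so every other app can read the config that Baidu writes: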
Lcom/baidu/android/pushservice/a;
Lcom/baidu/android/pushservice/a;
Lcom/baidu/android/pushservice/PushSDK;
Lcom/baidu/android/moplus/util/b;
Lcom/baidu/android/nebula/b/d;
Lcom/baidu/android/nebula/b/m;
...

Proof of vulnerability:

MODE_WORLD_READABLE =>
http://developer.android.com/reference/android/content/Context.html#MODE_WORLD_READABLE
"This constant was deprecated in API level 17. Creating world-readable files is very dangerous, and likely to cause security holes in applications. It is strongly discouraged; instead, applications should use more formal mechanism for interactions such as ContentProvider, BroadcastReceiver, and Service. There are no guarantees that this access mode will remain on a file, such as when it goes through a backup and restore. File creation mode: allow all other applications to have read access to the created file."
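See the following code (screenshot in the original report: 1.png).

In push_sync.xml, for example, the sensitive token information can be stolen (screenshots in the original report: 2.png, 3.png).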

Fix:

Change the mode to MODE_PRIVATE.

Copyright notice: when reposting, credit the source AndroBugs@WooYun
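A check for verifying the fix on a test device, as an added example that is not part of the original report or Baidu's code: it parses `ls -l` output taken from the app's `shared_prefs` directory and flags preference files whose permission bits let other UIDs read or write them. The sample listing is constructed (only the file name push_sync.xml comes from the report), and file names are assumed to contain no spaces.

```python
import re

# Mode string as printed by `ls -l`, e.g. "-rw-rw-r--" (optional trailing "." or "+").
MODE_RE = re.compile(r"^[-dlbcps][-rwxsStT]{9}[.+]?$")

# Constructed sample of `ls -l` output for an app's shared_prefs directory.
# Only the name push_sync.xml is taken from the report; everything else is made up.
SAMPLE_LISTING = """\
total 12
-rw-rw-r-- u0_a57 u0_a57 312 2014-03-27 17:15 push_sync.xml
-rw-rw---- u0_a57 u0_a57 128 2014-03-27 17:15 private_settings.xml
-rw-rw-rw- u0_a57 u0_a57  96 2014-03-27 17:15 legacy_cfg.xml
"""


def audit_listing(listing):
    """Return [(filename, [issues])] for regular files exposed to other UIDs."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 2 or not MODE_RE.match(fields[0]):
            continue  # skip "total N", blank lines and error messages
        mode, name = fields[0], fields[-1]
        if mode[0] != "-":
            continue  # only regular files hold preference data
        issues = []
        if mode[7] == "r":  # "other" read bit, set by MODE_WORLD_READABLE
            issues.append("world-readable")
        if mode[8] == "w":  # "other" write bit, set by MODE_WORLD_WRITEABLE
            issues.append("world-writable")
        if issues:
            findings.append((name, issues))
    return findings


def is_clean(listing):
    """True when no preference file is exposed to other UIDs."""
    return not audit_listing(listing)


if __name__ == "__main__":
    for name, issues in audit_listing(SAMPLE_LISTING):
        print(f"{name}: {', '.join(issues)}")
    raise SystemExit(0 if is_clean(SAMPLE_LISTING) else 1)
```

Files written with MODE_PRIVATE show no permission bits in the last three positions of the mode string, so a fixed build should produce an empty result.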


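Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 8

Confirmed: 2014-03-27 19:48

Vendor reply:

Thank you for supporting Baidu security.

Latest status:

None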